Merge pull request 'Update image ghcr.io/siderolabs/kubelet to v1.31.2' (#838) from renovate/ghcr.io-siderolabs-kubelet-1.x into main

Reviewed-on: #838

.ansible-lint

@@ -1,9 +0,0 @@
----
-skip_list:
-  - yaml[line-length]
-  - var-naming
-warn_list:
-  - command-instead-of-shell
-  - deprecated-command-syntax
-  - experimental
-  - no-changed-when

.archive/.taskfiles/Ansible/Taskfile.yaml

@@ -1,52 +0,0 @@
----
-# yaml-language-server: $schema=https://taskfile.dev/schema.json
-version: "3"
-
-vars:
-  PYTHON_BIN: python3
-
-env:
-  PATH: "{{.ROOT_DIR}}/.venv/bin:$PATH"
-  VIRTUAL_ENV: "{{.ROOT_DIR}}/.venv"
-  ANSIBLE_COLLECTIONS_PATH: "{{.ROOT_DIR}}/.venv/galaxy"
-  ANSIBLE_ROLES_PATH: "{{.ROOT_DIR}}/.venv/galaxy/ansible_roles"
-  ANSIBLE_VARS_ENABLED: "host_group_vars,community.sops.sops"
-
-tasks:
-
-  deps:
-    desc: Set up Ansible dependencies for the environment
-    cmds:
-      - task: .venv
-
-  run:
-    desc: Run an Ansible playbook for configuring a cluster
-    summary: |
-      Args:
-        cluster: Cluster to run command against (required)
-        playbook: Playbook to run (required)
-    prompt: Run Ansible playbook '{{.playbook}}' against the '{{.cluster}}' cluster... continue?
-    deps: ["deps"]
-    cmd: |
-      .venv/bin/ansible-playbook \
-        --inventory {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml \
-        {{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml {{.CLI_ARGS}}
-    preconditions:
-      - { msg: "Argument (cluster) is required", sh: "test -n {{.cluster}}" }
-      - { msg: "Argument (playbook) is required", sh: "test -n {{.playbook}}" }
-      - { msg: "Venv not found", sh: "test -d {{.ROOT_DIR}}/.venv" }
-      - { msg: "Inventory not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/inventory/hosts.yaml" }
-      - { msg: "Playbook not found", sh: "test -f {{.ANSIBLE_DIR}}/{{.cluster}}/playbooks/{{.playbook}}.yaml" }
-
-  .venv:
-    internal: true
-    cmds:
-      - true && {{.PYTHON_BIN}} -m venv {{.ROOT_DIR}}/.venv
-      - .venv/bin/python3 -m pip install --upgrade pip setuptools wheel
-      - .venv/bin/python3 -m pip install --upgrade --requirement {{.ANSIBLE_DIR}}/requirements.txt
-      - .venv/bin/ansible-galaxy install --role-file "{{.ANSIBLE_DIR}}/requirements.yaml" --force
-    sources:
-      - "{{.ANSIBLE_DIR}}/requirements.txt"
-      - "{{.ANSIBLE_DIR}}/requirements.yaml"
-    generates:
-      - "{{.ROOT_DIR}}/.venv/pyvenv.cfg"

.archive/.taskfiles/rook/Taskfile.yaml

@@ -1,104 +0,0 @@
----
-version: "3"
-
-x-task-vars: &task-vars
-  node: "{{.node}}"
-  ceph_disk: "{{.ceph_disk}}"
-  ts: "{{.ts}}"
-  jobName: "{{.jobName}}"
-
-vars:
-  waitForJobScript: "../_scripts/wait-for-k8s-job.sh"
-  ts: '{{now | date "150405"}}'
-
-tasks:
-  wipe-node-aule:
-    desc: Trigger a wipe of Rook-Ceph data on node "aule"
-    cmds:
-      - task: wipe-disk
-        vars:
-          node: "{{.node}}"
-          ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460833"
-      - task: wipe-data
-        vars:
-          node: "{{.node}}"
-    vars:
-      node: aule
-
-  wipe-node-orome:
-    desc: Trigger a wipe of Rook-Ceph data on node "orome"
-    cmds:
-      - task: wipe-disk
-        vars:
-          node: "{{.node}}"
-          ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37645333"
-      - task: wipe-data
-        vars:
-          node: "{{.node}}"
-    vars:
-      node: orome
-
-  wipe-node-eonwe:
-    desc: Trigger a wipe of Rook-Ceph data on node "eonwe"
-    cmds:
-      - task: wipe-disk
-        vars:
-          node: "{{.node}}"
-          ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460887"
-      - task: wipe-data
-        vars:
-          node: "{{.node}}"
-    vars:
-      node: eonwe
-
-  wipe-node-arlen:
-    desc: Trigger a wipe of Rook-Ceph data on node "arlen"
-    cmds:
-      - task: wipe-disk
-        vars:
-          node: "{{.node}}"
-          ceph_disk: "/dev/disk/by-id/scsi-0HC_Volume_37460897"
-      - task: wipe-data
-        vars:
-          node: "{{.node}}"
-    vars:
-      node: arlen
-
-  wipe-disk:
-    desc: Wipe all remnants of rook-ceph from a given disk (ex. task rook:wipe-disk node=aule ceph_disk="/dev/nvme0n1")
-    silent: true
-    internal: true
-    cmds:
-      - envsubst < <(cat {{.wipeRookDiskJobTemplate}}) | kubectl apply -f -
-      - bash {{.waitForJobScript}} {{.wipeCephDiskJobName}} default
-      - kubectl -n default wait job/{{.wipeCephDiskJobName}} --for condition=complete --timeout=1m
-      - kubectl -n default logs job/{{.wipeCephDiskJobName}} --container list
-      - kubectl -n default delete job {{.wipeCephDiskJobName}}
-    vars:
-      node: '{{ or .node (fail "`node` is required") }}'
-      ceph_disk: '{{ or .ceph_disk (fail "`ceph_disk` is required") }}'
-      jobName: 'wipe-disk-{{- .node -}}-{{- .ceph_disk | replace "/" "-" -}}-{{- .ts -}}'
-      wipeRookDiskJobTemplate: "WipeDiskJob.tmpl.yaml"
-    env: *task-vars
-    preconditions:
-      - sh: test -f {{.waitForJobScript}}
-      - sh: test -f {{.wipeRookDiskJobTemplate}}
-
-  wipe-data:
-    desc: Wipe all remnants of rook-ceph from a given disk (ex. task rook:wipe-data node=aule)
-    silent: true
-    internal: true
-    cmds:
-      - envsubst < <(cat {{.wipeRookDataJobTemplate}}) | kubectl apply -f -
-      - bash {{.waitForJobScript}} {{.wipeRookDataJobName}} default
-      - kubectl -n default wait job/{{.wipeRookDataJobName}} --for condition=complete --timeout=1m
-      - kubectl -n default logs job/{{.wipeRookDataJobName}} --container list
-      - kubectl -n default delete job {{.wipeRookDataJobName}}
-    vars:
-      node: '{{ or .node (fail "`node` is required") }}'
-      jobName: "wipe-rook-data-{{- .node -}}-{{- .ts -}}"
-      wipeRookDataJobTemplate: "WipeRookDataJob.tmpl.yaml"
-    env: *task-vars
-    preconditions:
-      - sh: test -f {{.waitForJobScript}}
-      - sh: test -f {{.wipeRookDataJobTemplate}}

.archive/.taskfiles/rook/WipeDiskJob.tmpl.yaml

@@ -1,26 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "${jobName}"
-  namespace: "default"
-spec:
-  ttlSecondsAfterFinished: 3600
-  template:
-    spec:
-      automountServiceAccountToken: false
-      restartPolicy: Never
-      nodeName: ${node}
-      containers:
-        - name: disk-wipe
-          image: docker.io/library/alpine:3.20.0
-          securityContext:
-            privileged: true
-          resources: {}
-          command: ["/bin/sh", "-c"]
-          args:
-            - apk add --no-cache sgdisk util-linux parted;
-              sgdisk --zap-all ${ceph_disk};
-              blkdiscard ${ceph_disk};
-              dd if=/dev/zero bs=1M count=10000 oflag=direct of=${ceph_disk};
-              partprobe ${ceph_disk};

.archive/.taskfiles/rook/WipeRookDataJob.tmpl.yaml

@@ -1,29 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: "${jobName}"
-  namespace: "default"
-spec:
-  ttlSecondsAfterFinished: 3600
-  template:
-    spec:
-      automountServiceAccountToken: false
-      restartPolicy: Never
-      nodeName: ${node}
-      containers:
-        - name: disk-wipe
-          image: docker.io/library/alpine:3.20.0
-          securityContext:
-            privileged: true
-          resources: {}
-          command: ["/bin/sh", "-c"]
-          args:
-            - rm -rf /mnt/host_var/lib/rook
-          volumeMounts:
-            - mountPath: /mnt/host_var
-              name: host-var
-      volumes:
-        - name: host-var
-          hostPath:
-            path: /var

.archive/.taskfiles/rook/pod.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: my-pod
-spec:
-  containers:
-    - name: disk-wipe
-      image: docker.io/library/alpine:3.20.0
-      securityContext:
-        privileged: true
-      resources: {}
-      command: ["/bin/sh", "-c"]
-      args:
-        - apk add --no-cache sgdisk util-linux parted e2fsprogs;
-          sgdisk --zap-all /dev/nvme1n1;
-          blkdiscard /dev/nvme1n1;
-          dd if=/dev/zero bs=1M count=10000 oflag=direct of=/dev/nvme1n1;
-          sgdisk /dev/nvme1n1
-          partprobe /dev/nvme1n1;

.archive/ai/stable-diffusion/comfyui/helmrelease.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.3.2
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -38,7 +38,6 @@ spec:
               tag: v0.0.1
             resources:
               requests:
-                nvidia.com/gpu: 1 # requesting 1 GPU
                 cpu: 500m
                 memory: 2Gi
               limits:

.archive/ai/stable-diffusion/ks.yaml

@@ -14,12 +14,12 @@ spec:
     - name: nvidia-device-plugin
     - name: node-feature-discovery
     - name: volsync
-    - name: openebs
+    - name: rook-ceph-cluster
   path: ./kubernetes/apps/ai/stable-diffusion/comfyui
   prune: true
   sourceRef:
     kind: GitRepository
-    name: homelab
+    name: theshire
   wait: false
   interval: 30m
   retryInterval: 1m
@@ -28,6 +28,4 @@ spec:
     substitute:
       APP: *app
       VOLSYNC_CAPACITY: 5Gi
-      VOLSYNC_STORAGECLASS: openebs-zfs
-      VOLSYNC_SNAPSHOTCLASS: openebs-zfs
       GATUS_SUBDOMAIN: comfyui

.archive/default/nicehash/app/externalsecret.yaml

@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: nicehash
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: nicehash-secret
+    template:
+      type: Opaque
+      data:
+        MINING_ADDRESS: "{{ .MINING_ADDRESS }}"
+  dataFrom:
+    - extract:
+        key: nicehash

.archive/default/nicehash/app/helmrelease.yaml

@@ -0,0 +1,72 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nicehash
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      nicehash:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          app:
+            image:
+              repository: docker.io/dockerhubnh/nicehash
+              tag: latest
+            envFrom:
+              - secretRef:
+                  name: nicehash-secret
+            env:
+              TZ: America/Chicago
+              MINING_WORKER_NAME: shadowfax
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                nvidia.com/gpu: 1 # requesting 1 GPU
+                memory: 10Gi
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 568
+        runAsGroup: 568
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile: { type: RuntimeDefault }
+      nodeSelector:
+        nvidia.com/gpu.present: "true"
+      runtimeClassName: nvidia
+    persistence:
+      logs:
+        type: emptyDir
+        globalMounts:
+          - path: /var/log/
+      tmp:
+        type: emptyDir
+      cache:
+        existingClaim: nicehash
+        globalMounts:
+          - path: /var/cache/nhm4/

.archive/default/nicehash/ks.yaml

@@ -3,24 +3,23 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app matter-server
+  name: &app nicehash
   namespace: flux-system
 spec:
-  targetNamespace: home-automation
+  targetNamespace: default
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
   dependsOn:
-    - name: openebs-system
-    - name: volsync
-  path: ./kubernetes/apps/home-automation/matter-server/app
+    - name: external-secrets-stores
+    - name: rook-ceph-cluster
+  path: ./kubernetes/apps/default/nicehash/app
   prune: true
   sourceRef:
     kind: GitRepository
-    name: homelab
+    name: theshire
   wait: false
   interval: 30m
-  retryInterval: 1m
   timeout: 5m
   postBuild:
     substitute:

.archive/default/piped/app/externalsecret.yaml

@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: piped
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: crunchy-pgo-secrets
+    kind: ClusterSecretStore
+  target:
+    name: piped-secret
+    template:
+      type: Opaque
+      data:
+        config.properties: |
+          API_URL: https://piped-api.hsn.dev
+          COMPROMISED_PASSWORD_CHECK: true
+          DISABLE_REGISTRATION: true
+          FEED_RETENTION: 30
+          FRONTEND_URL: https://piped.hsn.dev
+          HTTP_WORKERS: 4
+          MATRIX_SERVER: https://element.infosec.exchange
+          PORT: 8080
+          PROXY_PART: https://piped-proxy.jahanson.tech
+          SENTRY_DSN:
+          hibernate.connection.driver_class: org.postgresql.Driver
+          hibernate.connection.url: jdbc:postgresql://{{ index . "host" }}:5432/{{ index . "dbname" }}
+          hibernate.connection.username: {{ index . "user" }}
+          hibernate.connection.password: {{ index . "password" }}
+  dataFrom:
+    - extract:
+        key: postgres-pguser-piped

.archive/default/piped/app/helmrelease.yaml

@@ -0,0 +1,182 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: piped
+spec:
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  interval: 30m
+  values:
+    defaultPodOptions:
+      automountServiceAccountToken: false
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+
+    controllers:
+      backend:
+        strategy: RollingUpdate
+        annotations:
+          secret.reloader.stakater.com/reload: piped-secret
+
+        containers:
+          app:
+            image:
+              repository: 1337kavin/piped
+              tag: latest@sha256:18e77857414236edc7245bebb3fb8ab3ac49c44bd76701bfce24f6ba0170d4b8
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+            resources:
+              requests:
+                cpu: 10m
+                memory: 500Mi
+              limits:
+                memory: 2000Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+              seccompProfile:
+                type: RuntimeDefault
+
+      frontend:
+        strategy: RollingUpdate
+
+        containers:
+          app:
+            image:
+              repository: ghcr.io/bjw-s-labs/piped-frontend
+              tag: 2024.11.4@sha256:0e413986606f39cdc6afa0379feca912d4a4abbdcbe67b408c9fbe19fbabd10f
+            env:
+              BACKEND_HOSTNAME: piped-api.hsn.dev
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+            resources:
+              requests:
+                cpu: 10m
+                memory: 32Mi
+              limits:
+                memory: 256Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+              readOnlyRootFilesystem: true
+
+      ytproxy:
+        strategy: RollingUpdate
+
+        containers:
+          app:
+            image:
+              repository: 1337kavin/piped-proxy
+              tag: latest@sha256:ab9e472107337886d71b0151b6e777fc4cba0dd8251a21d4788a7a7f165f545a
+            command:
+              - /app/piped-proxy
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+            resources:
+              requests:
+                cpu: 10m
+                memory: 500Mi
+              limits:
+                memory: 2000Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+              seccompProfile:
+                type: RuntimeDefault
+
+    service:
+      backend:
+        controller: backend
+        ports:
+          http:
+            port: 8080
+      frontend:
+        controller: frontend
+        ports:
+          http:
+            port: 8080
+      ytproxy:
+        controller: ytproxy
+        ports:
+          http:
+            port: 8080
+
+    ingress:
+      backend:
+        className: "external-nginx"
+        annotations:
+          external-dns.alpha.kubernetes.io/target: external.hsn.dev
+          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+          nginx.ingress.kubernetes.io/enable-cors: "true"
+          nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.hsn.dev, https://piped-api.hsn.dev, https://piped-proxy.jahanson.tech"
+        hosts:
+          - host: piped-api.hsn.dev
+            paths:
+              - path: /
+                service:
+                  identifier: backend
+                  port: http
+      frontend:
+        className: "external-nginx"
+        annotations:
+          external-dns.alpha.kubernetes.io/target: external.hsn.dev
+          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+          nginx.ingress.kubernetes.io/enable-cors: "true"
+          nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.hsn.dev, https://piped-api.hsn.dev, https://piped-proxy.jahanson.tech"
+        hosts:
+          - host: piped.hsn.dev
+            paths:
+              - path: /
+                service:
+                  identifier: frontend
+                  port: http
+      ytproxy:
+        className: "internal-nginx"
+        annotations:
+          nginx.ingress.kubernetes.io/enable-cors: "true"
+          nginx.ingress.kubernetes.io/cors-allow-origin: "https://piped.hsn.dev, https://piped-api.hsn.dev, https://piped-proxy.jahanson.tech"
+        hosts:
+          - host: piped-proxy.jahanson.tech
+            paths:
+              - path: /
+                service:
+                  identifier: ytproxy
+                  port: http
+
+    persistence:
+      config:
+        type: secret
+        name: piped-secret
+        advancedMounts:
+          backend:
+            app:
+              - path: /app/config.properties
+                subPath: config.properties
+                readOnly: true

.archive/default/piped/ks.yaml

@@ -3,26 +3,21 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app jellyseerr
+  name: &appname piped
   namespace: flux-system
 spec:
   targetNamespace: default
   commonMetadata:
     labels:
-      app.kubernetes.io/name: *app
+      app.kubernetes.io/name: *appname
   interval: 10m
-  path: "./kubernetes/apps/default/jellyseerr/app"
+  path: "./kubernetes/apps/default/piped/app"
   prune: true
   sourceRef:
     kind: GitRepository
-    name: homelab
+    name: theshire
   wait: false
   dependsOn:
-    - name: openebs
-    - name: crunchy-postgres-operator
     - name: external-secrets-stores
-    - name: volsync
-  postBuild:
-    substitute:
-      APP: *app
-      VOLSYNC_CAPACITY: 1Gi
+    - name: crunchy-postgres-operator-cluster
+    - name: crunchy-postgres-operator-secretstore

.archive/kubernetes/default/jellyfin/ks.yaml

@@ -1,23 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app jellyfin
-  namespace: flux-system
-spec:
-  dependsOn:
-    - name: external-secrets-stores
-  path: ./kubernetes/apps/default/jellyfin/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: homelab
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app
-      VOLSYNC_CAPACITY: 10Gi

.archive/kubernetes/home-automation/home-assistant/app/externalsecret.yaml

@@ -1,26 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: home-assistant
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: home-assistant-secret
-    creationPolicy: Owner
-    template:
-      engineVersion: v2
-      data:
-        HASS_ELEVATION: "{{ .hass_elevation }}"
-        HASS_LATITUDE: "{{ .hass_latitude }}"
-        HASS_LONGITUDE: "{{ .hass_longitude }}"
-  dataFrom:
-    - extract:
-        key: home-assistant
-      rewrite:
-        - regexp:
-            source: "(.*)"
-            target: "hass_$1"

.archive/kubernetes/home-automation/home-assistant/app/helmrelease.yaml

@@ -1,90 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: home-assistant
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.1.0
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      strategy: rollback
-      retries: 3
-  values:
-    controllers:
-      home-assistant:
-        annotations:
-          reloader.stakater.com/auto: "true"
-        pod:
-          annotations:
-            k8s.v1.cni.cncf.io/networks: |
-              [{
-                "name":"multus-iot",
-                "namespace": "kube-system",
-                "ips": ["10.1.3.151/24"]
-              }]
-          securityContext:
-            runAsUser: 568
-            runAsGroup: 568
-            runAsNonRoot: true
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-        containers:
-          app:
-            image:
-              repository: ghcr.io/home-assistant/home-assistant
-              tag: 2024.5.5
-            env:
-              TZ: America/Chicago
-              HASS_HTTP_TRUSTED_PROXY_1: 10.244.0.0/16
-            envFrom:
-              - secretRef:
-                  name: home-assistant-secret
-            resources:
-              requests:
-                cpu: 10m
-              limits:
-                memory: 1Gi
-    service:
-      app:
-        controller: home-assistant
-        ports:
-          http:
-            port: 8123
-    ingress:
-      app:
-        className: internal-nginx
-        hosts:
-          - host: &host hass.jahanson.tech
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts: [*host]
-    persistence:
-      config:
-        existingClaim: home-assistant
-      logs:
-        type: emptyDir
-        globalMounts:
-          - path: /config/logs
-      tts:
-        type: emptyDir
-        globalMounts:
-          - path: /config/tts
-      tmp:
-        type: emptyDir

.archive/kubernetes/home-automation/kustomization.yaml

@@ -1,9 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  # Pre Flux-Kustomizations
-  - ./namespace.yaml
-  # Flux-Kustomizations
-  - ./mosquitto/ks.yaml

.archive/kubernetes/home-automation/matter-server/app/helmrelease.yaml

@@ -1,107 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: &app matter-server
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.2.1
-      interval: 15m
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      strategy: rollback
-      retries: 3
-  values:
-    controllers:
-      matter-server:
-        type: statefulset
-        annotations:
-          reloader.stakater.com/auto: "true"
-        pod:
-          annotations:
-            k8s.v1.cni.cncf.io/networks: |
-              [{
-                "name":"multus-iot",
-                "namespace": "kube-system",
-                "ips": ["10.1.3.152/24"]
-              }]
-          securityContext:
-            runAsUser: 568
-            runAsGroup: 568
-            runAsNonRoot: true
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-
-        containers:
-          app:
-            image:
-              repository: ghcr.io/home-assistant-libs/python-matter-server
-              tag: 6.0.1
-              pullPolicy: IfNotPresent
-            env:
-              TZ: "America/Chicago"
-              MATTER_SERVER__INSTANCE_NAME: Matter-Server
-              MATTER_SERVER__PORT: &port 5580
-              MATTER_SERVER__APPLICATION_URL: &host matter.jahanson.tech
-              MATTER_SERVER__LOG_LEVEL: info
-            probes:
-              liveness:
-                enabled: true
-              readiness:
-                enabled: true
-              startup:
-                enabled: true
-                spec:
-                  failureThreshold: 30
-                  periodSeconds: 5
-            resources:
-              requests:
-                memory: "100M"
-              limits:
-                memory: "500M"
-    service:
-      app:
-        controller: *app
-        type: LoadBalancer
-        annotations:
-          io.cilium/lb-ipam-ips: "10.1.1.37"
-        ports:
-          api:
-            enabled: true
-            primary: true
-            protocol: TCP
-            port: *port
-        externalTrafficPolicy: Cluster
-    persistence:
-      config:
-        enabled: true
-        existingClaim: matter-server
-        advancedMounts:
-          matter-server:
-            app:
-              - path: "/data"
-    ingress:
-      app:
-        className: internal-nginx
-        hosts:
-          - host: *host
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts: [*host]

.archive/kubernetes/home-automation/mosquitto/app/config/mosquitto.conf

@@ -1,9 +0,0 @@
-per_listener_settings false
-listener 1883
-allow_anonymous false
-persistence true
-persistence_location /data
-autosave_interval 1800
-connection_messages false
-autosave_interval 60
-password_file /mosquitto/external_config/mosquitto_pwd

.archive/kubernetes/home-automation/mosquitto/app/externalsecret.yaml

@@ -1,27 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: mosquitto
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: mosquitto-secret
-    creationPolicy: Owner
-    template:
-      engineVersion: v2
-      data:
-        mosquitto_pwd: |
-          {{ .mosquitto_username }}:{{ .mosquitto_password }}
-          {{ .mosquitto_zwave_username }}:{{ .mosquitto_zwave_password }}
-          {{ .mosquitto_home_assistant_username }}:{{ .mosquitto_home_assistant_password }}
-  dataFrom:
-    - extract:
-        key: mosquitto
-      rewrite:
-        - regexp:
-            source: "(.*)"
-            target: "mosquitto_$1"

.archive/kubernetes/home-automation/mosquitto/app/helmrelease.yaml

@@ -1,105 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: &app mosquitto
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.2.1
-      interval: 30m
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-
-  values:
-    controllers:
-      mosquitto:
-        annotations:
-          reloader.stakater.com/auto: "true"
-
-        pod:
-          securityContext:
-            runAsUser: 568
-            runAsGroup: 568
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-
-        initContainers:
-          init-config:
-            image:
-              repository: public.ecr.aws/docker/library/eclipse-mosquitto
-              tag: 2.0.18
-            command:
-              - "/bin/sh"
-              - "-c"
-            args:
-              - cp /tmp/secret/* /mosquitto/external_config/;
-                mosquitto_passwd -U /mosquitto/external_config/mosquitto_pwd;
-                chmod 0600 /mosquitto/external_config/mosquitto_pwd;
-
-        containers:
-          app:
-            image:
-              repository: public.ecr.aws/docker/library/eclipse-mosquitto
-              tag: 2.0.18
-            probes:
-              liveness:
-                enabled: true
-              readiness:
-                enabled: true
-              startup:
-                enabled: true
-                spec:
-                  failureThreshold: 30
-                  periodSeconds: 5
-            resources:
-              requests:
-                cpu: 5m
-                memory: 10M
-              limits:
-                memory: 10M
-
-    service:
-      app:
-        controller: mosquitto
-        type: LoadBalancer
-        annotations:
-          external-dns.alpha.kubernetes.io/hostname: "mqtt.jahanson.tech"
-          io.cilium/lb-ipam-ips: "10.1.1.36"
-        externalTrafficPolicy: Local
-        ports:
-          mqtt:
-            enabled: true
-            port: 1883
-
-    persistence:
-      data:
-        existingClaim: *app
-        advancedMounts:
-          mosquitto:
-            app:
-              - path: /data
-      mosquitto-configfile:
-        type: configMap
-        name: mosquitto-configmap
-        advancedMounts:
-          mosquitto:
-            app:
-              - path: /mosquitto/config/mosquitto.conf
-                subPath: mosquitto.conf
-      mosquitto-secret:
-        type: secret
-        name: mosquitto-secret
-        advancedMounts:
-          mosquitto:
-            init-config:
-              - path: /tmp/secret
-      mosquitto-externalconfig:
-        type: emptyDir
-        globalMounts:
-          - path: /mosquitto/external_config

.archive/kubernetes/home-automation/mosquitto/ks.yaml

@@ -1,28 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &appname mosquitto
-  namespace: flux-system
-spec:
-  targetNamespace: home-automation
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *appname
-  interval: 10m
-  path: "./kubernetes/apps/home-automation/mosquitto/app"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: homelab
-  wait: true
-  dependsOn:
-    - name: openebs
-    - name: volsync
-    - name: external-secrets-stores
-  postBuild:
-    substitute:
-      APP: *appname
-      VOLSYNC_CLAIM: mosquitto-data
-      VOLSYNC_CAPACITY: 512Mi

.archive/kubernetes/home-automation/namespace.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: home-automation
-  labels:
-    kustomize.toolkit.fluxcd.io/prune: disabled
-    volsync.backube/privileged-movers: "true"

.archive/kubernetes/kube-system/cilium/app/bgpcrd.yaml

@@ -1,588 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
-  creationTimestamp: null
-  name: ciliumbgppeeringpolicies.cilium.io
-spec:
-  group: cilium.io
-  names:
-    categories:
-    - cilium
-    - ciliumbgp
-    kind: CiliumBGPPeeringPolicy
-    listKind: CiliumBGPPeeringPolicyList
-    plural: ciliumbgppeeringpolicies
-    shortNames:
-    - bgpp
-    singular: ciliumbgppeeringpolicy
-  scope: Cluster
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .metadata.creationTimestamp
-      name: Age
-      type: date
-    name: v2alpha1
-    schema:
-      openAPIV3Schema:
-        description: CiliumBGPPeeringPolicy is a Kubernetes third-party resource for
-          instructing Cilium's BGP control plane to create virtual BGP routers.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: Spec is a human readable description of a BGP peering policy
-            properties:
-              nodeSelector:
-                description: "NodeSelector selects a group of nodes where this BGP
-                  Peering Policy applies. \n If empty / nil this policy applies to
-                  all nodes."
-                properties:
-                  matchExpressions:
-                    description: matchExpressions is a list of label selector requirements.
-                      The requirements are ANDed.
-                    items:
-                      description: A label selector requirement is a selector that
-                        contains values, a key, and an operator that relates the key
-                        and values.
-                      properties:
-                        key:
-                          description: key is the label key that the selector applies
-                            to.
-                          type: string
-                        operator:
-                          description: operator represents a key's relationship to
-                            a set of values. Valid operators are In, NotIn, Exists
-                            and DoesNotExist.
-                          enum:
-                          - In
-                          - NotIn
-                          - Exists
-                          - DoesNotExist
-                          type: string
-                        values:
-                          description: values is an array of string values. If the
-                            operator is In or NotIn, the values array must be non-empty.
-                            If the operator is Exists or DoesNotExist, the values
-                            array must be empty. This array is replaced during a strategic
-                            merge patch.
-                          items:
-                            type: string
-                          type: array
-                      required:
-                      - key
-                      - operator
-                      type: object
-                    type: array
-                  matchLabels:
-                    additionalProperties:
-                      description: MatchLabelsValue represents the value from the
-                        MatchLabels {key,value} pair.
-                      maxLength: 63
-                      pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
-                      type: string
-                    description: matchLabels is a map of {key,value} pairs. A single
-                      {key,value} in the matchLabels map is equivalent to an element
-                      of matchExpressions, whose key field is "key", the operator
-                      is "In", and the values array contains only "value". The requirements
-                      are ANDed.
-                    type: object
-                type: object
-              virtualRouters:
-                description: A list of CiliumBGPVirtualRouter(s) which instructs the
-                  BGP control plane how to instantiate virtual BGP routers.
-                items:
-                  description: CiliumBGPVirtualRouter defines a discrete BGP virtual
-                    router configuration.
-                  properties:
-                    exportPodCIDR:
-                      default: false
-                      description: ExportPodCIDR determines whether to export the
-                        Node's private CIDR block to the configured neighbors.
-                      type: boolean
-                    localASN:
-                      description: LocalASN is the ASN of this virtual router. Supports
-                        extended 32bit ASNs
-                      format: int64
-                      maximum: 4294967295
-                      minimum: 0
-                      type: integer
-                    neighbors:
-                      description: Neighbors is a list of neighboring BGP peers for
-                        this virtual router
-                      items:
-                        description: CiliumBGPNeighbor is a neighboring peer for use
-                          in a CiliumBGPVirtualRouter configuration.
-                        properties:
-                          advertisedPathAttributes:
-                            description: AdvertisedPathAttributes can be used to apply
-                              additional path attributes to selected routes when advertising
-                              them to the peer. If empty / nil, no additional path
-                              attributes are advertised.
-                            items:
-                              description: CiliumBGPPathAttributes can be used to
-                                apply additional path attributes to matched routes
-                                when advertising them to a BGP peer.
-                              properties:
-                                communities:
-                                  description: Communities defines a set of community
-                                    values advertised in the supported BGP Communities
-                                    path attributes. If nil / not set, no BGP Communities
-                                    path attribute will be advertised.
-                                  properties:
-                                    large:
-                                      description: Large holds a list of the BGP Large
-                                        Communities Attribute (RFC 8092) values.
-                                      items:
-                                        description: BGPLargeCommunity type represents
-                                          a value of the BGP Large Communities Attribute
-                                          (RFC 8092), as three 4-byte decimal numbers
-                                          separated by colons.
-                                        pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$
-                                        type: string
-                                      type: array
-                                    standard:
-                                      description: Standard holds a list of "standard"
-                                        32-bit BGP Communities Attribute (RFC 1997)
-                                        values defined as numeric values.
-                                      items:
-                                        description: BGPStandardCommunity type represents
-                                          a value of the "standard" 32-bit BGP Communities
-                                          Attribute (RFC 1997) as a 4-byte decimal
-                                          number or two 2-byte decimal numbers separated
-                                          by a colon (<0-65535>:<0-65535>). For example,
-                                          no-export community value is 65553:65281.
-                                        pattern: ^([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[01][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[01][0-9]{2}|42949672[0-8][0-9]|429496729[0-5])$|^([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$
-                                        type: string
-                                      type: array
-                                    wellKnown:
-                                      description: WellKnown holds a list "standard"
-                                        32-bit BGP Communities Attribute (RFC 1997)
-                                        values defined as well-known string aliases
-                                        to their numeric values.
-                                      items:
-                                        description: "BGPWellKnownCommunity type represents
-                                          a value of the \"standard\" 32-bit BGP Communities
-                                          Attribute (RFC 1997) as a well-known string
-                                          alias to its numeric value. Allowed values
-                                          and their mapping to the numeric values:
-                                          \n internet                   = 0x00000000
-                                          (0:0) planned-shut               = 0xffff0000
-                                          (65535:0) accept-own                 = 0xffff0001
-                                          (65535:1) route-filter-translated-v4 = 0xffff0002
-                                          (65535:2) route-filter-v4            = 0xffff0003
-                                          (65535:3) route-filter-translated-v6 = 0xffff0004
-                                          (65535:4) route-filter-v6            = 0xffff0005
-                                          (65535:5) llgr-stale                 = 0xffff0006
-                                          (65535:6) no-llgr                    = 0xffff0007
-                                          (65535:7) blackhole                  = 0xffff029a
-                                          (65535:666) no-export                  =
-                                          0xffffff01\t(65535:65281) no-advertise               =
-                                          0xffffff02 (65535:65282) no-export-subconfed
-                                          \       = 0xffffff03 (65535:65283) no-peer
-                                          \                   = 0xffffff04 (65535:65284)"
-                                        enum:
-                                        - internet
-                                        - planned-shut
-                                        - accept-own
-                                        - route-filter-translated-v4
-                                        - route-filter-v4
-                                        - route-filter-translated-v6
-                                        - route-filter-v6
-                                        - llgr-stale
-                                        - no-llgr
-                                        - blackhole
-                                        - no-export
-                                        - no-advertise
-                                        - no-export-subconfed
-                                        - no-peer
-                                        type: string
-                                      type: array
-                                  type: object
-                                localPreference:
-                                  description: LocalPreference defines the preference
-                                    value advertised in the BGP Local Preference path
-                                    attribute. As Local Preference is only valid for
-                                    iBGP peers, this value will be ignored for eBGP
-                                    peers (no Local Preference path attribute will
-                                    be advertised). If nil / not set, the default
-                                    Local Preference of 100 will be advertised in
-                                    the Local Preference path attribute for iBGP peers.
-                                  format: int64
-                                  maximum: 4294967295
-                                  minimum: 0
-                                  type: integer
-                                selector:
-                                  description: Selector selects a group of objects
-                                    of the SelectorType resulting into routes that
-                                    will be announced with the configured Attributes.
-                                    If nil / not set, all objects of the SelectorType
-                                    are selected.
-                                  properties:
-                                    matchExpressions:
-                                      description: matchExpressions is a list of label
-                                        selector requirements. The requirements are
-                                        ANDed.
-                                      items:
-                                        description: A label selector requirement
-                                          is a selector that contains values, a key,
-                                          and an operator that relates the key and
-                                          values.
-                                        properties:
-                                          key:
-                                            description: key is the label key that
-                                              the selector applies to.
-                                            type: string
-                                          operator:
-                                            description: operator represents a key's
-                                              relationship to a set of values. Valid
-                                              operators are In, NotIn, Exists and
-                                              DoesNotExist.
-                                            enum:
-                                            - In
-                                            - NotIn
-                                            - Exists
-                                            - DoesNotExist
-                                            type: string
-                                          values:
-                                            description: values is an array of string
-                                              values. If the operator is In or NotIn,
-                                              the values array must be non-empty.
-                                              If the operator is Exists or DoesNotExist,
-                                              the values array must be empty. This
-                                              array is replaced during a strategic
-                                              merge patch.
-                                            items:
-                                              type: string
-                                            type: array
-                                        required:
-                                        - key
-                                        - operator
-                                        type: object
-                                      type: array
-                                    matchLabels:
-                                      additionalProperties:
-                                        description: MatchLabelsValue represents the
-                                          value from the MatchLabels {key,value} pair.
-                                        maxLength: 63
-                                        pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
-                                        type: string
-                                      description: matchLabels is a map of {key,value}
-                                        pairs. A single {key,value} in the matchLabels
-                                        map is equivalent to an element of matchExpressions,
-                                        whose key field is "key", the operator is
-                                        "In", and the values array contains only "value".
-                                        The requirements are ANDed.
-                                      type: object
-                                  type: object
-                                selectorType:
-                                  description: 'SelectorType defines the object type
-                                    on which the Selector applies: - For "PodCIDR"
-                                    the Selector matches k8s CiliumNode resources
-                                    (path attributes apply to routes announced for
-                                    PodCIDRs of selected CiliumNodes. Only affects
-                                    routes of cluster scope / Kubernetes IPAM CIDRs,
-                                    not Multi-Pool IPAM CIDRs. - For "CiliumLoadBalancerIPPool"
-                                    the Selector matches CiliumLoadBalancerIPPool
-                                    custom resources (path attributes apply to routes
-                                    announced for selected CiliumLoadBalancerIPPools).
-                                    - For "CiliumPodIPPool" the Selector matches CiliumPodIPPool
-                                    custom resources (path attributes apply to routes
-                                    announced for allocated CIDRs of selected CiliumPodIPPools).'
-                                  enum:
-                                  - PodCIDR
-                                  - CiliumLoadBalancerIPPool
-                                  - CiliumPodIPPool
-                                  type: string
-                              required:
-                              - selectorType
-                              type: object
-                            type: array
-                          authSecretRef:
-                            description: AuthSecretRef is the name of the secret to
-                              use to fetch a TCP authentication password for this
-                              peer.
-                            type: string
-                          connectRetryTimeSeconds:
-                            default: 120
-                            description: ConnectRetryTimeSeconds defines the initial
-                              value for the BGP ConnectRetryTimer (RFC 4271, Section
-                              8).
-                            format: int32
-                            maximum: 2147483647
-                            minimum: 1
-                            type: integer
-                          eBGPMultihopTTL:
-                            default: 1
-                            description: EBGPMultihopTTL controls the multi-hop feature
-                              for eBGP peers. Its value defines the Time To Live (TTL)
-                              value used in BGP packets sent to the neighbor. The
-                              value 1 implies that eBGP multi-hop feature is disabled
-                              (only a single hop is allowed). This field is ignored
-                              for iBGP peers.
-                            format: int32
-                            maximum: 255
-                            minimum: 1
-                            type: integer
-                          families:
-                            description: "Families, if provided, defines a set of
-                              AFI/SAFIs the speaker will negotiate with it's peer.
-                              \n If this slice is not provided the default families
-                              of IPv6 and IPv4 will be provided."
-                            items:
-                              description: CiliumBGPFamily represents a AFI/SAFI address
-                                family pair.
-                              properties:
-                                afi:
-                                  description: Afi is the Address Family Identifier
-                                    (AFI) of the family.
-                                  enum:
-                                  - ipv4
-                                  - ipv6
-                                  - l2vpn
-                                  - ls
-                                  - opaque
-                                  type: string
-                                safi:
-                                  description: Safi is the Subsequent Address Family
-                                    Identifier (SAFI) of the family.
-                                  enum:
-                                  - unicast
-                                  - multicast
-                                  - mpls_label
-                                  - encapsulation
-                                  - vpls
-                                  - evpn
-                                  - ls
-                                  - sr_policy
-                                  - mup
-                                  - mpls_vpn
-                                  - mpls_vpn_multicast
-                                  - route_target_constraints
-                                  - flowspec_unicast
-                                  - flowspec_vpn
-                                  - key_value
-                                  type: string
-                              required:
-                              - afi
-                              - safi
-                              type: object
-                            type: array
-                          gracefulRestart:
-                            description: GracefulRestart defines graceful restart
-                              parameters which are negotiated with this neighbor.
-                              If empty / nil, the graceful restart capability is disabled.
-                            properties:
-                              enabled:
-                                description: Enabled flag, when set enables graceful
-                                  restart capability.
-                                type: boolean
-                              restartTimeSeconds:
-                                default: 120
-                                description: RestartTimeSeconds is the estimated time
-                                  it will take for the BGP session to be re-established
-                                  with peer after a restart. After this period, peer
-                                  will remove stale routes. This is described RFC
-                                  4724 section 4.2.
-                                format: int32
-                                maximum: 4095
-                                minimum: 1
-                                type: integer
-                            required:
-                            - enabled
-                            type: object
-                          holdTimeSeconds:
-                            default: 90
-                            description: HoldTimeSeconds defines the initial value
-                              for the BGP HoldTimer (RFC 4271, Section 4.2). Updating
-                              this value will cause a session reset.
-                            format: int32
-                            maximum: 65535
-                            minimum: 3
-                            type: integer
-                          keepAliveTimeSeconds:
-                            default: 30
-                            description: KeepaliveTimeSeconds defines the initial
-                              value for the BGP KeepaliveTimer (RFC 4271, Section
-                              8). It can not be larger than HoldTimeSeconds. Updating
-                              this value will cause a session reset.
-                            format: int32
-                            maximum: 65535
-                            minimum: 1
-                            type: integer
-                          peerASN:
-                            description: PeerASN is the ASN of the peer BGP router.
-                              Supports extended 32bit ASNs
-                            format: int64
-                            maximum: 4294967295
-                            minimum: 0
-                            type: integer
-                          peerAddress:
-                            description: PeerAddress is the IP address of the peer.
-                              This must be in CIDR notation and use a /32 to express
-                              a single host.
-                            format: cidr
-                            type: string
-                          peerPort:
-                            default: 179
-                            description: PeerPort is the TCP port of the peer. 1-65535
-                              is the range of valid port numbers that can be specified.
-                              If unset, defaults to 179.
-                            format: int32
-                            maximum: 65535
-                            minimum: 1
-                            type: integer
-                        required:
-                        - peerASN
-                        - peerAddress
-                        type: object
-                      minItems: 1
-                      type: array
-                    podIPPoolSelector:
-                      description: "PodIPPoolSelector selects CiliumPodIPPools based
-                        on labels. The virtual router will announce allocated CIDRs
-                        of matching CiliumPodIPPools. \n If empty / nil no CiliumPodIPPools
-                        will be announced."
-                      properties:
-                        matchExpressions:
-                          description: matchExpressions is a list of label selector
-                            requirements. The requirements are ANDed.
-                          items:
-                            description: A label selector requirement is a selector
-                              that contains values, a key, and an operator that relates
-                              the key and values.
-                            properties:
-                              key:
-                                description: key is the label key that the selector
-                                  applies to.
-                                type: string
-                              operator:
-                                description: operator represents a key's relationship
-                                  to a set of values. Valid operators are In, NotIn,
-                                  Exists and DoesNotExist.
-                                enum:
-                                - In
-                                - NotIn
-                                - Exists
-                                - DoesNotExist
-                                type: string
-                              values:
-                                description: values is an array of string values.
-                                  If the operator is In or NotIn, the values array
-                                  must be non-empty. If the operator is Exists or
-                                  DoesNotExist, the values array must be empty. This
-                                  array is replaced during a strategic merge patch.
-                                items:
-                                  type: string
-                                type: array
-                            required:
-                            - key
-                            - operator
-                            type: object
-                          type: array
-                        matchLabels:
-                          additionalProperties:
-                            description: MatchLabelsValue represents the value from
-                              the MatchLabels {key,value} pair.
-                            maxLength: 63
-                            pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
-                            type: string
-                          description: matchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
-                          type: object
-                      type: object
-                    serviceSelector:
-                      description: "ServiceSelector selects a group of load balancer
-                        services which this virtual router will announce. The loadBalancerClass
-                        for a service must be nil or specify a class supported by
-                        Cilium, e.g. \"io.cilium/bgp-control-plane\". Refer to the
-                        following document for additional details regarding load balancer
-                        classes: \n https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
-                        \n If empty / nil no services will be announced."
-                      properties:
-                        matchExpressions:
-                          description: matchExpressions is a list of label selector
-                            requirements. The requirements are ANDed.
-                          items:
-                            description: A label selector requirement is a selector
-                              that contains values, a key, and an operator that relates
-                              the key and values.
-                            properties:
-                              key:
-                                description: key is the label key that the selector
-                                  applies to.
-                                type: string
-                              operator:
-                                description: operator represents a key's relationship
-                                  to a set of values. Valid operators are In, NotIn,
-                                  Exists and DoesNotExist.
-                                enum:
-                                - In
-                                - NotIn
-                                - Exists
-                                - DoesNotExist
-                                type: string
-                              values:
-                                description: values is an array of string values.
-                                  If the operator is In or NotIn, the values array
-                                  must be non-empty. If the operator is Exists or
-                                  DoesNotExist, the values array must be empty. This
-                                  array is replaced during a strategic merge patch.
-                                items:
-                                  type: string
-                                type: array
-                            required:
-                            - key
-                            - operator
-                            type: object
-                          type: array
-                        matchLabels:
-                          additionalProperties:
-                            description: MatchLabelsValue represents the value from
-                              the MatchLabels {key,value} pair.
-                            maxLength: 63
-                            pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
-                            type: string
-                          description: matchLabels is a map of {key,value} pairs.
-                            A single {key,value} in the matchLabels map is equivalent
-                            to an element of matchExpressions, whose key field is
-                            "key", the operator is "In", and the values array contains
-                            only "value". The requirements are ANDed.
-                          type: object
-                      type: object
-                  required:
-                  - localASN
-                  - neighbors
-                  type: object
-                minItems: 1
-                type: array
-            required:
-            - virtualRouters
-            type: object
-        required:
-        - metadata
-        type: object
-    served: true
-    storage: true
-    subresources: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

.archive/kubernetes/kube-system/cilium/app/bgppeeringpolicy.yaml

@@ -1,36 +0,0 @@
----
-apiVersion: cilium.io/v2alpha1
-kind: CiliumBGPPeeringPolicy
-# comments courtesy of JJGadgets
-# MAKE SURE CRDs ARE INSTALLED IN CLUSTER VIA cilium-config ConfigMap OR Cilium HelmRelease/values.yaml (bgpControlPlane.enabled: true), BEFORE THIS IS APPLIED!
-# "CiliumBGPPeeringPolicy" Custom Resource will replace the old MetalLB BGP's "bgp-config" ConfigMap
-# "CiliumBGPPeeringPolicy" is used with `bgpControlPlane.enabled: true` which uses GoBGP, NOT the old `bgp.enabled: true` which uses MetalLB
-metadata:
-  name: bgp-loadbalancer-ip-main
-spec:
-  nodeSelector:
-    matchLabels:
-      kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster
-  virtualRouters:
-    - localASN: 64512
-      exportPodCIDR: false
-      serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
-        matchExpressions:
-          - {
-            key: thisFakeSelector,
-            operator: NotIn,
-            values: ["will-match-and-announce-all-services"],
-          }
-      neighbors:
-        - peerAddress: "10.1.1.1/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
-          peerASN: 64512
-
----
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumloadbalancerippool_v2alpha1.json
-apiVersion: "cilium.io/v2alpha1"
-kind: CiliumLoadBalancerIPPool
-metadata:
-  name: main-pool
-spec:
-  cidrs:
-    - cidr: 10.45.0.1/24

.archive/kubernetes/kube-system/cilium/app/helmrelease.yaml

@@ -1,78 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: cilium
-  namespace: kube-system
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: cilium
-      version: 1.15.3
-      sourceRef:
-        kind: HelmRepository
-        name: cilium
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    cluster:
-      name: homelab
-      id: 1
-    hubble:
-      relay:
-        enabled: true
-      ui:
-        enabled: true
-      metrics:
-        enableOpenMetrics: true
-    prometheus:
-      enabled: true
-    operator:
-      prometheus:
-        enabled: true
-    ipam:
-      mode: kubernetes
-    kubeProxyReplacement: true
-    k8sServiceHost: 127.0.0.1
-    k8sServicePort: 7445
-    rollOutCiliumPods: true
-    cgroup:
-      automount:
-        enabled: false
-      hostRoot: /sys/fs/cgroup
-    bgp:
-      enabled: false
-      announce:
-        loadbalancerIP: true
-        podCIDR: false
-    bgpControlPlane:
-      enabled: true
-    securityContext:
-      capabilities:
-        ciliumAgent:
-          - CHOWN
-          - KILL
-          - NET_ADMIN
-          - NET_RAW
-          - IPC_LOCK
-          - SYS_ADMIN
-          - SYS_RESOURCE
-          - DAC_OVERRIDE
-          - FOWNER
-          - SETGID
-          - SETUID
-        cleanCiliumState:
-          - NET_ADMIN
-          - SYS_ADMIN
-          - SYS_RESOURCE

.archive/kubernetes/kube-system/cilium/app/netpols/allow-ssh.yaml

@@ -1,23 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: allow-ssh
-spec:
-  description: ""
-  nodeSelector:
-    matchLabels:
-      # node-access: ssh
-      node-role.kubernetes.io/control-plane: "true"
-  ingress:
-  - fromEntities:
-    - cluster
-  - toPorts:
-    - ports:
-      - port: "22"
-        protocol: TCP
-  - icmps:
-    - fields:
-      - type: 8
-        family: IPv4

.archive/kubernetes/kube-system/cilium/app/netpols/apiserver.yaml

@@ -1,27 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: api-server
-spec:
-  nodeSelector:
-    # apply to master nodes
-    matchLabels:
-      node-role.kubernetes.io/control-plane: 'true'
-  ingress:
-  # load balancer -> api server
-  - fromCIDR:
-    - 167.235.217.82/32
-    toPorts:
-    - ports:
-      - port: '6443'
-        protocol: TCP
-  egress:
-  # api server -> kubelet
-  - toEntities:
-    - remote-node
-    toPorts:
-    - ports:
-      - port: '10250'
-        protocol: TCP

.archive/kubernetes/kube-system/cilium/app/netpols/cilium-health.yaml

@@ -1,41 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: cilium-health
-specs:
-  - endpointSelector:
-      # apply to health endpoints
-      matchLabels:
-        reserved:health: ''
-    ingress:
-    # cilium agent -> cilium agent
-    - fromEntities:
-      - host
-      - remote-node
-      toPorts:
-      - ports:
-        - port: '4240'
-          protocol: TCP
-  - nodeSelector:
-      # apply to all nodes
-      matchLabels: {}
-    ingress:
-    # cilium agent -> cilium agent
-    - fromEntities:
-      - health
-      - remote-node
-      toPorts:
-      - ports:
-        - port: '4240'
-          protocol: TCP
-    egress:
-    # cilium agent -> cilium agent
-    - toEntities:
-      - health
-      - remote-node
-      toPorts:
-      - ports:
-        - port: '4240'
-          protocol: TCP

.archive/kubernetes/kube-system/cilium/app/netpols/cilium-vxlan.yaml

@@ -1,26 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: cilium-vxlan
-spec:
-  nodeSelector:
-    # apply to all nodes
-    matchLabels: {}
-  ingress:
-  # node -> vxlan
-  - fromEntities:
-    - remote-node
-    toPorts:
-    - ports:
-      - port: '8472'
-        protocol: UDP
-  egress:
-  # node -> vxlan
-  - toEntities:
-    - remote-node
-    toPorts:
-    - ports:
-      - port: '8472'
-        protocol: UDP

.archive/kubernetes/kube-system/cilium/app/netpols/core-dns.yaml

@@ -1,65 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: core-dns
-  namespace: kube-system
-specs:
-  - nodeSelector:
-      # apply to master nodes
-      matchLabels:
-        node-role.kubernetes.io/control-plane: 'true'
-    ingress:
-    # core dns -> api server
-    - fromEndpoints:
-      - matchLabels:
-          io.cilium.k8s.policy.serviceaccount: coredns
-      toPorts:
-      - ports:
-        - port: '6443'
-          protocol: TCP
-  - nodeSelector:
-      # apply to all nodes
-      matchLabels: {}
-    egress:
-    # kubelet -> core dns probes
-    - toEndpoints:
-      - matchLabels:
-          io.cilium.k8s.policy.serviceaccount: coredns
-      toPorts:
-      - ports:
-        - port: '8080'
-          protocol: TCP
-        - port: '8181'
-          protocol: TCP
-  - endpointSelector:
-      # apply to core dns pods
-      matchLabels:
-        io.cilium.k8s.policy.serviceaccount: coredns
-    ingress:
-    # kubelet -> core dns probes
-    - fromEntities:
-      - host
-      toPorts:
-      - ports:
-        - port: '8080'
-          protocol: TCP
-        - port: '8181'
-          protocol: TCP
-    egress:
-    # core dns -> api server
-    - toEntities:
-      - kube-apiserver
-      toPorts:
-      - ports:
-        - port: '6443'
-          protocol: TCP
-    # core dns -> upstream DNS
-    - toCIDR:
-      - 185.12.64.1/32
-      - 185.12.64.2/32
-      toPorts:
-      - ports:
-        - port: '53'
-          protocol: UDP

.archive/kubernetes/kube-system/cilium/app/netpols/etcd.yaml

@@ -1,27 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: etcd
-spec:
-  nodeSelector:
-    # apply to master nodes
-    matchLabels:
-      node-role.kubernetes.io/control-plane: 'true'
-  ingress:
-  # etcd peer -> etcd peer
-  - fromEntities:
-    - remote-node
-    toPorts:
-    - ports:
-      - port: '2380'
-        protocol: TCP
-  egress:
-  # etcd peer -> etcd peer
-  - toEntities:
-    - remote-node
-    toPorts:
-    - ports:
-      - port: '2380'
-        protocol: TCP

.archive/kubernetes/kube-system/cilium/app/netpols/fix-apiserver.yml

@@ -1,15 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: "cilium.io/v2"
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: allow-specific-traffic
-spec:
-  endpointSelector: {}
-  ingress:
-  - fromEntities:
-    - host
-    toPorts:
-    - ports:
-      - port: '6443'
-        protocol: TCP

.archive/kubernetes/kube-system/cilium/app/netpols/hubble-relay.yaml

@@ -1,50 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: hubble-relay
-  namespace: kube-system
-specs:
-  - nodeSelector:
-      # apply to all nodes
-      matchLabels: {}
-    ingress:
-    # hubble relay -> hubble agent
-    - fromEndpoints:
-      - matchLabels:
-          io.cilium.k8s.policy.serviceaccount: hubble-relay
-      toPorts:
-      - ports:
-        - port: '4244'
-          protocol: TCP
-    egress:
-    # kubelet -> hubble relay probes
-    - toEndpoints:
-      - matchLabels:
-          io.cilium.k8s.policy.serviceaccount: hubble-relay
-      toPorts:
-      - ports:
-        - port: '4245'
-          protocol: TCP
-  - endpointSelector:
-      # apply to hubble relay pods
-      matchLabels:
-        io.cilium.k8s.policy.serviceaccount: hubble-relay
-    ingress:
-    # kubelet -> hubble relay probes
-    - fromEntities:
-      - host
-      toPorts:
-      - ports:
-        - port: '4245'
-          protocol: TCP
-    egress:
-    # hubble relay -> hubble agent
-    - toEntities:
-      - host
-      - remote-node
-      toPorts:
-      - ports:
-        - port: '4244'
-          protocol: TCP

.archive/kubernetes/kube-system/cilium/app/netpols/hubble-ui.yaml

@@ -1,75 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumnetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: hubble-ui
-  namespace: kube-system
-specs:
-  - nodeSelector:
-      # apply to master nodes
-      matchLabels:
-        node-role.kubernetes.io/control-plane: ''
-    ingress:
-    # hubble ui -> api server
-    - fromEndpoints:
-      - matchLabels:
-          io.cilium.k8s.policy.serviceaccount: hubble-ui
-      toPorts:
-      - ports:
-        - port: '6443'
-          protocol: TCP
-  - endpointSelector:
-      # apply to core dns endpoints
-      matchLabels:
-        io.cilium.k8s.policy.serviceaccount: coredns
-    ingress:
-    # hubble ui -> core dns
-    - fromEndpoints:
-      - matchLabels:
-          io.cilium.k8s.policy.serviceaccount: hubble-ui
-      toPorts:
-      - ports:
-        - port: '53'
-          protocol: UDP
-  - endpointSelector:
-      # apply to hubble relay endpoints
-      matchLabels:
-        io.cilium.k8s.policy.serviceaccount: hubble-relay
-    ingress:
-    # hubble ui -> hubble relay
-    - fromEndpoints:
-      - matchLabels:
-          io.cilium.k8s.policy.serviceaccount: hubble-ui
-      toPorts:
-      - ports:
-        - port: '4245'
-          protocol: TCP
-  - endpointSelector:
-      # apply to hubble ui endpoints
-      matchLabels:
-        io.cilium.k8s.policy.serviceaccount: hubble-ui
-    egress:
-    # hubble ui -> api server
-    - toEntities:
-      - kube-apiserver
-      toPorts:
-      - ports:
-        - port: '6443'
-          protocol: TCP
-    # hubble ui -> hubble relay
-    - toEndpoints:
-      - matchLabels:
-          io.cilium.k8s.policy.serviceaccount: hubble-relay
-      toPorts:
-      - ports:
-        - port: '4245'
-          protocol: TCP
-    # hubble ui -> core dns
-    - toEndpoints:
-      - matchLabels:
-          io.cilium.k8s.policy.serviceaccount: coredns
-      toPorts:
-      - ports:
-        - port: '53'
-          protocol: UDP

.archive/kubernetes/kube-system/cilium/app/netpols/kubelet.yaml

@@ -1,28 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-  name: kubelet
-spec:
-  nodeSelector:
-    # apply to all nodes
-    matchLabels: {}
-  ingress:
-  # api server -> kubelet
-  - fromEntities:
-    - kube-apiserver
-    toPorts:
-    - ports:
-      - port: '10250'
-        protocol: TCP
-  egress:
-  # kubelet -> load balancer
-  - toCIDR:
-    - 167.235.217.82/32
-    toEntities:
-      - host
-    toPorts:
-    - ports:
-      - port: '6443'
-        protocol: TCP

.archive/kubernetes/kube-system/cilium/app/netpols/kustomization.yaml

@@ -1,16 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kube-system
-resources:
-  - ./allow-ssh.yaml
-  - ./apiserver.yaml
-  - ./cilium-health.yaml
-  - ./cilium-vxlan.yaml
-  - ./core-dns.yaml
-  - ./etcd.yaml
-  - ./hubble-relay.yaml
-  - ./hubble-ui.yaml
-  - ./kubelet.yaml
-

.archive/kubernetes/kube-system/cilium/ks.yaml

@@ -1,17 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cilium
-  namespace: flux-system
-spec:
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m
-  path: "./kubernetes/apps/kube-system/cilium/app"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: homelab
-  wait: false

.archive/kubernetes/kube-system/spegel/app/resources/values.yml

@@ -1,17 +0,0 @@
----
-spegel:
-  containerdSock: /run/containerd/containerd.sock
-  containerdRegistryConfigPath: /etc/cri/conf.d/hosts
-  registries:
-    - https://docker.io
-    - https://ghcr.io
-    - https://quay.io
-    - https://mcr.microsoft.com
-    - https://public.ecr.aws
-    - https://gcr.io
-    - https://registry.k8s.io
-    - https://k8s.gcr.io
-    - https://lscr.io
-service:
-  registry:
-    hostPort: 29999

.archive/kubernetes/kube-system/zfs-scrub/app/helmrelease.yaml

@@ -1,109 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: &app zfs-scrub
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.2.1
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      kubanetics:
-        type: cronjob
-        cronjob:
-          schedule: "@weekly"
-          parallelism: 1 # Set to my total number of nodes
-        containers:
-          app:
-            image:
-              repository: ghcr.io/aarnaud/talos-debug-tools
-              tag: latest-6.6.29
-            command: ["/bin/bash", "-c"]
-            args:
-              - |
-                # Trim filesystems
-                chroot /host /usr/local/sbin/zpool scrub nahar
-            probes:
-              liveness:
-                enabled: false
-              readiness:
-                enabled: false
-              startup:
-                enabled: false
-            resources:
-              requests:
-                cpu: 25m
-              limits:
-                memory: 128Mi
-            securityContext:
-              privileged: true
-        pod:
-          hostNetwork: true
-          hostPID: true
-          topologySpreadConstraints:
-            - maxSkew: 1
-              topologyKey: kubernetes.io/hostname
-              whenUnsatisfiable: DoNotSchedule
-              labelSelector:
-                matchLabels:
-                  app.kubernetes.io/name: *app
-    persistence:
-      netfs:
-        type: hostPath
-        hostPath: /sys
-        hostPathType: Directory
-        globalMounts:
-          - path: /sys
-            readOnly: true
-      dev:
-        type: hostPath
-        hostPath: /dev
-        hostPathType: Directory
-        globalMounts:
-          - path: /dev
-      modules:
-        type: hostPath
-        hostPath: /lib/modules
-        hostPathType: ""
-        globalMounts:
-          - path: /lib/modules
-      udev:
-        type: hostPath
-        hostPath: /run/udev
-        hostPathType: ""
-        globalMounts:
-          - path: /run/udev
-      localtime:
-        type: hostPath
-        hostPath: /etc/localtime
-        hostPathType: ""
-        globalMounts:
-          - path: /etc/localtime
-      host:
-        type: hostPath
-        hostPath: /
-        hostPathType: Directory
-        globalMounts:
-          - path: /host
-      efivars:
-        type: hostPath
-        hostPath: /sys/firmware/efi/efivars
-        hostPathType: ""
-        globalMounts:
-          - path: /sys/firmware/efi/efivars

.archive/kubernetes/kube-system/zfs-scrub/app/resources/zfs-scrub.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-KUBELET_BIN="/usr/local/bin/kubelet"
-KUBELET_PID="$(pgrep -f $KUBELET_BIN)"
-ZPOOL="nahar"
-
-if [ -z "${KUBELET_PID}" ]; then
-    echo "kubelet not found"
-    exit 1
-fi
-
-# Enter namespaces and run commands
-nsrun() {
-    nsenter \
-        --mount="/host/proc/${KUBELET_PID}/ns/mnt" \
-        --net="/host/proc/${KUBELET_PID}/ns/net" \
-        -- bash -c "$1"
-}
-
-# Scrub filesystems
-nsrun "zpool scrub ${ZPOOL}"

.archive/kubernetes/media/immich/app/configmap.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: immich-app-config
-  labels:
-    app.kubernetes.io/name: immich
-data:
-  LOG_LEVEL: verbose
-  DB_VECTOR_EXTENSION: pgvector
-  NODE_ENV: production
-  REDIS_HOSTNAME: dragonfly.database.svc.cluster.local
-  REDIS_PORT: "6379"
-  IMMICH_WEB_URL: http://immich-web.media.svc.cluster.local:3000
-  IMMICH_SERVER_URL: http://immich-server.media.svc.cluster.local:3001
-  IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning.media.svc.cluster.local:3003

.archive/kubernetes/media/immich/app/helmrelease.yaml

@@ -1,97 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: &name immich
-  namespace: default
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.1.0
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      immich-server:
-        type: statefulset
-        annotations:
-          reloader.stakater.com/auto: "true"
-        containers:
-          app:
-            image:
-              repository: ghcr.io/immich-app/immich-server
-              tag: v1.105.1
-            command: /bin/sh
-            args:
-              - ./start-server.sh
-            probes:
-              startup:
-                enabled: true
-                spec:
-                  failureThreshold: 30
-                  periodSeconds: 5
-              liveness:
-                enabled: true
-              readiness:
-                enabled: true
-            resources:
-              requests:
-                cpu: 100m
-                memory: 512Mi
-              limits:
-                memory: 4Gi
-            env:
-              TZ: America/Chicago
-              DB_URL:
-                valueFrom:
-                  secretKeyRef:
-                    name: immich-secret
-                    key: DATABASE_URI
-            envFrom:
-              - configMapRef:
-                  name: immich-app-config
-    service:
-      app:
-        controller: immich-server
-        ports:
-          http:
-            port: 3001
-    ingress:
-      app:
-        enabled: true
-        className: external-nginx
-        annotations:
-          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-          external-dns.alpha.kubernetes.io/target: external.hsn.dev
-          nginx.ingress.kubernetes.io/proxy-body-size: "0"
-        hosts:
-          - host: &host "im.hsn.dev"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
-    persistence:
-      media:
-        enabled: true
-        type: nfs
-        server: 10.1.1.13
-        path: /eru/media/immich
-        globalMounts:
-          - path: /usr/src/app/upload

.archive/kubernetes/media/immich/app/kustomization.yaml

@@ -1,27 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./configmap.yaml
-  - ./externalsecret.yaml
-  - ./gatus.yaml
-  - ./helmrelease.yaml
-  - ./machine-learning
-  - ./microservices
-  - ./postgresCluster.yaml
-  - ./pushsecret.yaml
-  - ./service.yaml
-configMapGenerator:
-  - name: immich-databse-init-sql
-    files:
-      - init.sql=./resources/init.sql
-labels:
-  - pairs:
-      app.kubernetes.io/name: immich
-      app.kubernetes.io/instance: immich
-      app.kubernetes.io/part-of: immich
-generatorOptions:
-  disableNameSuffixHash: true
-  annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled

.archive/kubernetes/media/immich/app/machine-learning/helmrelease.yaml

@@ -1,82 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: immich-machine-learning
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.1.0
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-      interval: 15m
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      immich-machine-learning:
-        annotations:
-          reloader.stakater.com/auto: "true"
-        strategy: Recreate
-        pod:
-          nodeSelector:
-            nvidia.com/gpu.present: "true"
-          runtimeClassName: nvidia
-        containers:
-          app:
-            image:
-              repository: ghcr.io/immich-app/immich-machine-learning
-              tag: v1.105.1
-            resources:
-              requests:
-                cpu: 15m
-                memory: 250Mi
-              limits:
-                memory: 4000Mi
-            probes:
-              startup:
-                enabled: true
-                spec:
-                  failureThreshold: 30
-                  periodSeconds: 5
-              liveness:
-                enabled: true
-              readiness:
-                enabled: true
-            envFrom:
-              - configMapRef:
-                  name: immich-app-config
-            env:
-              DB_URL:
-                valueFrom:
-                  secretKeyRef:
-                    name: immich-secret
-                    key: DATABASE_URI
-    service:
-      app:
-        controller: immich-machine-learning
-        ports:
-          http:
-            port: 3003
-    persistence:
-      media:
-        enabled: true
-        type: nfs
-        server: 10.1.1.13
-        path: /eru/media/immich
-        globalMounts:
-          - path: /usr/src/app/upload
-      cache:
-        enabled: true
-        type: emptyDir

.archive/kubernetes/media/immich/app/machine-learning/kustomization.yaml

@@ -1,11 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-labels:
-  - pairs:
-      app.kubernetes.io/name: immich-machine-learning
-      app.kubernetes.io/instance: immich-machine-learning
-      app.kubernetes.io/part-of: immich
-resources:
-  - ./helmrelease.yaml

.archive/kubernetes/media/immich/app/microservices/helmrelease.yaml

@@ -1,80 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: immich-microservices
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.1.0
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-      interval: 15m
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      immich-microservices:
-        strategy: Recreate
-        annotations:
-          reloader.stakater.com/auto: "true"
-        pod:
-          nodeSelector:
-            nvidia.com/gpu.present: "true"
-          runtimeClassName: nvidia
-        containers:
-          app:
-            image:
-              repository: ghcr.io/immich-app/immich-server
-              tag: v1.105.1
-            command: /bin/sh
-            args:
-              - ./start-microservices.sh
-            resources:
-              requests:
-                cpu: 100m
-                memory: 250Mi
-              limits:
-                memory: 4000Mi
-            probes:
-              startup:
-                enabled: true
-                spec:
-                  failureThreshold: 30
-                  periodSeconds: 5
-              liveness:
-                enabled: true
-              readiness:
-                enabled: true
-            envFrom:
-              - configMapRef:
-                  name: immich-app-config
-            env:
-              DB_URL:
-                valueFrom:
-                  secretKeyRef:
-                    name: immich-secret
-                    key: DATABASE_URI
-    service:
-      app:
-        controller: immich-microservices
-        enabled: false
-    persistence:
-      media:
-        enabled: true
-        type: nfs
-        server: 10.1.1.13
-        path: /eru/media/immich
-        globalMounts:
-          - path: /usr/src/app/upload

.archive/kubernetes/media/immich/app/microservices/kustomization.yaml

@@ -1,11 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-labels:
-  - pairs:
-      app.kubernetes.io/name: immich-microservices
-      app.kubernetes.io/instance: immich-microservices
-      app.kubernetes.io/part-of: immich
-resources:
-  - ./helmrelease.yaml

.archive/kubernetes/media/immich/app/postgresCluster.yaml

@@ -1,94 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
-apiVersion: postgres-operator.crunchydata.com/v1beta1
-kind: PostgresCluster
-metadata:
-  name: &name "${APP}"
-spec:
-  postgresVersion: 16
-  dataSource:
-    pgbackrest:
-      stanza: db
-      configuration:
-        - secret:
-            name: pgo-s3-creds
-      global:
-        repo1-path: "/${APP}/repo1"
-        repo1-s3-uri-style: path
-      repo:
-        name: repo1
-        s3:
-          bucket: "crunchy-postgres"
-          endpoint: "s3.hsn.dev"
-          region: "us-east-1"
-  monitoring:
-    pgmonitor:
-      exporter:
-        # https://github.com/CrunchyData/postgres-operator-examples/blob/main/helm/install/values.yaml
-        image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-3
-  patroni:
-    dynamicConfiguration:
-      synchronous_mode: true
-      postgresql:
-        synchronous_commit: "on"
-        pg_hba:
-          - hostnossl all all 10.244.0.0/16 md5
-          - hostssl all all all md5
-  databaseInitSQL:
-    name: immich-databse-init-sql
-    key: init.sql
-  instances:
-    - name: postgres
-      metadata:
-        labels:
-          app.kubernetes.io/name: pgo-${APP}
-      replicas: 1
-      dataVolumeClaimSpec:
-        storageClassName: openebs-zfs
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 5Gi
-      topologySpreadConstraints:
-        - maxSkew: 1
-          topologyKey: "kubernetes.io/hostname"
-          whenUnsatisfiable: "DoNotSchedule"
-          labelSelector:
-            matchLabels:
-              postgres-operator.crunchydata.com/cluster: ${APP}
-              postgres-operator.crunchydata.com/data: postgres
-  users:
-    - name: "immich"
-      databases:
-        - "immich"
-      options: "SUPERUSER"
-      password:
-        type: AlphaNumeric
-  backups:
-    pgbackrest:
-      configuration:
-        - secret:
-            name: pgo-s3-creds
-      global:
-        archive-push-queue-max: 4GiB
-        repo1-retention-full: "14"
-        repo1-retention-full-type: time
-        repo1-path: "/${APP}/repo1"
-        repo1-s3-uri-style: path
-      manual:
-        repoName: repo1
-        options:
-          - --type=full
-      metadata:
-        labels:
-          app.kubernetes.io/name: pgo-${APP}-backup
-      repos:
-        - name: repo1
-          schedules:
-            full: "0 1 * * 0"
-            differential: "0 1 * * 1-6"
-          s3:
-            bucket: "crunchy-postgres"
-            endpoint: "s3.hsn.dev"
-            region: "us-east-1"

.archive/kubernetes/media/immich/app/pushsecret.yaml

@@ -1,40 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/pushsecret_v1alpha1.json
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
-  name: immich
-spec:
-  refreshInterval: 1h
-  secretStoreRefs:
-    - name: onepassword-connect
-      kind: ClusterSecretStore
-  selector:
-    secret:
-      name: immich-pguser-immich
-  data:
-    - match:
-        secretKey: dbname
-        remoteRef:
-          remoteKey: immich
-          property: DATABASE_NAME
-    - match:
-        secretKey: host
-        remoteRef:
-          remoteKey: immich
-          property: DATABASE_HOST
-    - match:
-        secretKey: user
-        remoteRef:
-          remoteKey: immich
-          property: DATABASE_USER
-    - match:
-        secretKey: password
-        remoteRef:
-          remoteKey: immich
-          property: DATABASE_PASSWORD
-    - match:
-        secretKey: port
-        remoteRef:
-          remoteKey: immich
-          property: DATABASE_PORT

.archive/kubernetes/media/immich/app/resources/init.sql

@@ -1,4 +0,0 @@
-\c immich\\
-CREATE EXTENSION vector;
-CREATE EXTENSION cube;
-CREATE EXTENSION earthdistance;

.archive/kubernetes/media/immich/app/service.yaml

@@ -1,20 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    postgres-operator.crunchydata.com/cluster: immich
-    postgres-operator.crunchydata.com/role: primary
-  name: immich-primary-real
-  namespace: media
-spec:
-  internalTrafficPolicy: Cluster
-  ports:
-    - name: postgres
-      port: 5432
-      protocol: TCP
-      targetPort: postgres
-  selector:
-    postgres-operator.crunchydata.com/cluster: immich
-    postgres-operator.crunchydata.com/role: master
-  type: ClusterIP

.archive/kubernetes/media/kustomization.yaml

@@ -1,9 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  # Pre Flux-Kustomizations
-  - ./namespace.yaml
-  # Flux-Kustomizations
-  - ./immich/ks.yaml

.archive/kubernetes/observability/grafana/app/externalsecret.yaml

@@ -1,61 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: grafana-secret
-  namespace: observability
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: grafana-secret
-    creationPolicy: Owner
-    template:
-      engineVersion: v2
-      data:
-        GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .authentik_grafana_oauth_client_secret }}"
-        GF_DATE_FORMATS_USE_BROWSER_LOCALE: "true"
-        GF_SERVER_ROOT_URL: https://grafana.hsn.dev
-        GF_DATABASE_NAME: "{{ .grafana_GF_DATABASE_NAME }}"
-        GF_DATABASE_HOST: "postgres-primary-real.database.svc"
-        GF_DATABASE_USER: "{{ .grafana_GF_DATABASE_USER }}"
-        GF_DATABASE_PASSWORD: "{{ .grafana_GF_DATABASE_PASSWORD }}"
-        GF_DATABASE_SSL_MODE: "require"
-        GF_DATABASE_TYPE: postgres
-        GF_ANALYTICS_CHECK_FOR_UPDATES: "false"
-        GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES: "false"
-        GF_ANALYTICS_REPORTING_ENABLED: "false"
-        GF_AUTH_ANONYMOUS_ENABLED: "false"
-        GF_AUTH_BASIC_ENABLED: "false"
-        GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
-        GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.hsn.dev/application/o/userinfo/
-        GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.hsn.dev/application/o/authorize/
-        GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.hsn.dev/application/o/token/
-        GF_AUTH_GENERIC_OAUTH_CLIENT_ID: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M
-        GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES: "false"
-        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
-        GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email groups
-        GF_AUTH_OAUTH_AUTO_LOGIN: "true"
-        GF_EXPLORE_ENABLED: "true"
-        GF_FEATURE_TOGGLES_ENABLE: publicDashboards
-        GF_LOG_MODE: console
-        GF_NEWS_NEWS_FEED_ENABLED: "false"
-        GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel
-        GF_SECURITY_COOKIE_SAMESITE: grafana
-        GF_SECURITY_ANGULAR_SUPPORT_ENABLED: "true"
-
-  dataFrom:
-    - extract:
-        key: Authentik
-      rewrite:
-        - regexp:
-            source: "(.*)"
-            target: "authentik_$1"
-    - extract:
-        key: grafana
-      rewrite:
-        - regexp:
-            source: "(.*)"
-            target: "grafana_$1"

.archive/kubernetes/observability/grafana/app/helmrelease.yaml

@@ -1,401 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: grafana
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: grafana
-      version: 8.3.7
-      sourceRef:
-        kind: HelmRepository
-        name: grafana
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  dependsOn:
-    - name: kube-prometheus-stack
-      namespace: observability
-    - name: loki
-      namespace: observability
-  values:
-    replicas: 1
-    envFromSecret: grafana-secret
-    dashboardProviders:
-      dashboardproviders.yaml:
-        apiVersion: 1
-        providers:
-          - name: default
-            orgId: 1
-            folder: ""
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/default-folder
-          - name: ceph
-            orgId: 1
-            folder: Ceph
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/ceph-folder
-          - name: crunchy-postgres
-            orgId: 1
-            folder: Crunchy-postgres
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/crunchy-postgres-folder
-          - name: flux
-            orgId: 1
-            folder: Flux
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/flux-folder
-          - name: kubernetes
-            orgId: 1
-            folder: Kubernetes
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/kubernetes-folder
-          - name: nginx
-            orgId: 1
-            folder: Nginx
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/nginx-folder
-          - name: prometheus
-            orgId: 1
-            folder: Prometheus
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/prometheus-folder
-          - name: thanos
-            orgId: 1
-            folder: Thanos
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/thanos-folder
-          - name: unifi
-            orgId: 1
-            folder: Unifi
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/unifi-folder
-    datasources:
-      datasources.yaml:
-        apiVersion: 1
-        deleteDatasources:
-          - { name: Alertmanager, orgId: 1 }
-          - { name: Loki, orgId: 1 }
-          - { name: Prometheus, orgId: 1 }
-        datasources:
-          - name: Prometheus
-            type: prometheus
-            uid: prometheus
-            access: proxy
-            url: http://thanos-query-frontend.observability.svc.cluster.local:10902
-            jsonData:
-              prometheusType: Thanos
-              timeInterval: 1m
-            isDefault: true
-          - name: Loki
-            type: loki
-            uid: loki
-            access: proxy
-            url: http://loki-gateway.observability.svc.cluster.local
-            jsonData:
-              maxLines: 250
-          - name: Alertmanager
-            type: alertmanager
-            uid: alertmanager
-            access: proxy
-            url: http://alertmanager-operated.observability.svc.cluster.local:9093
-            jsonData:
-              implementation: prometheus
-    dashboards:
-      default:
-        cloudflared:
-          # renovate: depName="Cloudflare Tunnels (cloudflared)"
-          gnetId: 17457
-          revision: 6
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        external-dns:
-          # renovate: depName="External-dns"
-          gnetId: 15038
-          revision: 3
-          datasource: Prometheus
-        minio:
-          # renovate: depName="MinIO Dashboard"
-          gnetId: 13502
-          revision: 25
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        node-exporter-full:
-          # renovate: depName="Node Exporter Full"
-          gnetId: 1860
-          revision: 33
-          datasource: Prometheus
-        postgres:
-          # renovate: depName="PostgreSQL Database"
-          gnetId: 9628
-          revision: 7
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        smartctl-exporter:
-          # renovate: depName="smartctl_exporter"
-          gnetId: 20204
-          revision: 1
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        spegel:
-          # renovate: depName="Spegel"
-          gnetId: 18089
-          revision: 1
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        unpackerr:
-          # renovate: depName="Unpackerr"
-          gnetId: 18817
-          revision: 1
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        zfs:
-          # renovate: depName="ZFS"
-          gnetId: 7845
-          revision: 4
-          datasource: Prometheus
-        dragonflydb:
-          url: https://raw.githubusercontent.com/dragonflydb/dragonfly/main/tools/local/monitoring/grafana/provisioning/dashboards/dashboard.json
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        cert-manager:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
-          datasource: Prometheus
-        external-secrets:
-          url: https://raw.githubusercontent.com/external-secrets/external-secrets/main/docs/snippets/dashboard.json
-          datasource: Prometheus
-        node-feature-discovery:
-          url: https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/examples/grafana-dashboard.json
-          datasource: Prometheus
-      crunchy-postgres:
-        pgbackrest:
-          url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/pgbackrest.json
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        pods:
-          url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/pod_details.json
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        postgresql:
-          url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_details.json
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        postgresql-overview:
-          url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_overview.json
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        postgresql-health:
-          url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/postgresql_service_health.json
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        postgresql-alerts:
-          url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/prometheus_alerts.json
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        query-stats:
-          url: https://raw.githubusercontent.com/CrunchyData/pgmonitor/development/grafana/containers/query_statistics.json
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-      ceph:
-        ceph-cluster:
-          # renovate: depName="Ceph Cluster"
-          gnetId: 2842
-          revision: 17
-          datasource: Prometheus
-        ceph-osd:
-          # renovate: depName="Ceph - OSD (Single)"
-          gnetId: 5336
-          revision: 9
-          datasource: Prometheus
-        ceph-pools:
-          # renovate: depName="Ceph - Pools"
-          gnetId: 5342
-          revision: 9
-          datasource: Prometheus
-      flux:
-        flux-cluster:
-          url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/cluster.json
-          datasource: Prometheus
-        flux-control-plane:
-          url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/control-plane.json
-          datasource: Prometheus
-      kubernetes:
-        kubernetes-api-server:
-          # renovate: depName="Kubernetes / System / API Server"
-          gnetId: 15761
-          revision: 16
-          datasource: Prometheus
-        kubernetes-coredns:
-          # renovate: depName="Kubernetes / System / CoreDNS"
-          gnetId: 15762
-          revision: 17
-          datasource: Prometheus
-        kubernetes-global:
-          # renovate: depName="Kubernetes / Views / Global"
-          gnetId: 15757
-          revision: 37
-          datasource: Prometheus
-        kubernetes-namespaces:
-          # renovate: depName="Kubernetes / Views / Namespaces"
-          gnetId: 15758
-          revision: 34
-          datasource: Prometheus
-        kubernetes-nodes:
-          # renovate: depName="Kubernetes / Views / Nodes"
-          gnetId: 15759
-          revision: 29
-          datasource: Prometheus
-        kubernetes-pods:
-          # renovate: depName="Kubernetes / Views / Pods"
-          gNetId: 15760
-          revision: 21
-          datasource: Prometheus
-        kubernetes-volumes:
-          # renovate: depName="K8s / Storage / Volumes / Cluster"
-          gnetId: 11454
-          revision: 14
-          datasource: Prometheus
-      nginx:
-        nginx:
-          url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
-          datasource: Prometheus
-        nginx-request-handling-performance:
-          url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json
-          datasource: Prometheus
-      prometheus:
-        prometheus:
-          # renovate: depName="Prometheus"
-          gnetId: 19105
-          revision: 3
-          datasource: Prometheus
-      thanos:
-        thanos-bucket-replicate:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/bucket-replicate.json
-          datasource: Prometheus
-        thanos-compact:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/compact.json
-          datasource: Prometheus
-        thanos-overview:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/overview.json
-          datasource: Prometheus
-        thanos-query:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query.json
-          datasource: Prometheus
-        thanos-query-frontend:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query-frontend.json
-          datasource: Prometheus
-        thanos-receieve:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/receive.json
-          datasource: Prometheus
-        thanos-rule:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/rule.json
-          datasource: Prometheus
-        thanos-sidecar:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/sidecar.json
-          datasource: Prometheus
-        thanos-store:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/store.json
-          datasource: Prometheus
-      unifi:
-        unifi-insights:
-          # renovate: depName="UniFi-Poller: Client Insights - Prometheus"
-          gnetId: 11315
-          revision: 9
-          datasource: Prometheus
-        unifi-network-sites:
-          # renovate: depName="UniFi-Poller: Network Sites - Prometheus"
-          gnetId: 11311
-          revision: 5
-          datasource: Prometheus
-        unifi-uap:
-          # renovate: depName="UniFi-Poller: UAP Insights - Prometheus"
-          gnetId: 11314
-          revision: 10
-          datasource: Prometheus
-        unifi-usw:
-          # renovate: depName="UniFi-Poller: USW Insights - Prometheus"
-          gnetId: 11312
-          revision: 9
-          datasource: Prometheus
-    sidecar:
-      dashboards:
-        enabled: true
-        searchNamespace: ALL
-        labelValue: ""
-        label: grafana_dashboard
-        folderAnnotation: grafana_folder
-        provider:
-          disableDelete: true
-          foldersFromFilesStructure: true
-      datasources:
-        enabled: true
-        searchNamespace: ALL
-        labelValue: ""
-    plugins:
-      - grafana-clock-panel
-      - grafana-piechart-panel
-      - grafana-worldmap-panel
-      - natel-discrete-panel
-      - pr0ps-trackmap-panel
-      - vonage-status-panel
-    serviceMonitor:
-      enabled: true
-    ingress:
-      enabled: true
-      ingressClassName: external-nginx
-      annotations:
-        external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-        external-dns.alpha.kubernetes.io/target: external.hsn.dev
-      hosts:
-        - &host grafana.hsn.dev
-      tls:
-        - hosts:
-            - *host
-    persistence:
-      enabled: false
-    testFramework:
-      enabled: false
-    topologySpreadConstraints:
-      - maxSkew: 1
-        topologyKey: kubernetes.io/hostname
-        whenUnsatisfiable: DoNotSchedule
-        labelSelector:
-          matchLabels:
-            app.kubernetes.io/name: grafana

.archive/kubernetes/observability/kube-prometheus-stack/app/helmrelease.yaml

@@ -1,190 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: kube-prometheus-stack
-spec:
-  interval: 30m
-  timeout: 15m
-  chart:
-    spec:
-      chart: kube-prometheus-stack
-      version: 61.6.0
-      sourceRef:
-        kind: HelmRepository
-        name: prometheus-community
-        namespace: flux-system
-  install:
-    crds: CreateReplace
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    crds: CreateReplace
-    remediation:
-      strategy: rollback
-      retries: 3
-  values:
-    crds:
-      enabled: true
-    cleanPrometheusOperatorObjectNames: true
-    alertmanager:
-      ingress:
-        enabled: true
-        pathType: Prefix
-        ingressClassName: internal-nginx
-        hosts:
-          - &host alertmanager.jahanson.tech
-        tls:
-          - hosts:
-              - *host
-      alertmanagerSpec:
-        replicas: 1
-        useExistingSecret: true
-        configSecret: alertmanager-secret
-        storage:
-          volumeClaimTemplate:
-            spec:
-              storageClassName: openebs-hostpath
-              resources:
-                requests:
-                  storage: 1Gi
-    kubelet:
-      enabled: true
-      serviceMonitor:
-        metricRelabelings:
-          # Drop high cardinality labels
-          - action: labeldrop
-            regex: (uid)
-          - action: labeldrop
-            regex: (id|name)
-          - action: drop
-            sourceLabels: ["__name__"]
-            regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count)
-    kubeApiServer:
-      enabled: true
-      serviceMonitor:
-        metricRelabelings:
-          # Drop high cardinality labels
-          - action: drop
-            sourceLabels: ["__name__"]
-            regex: (apiserver|etcd|rest_client)_request(|_sli|_slo)_duration_seconds_bucket
-          - action: drop
-            sourceLabels: ["__name__"]
-            regex: (apiserver_response_sizes_bucket|apiserver_watch_events_sizes_bucket)
-    kubeControllerManager:
-      enabled: true
-      endpoints: &cp
-        - 10.1.1.61
-    kubeEtcd:
-      enabled: true
-      endpoints: *cp
-    kubeScheduler:
-      enabled: true
-      endpoints: *cp
-    kubeProxy:
-      enabled: false
-    prometheus:
-      ingress:
-        enabled: true
-        ingressClassName: internal-nginx
-        pathType: Prefix
-        hosts:
-          - &host prometheus.jahanson.tech
-        tls:
-          - hosts:
-              - *host
-      thanosService:
-        enabled: true
-      thanosServiceMonitor:
-        enabled: true
-      # thanosServiceExternal:
-      #   enabled: true
-      #   type: LoadBalancer
-      #   annotations:
-      #     external-dns.alpha.kubernetes.io/hostname: thanos.jahanson.tech
-      #     io.cilium/lb-ipam-ips: 10.45.0.6
-      #   externalTrafficPolicy: Cluster
-      prometheusSpec:
-        podMetadata:
-          annotations:
-            secret.reloader.stakater.com/reload: &secret thanos-objstore-config
-        replicas: 1
-        replicaExternalLabelName: __replica__
-        scrapeInterval: 1m # Must match interval in Grafana Helm chart
-        ruleSelectorNilUsesHelmValues: false
-        serviceMonitorSelectorNilUsesHelmValues: false
-        podMonitorSelectorNilUsesHelmValues: false
-        probeSelectorNilUsesHelmValues: false
-        scrapeConfigSelectorNilUsesHelmValues: false
-        enableAdminAPI: true
-        walCompression: true
-        enableFeatures:
-          - auto-gomemlimit
-          - memory-snapshot-on-shutdown
-          - new-service-discovery-manager
-        image:
-          registry: quay.io
-          repository: prometheus/prometheus
-          tag: v2.51.0-dedupelabels
-        thanos:
-          image: quay.io/thanos/thanos:${THANOS_VERSION}
-          version: "${THANOS_VERSION#v}"
-          objectStorageConfig:
-            existingSecret:
-              name: *secret
-              key: config
-        retention: 2d
-        retentionSize: 15GB
-        externalLabels:
-          cluster: main
-        storageSpec:
-          volumeClaimTemplate:
-            spec:
-              storageClassName: openebs-hostpath
-              resources:
-                requests:
-                  storage: 20Gi
-    nodeExporter:
-      enabled: true
-    prometheus-node-exporter:
-      fullnameOverride: node-exporter
-      prometheus:
-        monitor:
-          enabled: true
-          relabelings:
-            - action: replace
-              regex: (.*)
-              replacement: $1
-              sourceLabels:
-                - __meta_kubernetes_pod_node_name
-              targetLabel: kubernetes_node
-    kubeStateMetrics:
-      enabled: true
-    kube-state-metrics:
-      fullnameOverride: kube-state-metrics
-      metricLabelsAllowlist:
-        - pods=[*]
-        - deployments=[*]
-        - persistentvolumeclaims=[*]
-      prometheus:
-        monitor:
-          enabled: true
-          relabelings:
-            - action: replace
-              regex: (.*)
-              replacement: $1
-              sourceLabels:
-                - __meta_kubernetes_pod_node_name
-              targetLabel: kubernetes_node
-    grafana:
-      enabled: false
-      forceDeployDashboards: true
-      sidecar:
-        dashboards:
-          annotations:
-            grafana_folder: Kubernetes
-          multicluster:
-            etcd:
-              enabled: true

.archive/kubernetes/observability/kube-prometheus-stack/app/podmonitors/crunchy-postgres.yaml

@@ -1,34 +0,0 @@
-# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/podmonitor_v1.json
----
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: crunchy-postgres-exporter
-spec:
-  selector:
-    matchLabels:
-      postgres-operator.crunchydata.com/crunchy-postgres-exporter: 'true'
-  namespaceSelector:
-    matchNames:
-      - database
-      - media
-  podMetricsEndpoints:
-    - port: "exporter"
-      relabelings:
-        - sourceLabels: [__meta_kubernetes_pod_container_port_number]
-          action: keep
-          regex: "9187"
-        - sourceLabels: [__meta_kubernetes_namespace]
-          targetLabel: kubernetes_namespace
-        - sourceLabels: [__meta_kubernetes_pod_name]
-          targetLabel: pod
-        - sourceLabels: [__meta_kubernetes_namespace, __meta_kubernetes_pod_label_postgres_operator_crunchydata_com_cluster]
-          separator: ":"
-          targetLabel: pg_cluster
-          replacement: "$1$2"
-        - sourceLabels: [__meta_kubernetes_pod_ip]
-          targetLabel: ip
-        - sourceLabels: [__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_instance]
-          targetLabel: deployment
-        - sourceLabels: [__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_role]
-          targetLabel: role

.archive/kubernetes/observability/kube-prometheus-stack/app/prometheusrules/prometheusrule.yaml

@@ -1,37 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/prometheusrule_v1.json
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: miscellaneous-rules
-  labels:
-    prometheus: k8s
-    role: alert-rules
-spec:
-  groups:
-    - name: dockerhub
-      rules:
-        - alert: BootstrapRateLimitRisk
-          annotations:
-            summary: Kubernetes cluster at risk of being rate limited by dockerhub on bootstrap
-          expr: count(time() - container_last_seen{image=~"(docker.io).*",container!=""} < 30) > 100
-          for: 15m
-          labels:
-            severity: critical
-    - name: oom
-      rules:
-        - alert: OOMKilled
-          annotations:
-            summary: Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes.
-          expr: (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1
-          labels:
-            severity: critical
-    - name: zfs
-      rules:
-        - alert: ZfsUnexpectedPoolState
-          annotations:
-            summary: ZFS pool {{$labels.zpool}} on {{$labels.instance}} is in a unexpected state {{$labels.state}}
-          expr: node_zfs_zpool_state{state!="online"} > 0
-          for: 15m
-          labels:
-            severity: critical

.archive/kubernetes/observability/kube-prometheus-stack/app/resources/alertmanager.yaml

@@ -1,68 +0,0 @@
----
-global:
-  resolve_timeout: 5m
-route:
-  group_by: ["alertname", "job"]
-  group_interval: 10m
-  group_wait: 1m
-  receiver: pushover
-  repeat_interval: 12h
-  routes:
-    - receiver: heartbeat
-      group_interval: 5m
-      group_wait: 0s
-      matchers:
-        - alertname =~ "Watchdog"
-      repeat_interval: 5m
-    - receiver: "null"
-      matchers:
-        - alertname =~ "InfoInhibitor"
-    - receiver: pushover
-      continue: true
-      matchers:
-        - severity = "critical"
-inhibit_rules:
-  - equal: ["alertname", "namespace"]
-    source_matchers:
-      - severity = "critical"
-    target_matchers:
-      - severity = "warning"
-receivers:
-  - name: heartbeat
-    webhook_configs:
-      - send_resolved: true
-        url: "{{ .alertmanager_heartbeat_url }}"
-  - name: "null"
-  - name: pushover
-    pushover_configs:
-      - html: true
-        # Compooters are hard
-        message: |-
-          {{ "{{-" }} range .Alerts {{ "}}" }}
-            {{ "{{-" }} if ne .Annotations.description "" {{ "}}" }}
-              {{ "{{" }} .Annotations.description {{ "}}" }}
-            {{ "{{-" }} else if ne .Annotations.summary "" {{ "}}" }}
-              {{ "{{" }} .Annotations.summary {{ "}}" }}
-            {{ "{{-" }} else if ne .Annotations.message "" {{ "}}" }}
-              {{ "{{" }} .Annotations.message {{ "}}" }}
-            {{ "{{-" }} else {{ "}}" }}
-              Alert description not available
-            {{ "{{-" }} end {{ "}}" }}
-            {{ "{{-" }} if gt (len .Labels.SortedPairs) 0 {{ "}}" }}
-              <small>
-              {{ "{{-" }} range .Labels.SortedPairs {{ "}}" }}
-                <b>{{ "{{" }} .Name {{ "}}" }}:</b> {{ "{{" }} .Value {{ "}}" }}
-              {{ "{{-" }} end {{ "}}" }}
-              </small>
-            {{ "{{-" }} end {{ "}}" }}
-          {{ "{{-" }} end {{ "}}" }}
-        priority: |-
-          {{ "{{" }} if eq .Status "firing" {{ "}}" }}1{{ "{{" }} else {{ "}}" }}0{{ "{{" }} end {{ "}}" }}
-        send_resolved: true
-        sound: gamelan
-        title: >-
-          {{ "{{" }} .CommonLabels.alertname {{ "}}" }}
-          [{{ "{{" }} .Status | toUpper {{ "}}" }}{{ "{{" }} if eq .Status "firing" {{ "}}" }}:{{ "{{" }} .Alerts.Firing | len {{ "}}" }}{{ "{{" }} end {{ "}}" }}]
-        token: "{{ .alertmanager_token }}"
-        url_title: View in Alertmanager
-        user_key: "{{ .userkey_jahanson }}"

.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/kustomization.yaml

@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./node-exporter.yaml
-  - ./zfs-exporter.yaml

.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/node-exporter.yaml

@@ -1,11 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json
-apiVersion: monitoring.coreos.com/v1alpha1
-kind: ScrapeConfig
-metadata:
-  name: node-exporter
-spec:
-  staticConfigs:
-    - targets:
-        - 10.1.1.1:9100
-  metricsPath: /metrics

.archive/kubernetes/observability/kube-prometheus-stack/app/scrapeconfigs/zfs-exporter.yaml

@@ -1,11 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json
-apiVersion: monitoring.coreos.com/v1alpha1
-kind: ScrapeConfig
-metadata:
-  name: zfs-exporter
-spec:
-  staticConfigs:
-    - targets:
-        - 10.1.1.13:9134
-  metricsPath: /metrics

.archive/kubernetes/observability/kube-prometheus-stack/ks.yaml

@@ -1,29 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app kube-prometheus-stack
-  namespace: flux-system
-spec:
-  targetNamespace: observability
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: external-secrets-stores
-    - name: openebs
-    - name: volsync
-  path: ./kubernetes/apps/observability/kube-prometheus-stack/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: homelab
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 15m
-  postBuild:
-    substitute:
-      # renovate: datasource=docker depName=quay.io/thanos/thanos
-      THANOS_VERSION: v0.34.1

.archive/kubernetes/observability/loki/app/externalsecret.yaml

@@ -1,28 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: loki
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: loki-secret
-    creationPolicy: Owner
-    template:
-      engineVersion: v2
-      data:
-        S3_HOST: s3.hsn.dev
-        S3_BUCKET: "{{ .minio_thanos_bucket_name }}"
-        S3_ACCESS_KEY: "{{ .minio_loki_access_key }}"
-        S3_SECRET_KEY: "{{ .minio_loki_secret_key }}"
-        S3_REGION: us-east-1
-  dataFrom:
-    - extract:
-        key: minio
-      rewrite:
-        - regexp:
-            source: "(.*)"
-            target: "minio_$1"

.archive/kubernetes/observability/loki/app/helmrelease.yaml

@@ -1,138 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: loki
-spec:
-  interval: 30m
-  timeout: 15m
-  chart:
-    spec:
-      chart: loki
-      version: 6.7.3
-      sourceRef:
-        kind: HelmRepository
-        name: grafana
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      strategy: uninstall
-      retries: 3
-  valuesFrom:
-    - targetPath: loki.storage.bucketNames.chunks
-      kind: Secret
-      name: loki-secret
-      valuesKey: S3_BUCKET
-    - targetPath: loki.storage.s3.endpoint
-      kind: Secret
-      name: loki-secret
-      valuesKey: S3_HOST
-    - targetPath: loki.storage.s3.region
-      kind: Secret
-      name: loki-secret
-      valuesKey: S3_REGION
-    - targetPath: loki.storage.s3.accessKeyId
-      kind: Secret
-      name: loki-secret
-      valuesKey: S3_ACCESS_KEY
-    - targetPath: loki.storage.s3.secretAccessKey
-      kind: Secret
-      name: loki-secret
-      valuesKey: S3_SECRET_KEY
-  values:
-    deploymentMode: SimpleScalable
-    loki:
-      podAnnotations:
-        secret.reloader.stakater.com/reload: loki-secret
-      ingester:
-        chunk_encoding: snappy
-      storage:
-        type: s3
-        s3:
-          s3ForcePathStyle: true
-          insecure: true
-      schemaConfig:
-        configs:
-          - from: "2024-04-01"
-            store: tsdb
-            object_store: s3
-            schema: v13
-            index:
-              prefix: loki_index_
-              period: 24h
-      structuredConfig:
-        auth_enabled: false
-        server:
-          log_level: info
-          http_listen_port: 3100
-          grpc_listen_port: 9095
-          grpc_server_max_recv_msg_size: 8388608
-          grpc_server_max_send_msg_size: 8388608
-        limits_config:
-          ingestion_burst_size_mb: 128
-          ingestion_rate_mb: 64
-          max_query_parallelism: 100
-          per_stream_rate_limit: 64M
-          per_stream_rate_limit_burst: 128M
-          reject_old_samples: true
-          reject_old_samples_max_age: 168h
-          retention_period: 30d
-          shard_streams:
-            enabled: true
-          split_queries_by_interval: 1h
-        query_scheduler:
-          max_outstanding_requests_per_tenant: 4096
-        frontend:
-          max_outstanding_per_tenant: 4096
-        ruler:
-          enable_api: true
-          enable_alertmanager_v2: true
-          alertmanager_url: http://alertmanager-operated.observability.svc.cluster.local:9093
-          storage:
-            type: local
-            local:
-              directory: /rules
-          rule_path: /rules/fake
-        analytics:
-          reporting_enabled: false
-    backend:
-      replicas: 1
-      persistence:
-        size: 20Gi
-        storageClass: openebs-hostpath
-    gateway:
-      replicas: 1
-      image:
-        registry: ghcr.io
-      ingress:
-        enabled: true
-        ingressClassName: internal-nginx
-        hosts:
-          - host: &host loki.jahanson.tech
-            paths:
-              - path: /
-                pathType: Prefix
-        tls:
-          - hosts: [*host]
-    read:
-      replicas: 1
-    write:
-      replicas: 1
-      persistence:
-        size: 20Gi
-        storageClass: openebs-hostpath
-    sidecar:
-      image:
-        repository: ghcr.io/kiwigrid/k8s-sidecar
-      rules:
-        searchNamespace: ALL
-        folder: /rules/fake
-    lokiCanary:
-      enabled: false
-    test:
-      enabled: false

.archive/kubernetes/observability/thanos/app/externalsecret.yaml

@@ -1,28 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: thanos
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: thanos-secret
-    creationPolicy: Owner
-    template:
-      engineVersion: v2
-      data:
-        S3_HOST: s3.hsn.dev
-        S3_BUCKET: "{{ .minio_thanos_bucket_name }}"
-        S3_ACCESS_KEY: "{{ .minio_thanos_access_key }}"
-        S3_SECRET_KEY: "{{ .minio_thanos_secret_key }}"
-        S3_REGION: us-east-1
-  dataFrom:
-    - extract:
-        key: Minio
-      rewrite:
-        - regexp:
-            source: "(.*)"
-            target: "minio_$1"

.archive/kubernetes/observability/thanos/app/helmrelease.yaml

@@ -1,120 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: thanos
-spec:
-  interval: 30m
-  timeout: 15m
-  chart:
-    spec:
-      chart: thanos
-      version: 1.17.2
-      sourceRef:
-        kind: HelmRepository
-        name: stevehipwell
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      strategy: rollback
-      retries: 3
-  valuesFrom:
-    - targetPath: objstoreConfig.value.config.bucket
-      kind: Secret
-      name: thanos-secret
-      valuesKey: S3_BUCKET
-    - targetPath: objstoreConfig.value.config.endpoint
-      kind: Secret
-      name: thanos-secret
-      valuesKey: S3_HOST
-    - targetPath: objstoreConfig.value.config.region
-      kind: Secret
-      name: thanos-secret
-      valuesKey: S3_REGION
-    - targetPath: objstoreConfig.value.config.access_key
-      kind: Secret
-      name: thanos-secret
-      valuesKey: S3_ACCESS_KEY
-    - targetPath: objstoreConfig.value.config.secret_key
-      kind: Secret
-      name: thanos-secret
-      valuesKey: S3_SECRET_KEY
-  values:
-    objstoreConfig:
-      value:
-        type: s3
-        config:
-          insecure: false
-    additionalEndpoints:
-      - dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery.observability.svc.cluster.local
-    additionalReplicaLabels: ["__replica__"]
-    serviceMonitor:
-      enabled: true
-    compact:
-      enabled: true
-      extraArgs:
-        - --compact.concurrency=4
-        - --delete-delay=30m
-        - --retention.resolution-raw=14d
-        - --retention.resolution-5m=30d
-        - --retention.resolution-1h=60d
-      persistence: &persistence
-        enabled: true
-        storageClass: openebs-hostpath
-        size: 10Gi
-    query:
-      replicas: 1
-      extraArgs: ["--alert.query-url=https://thanos.jahanson.tech"]
-    queryFrontend:
-      enabled: true
-      replicas: 1
-      extraEnv: &extraEnv
-        - name: THANOS_CACHE_CONFIG
-          valueFrom:
-            configMapKeyRef:
-              name: &configMap thanos-cache-configmap
-              key: cache.yaml
-      extraArgs: ["--query-range.response-cache-config=$(THANOS_CACHE_CONFIG)"]
-      ingress:
-        enabled: true
-        ingressClassName: internal-nginx
-        hosts:
-          - &host thanos.jahanson.tech
-        tls:
-          - hosts: [*host]
-      podAnnotations: &podAnnotations
-        configmap.reloader.stakater.com/reload: *configMap
-    rule:
-      enabled: true
-      replicas: 1
-      extraArgs: ["--web.prefix-header=X-Forwarded-Prefix"]
-      alertmanagersConfig:
-        value: |-
-          alertmanagers:
-            - api_version: v2
-              static_configs:
-                - dnssrv+_http-web._tcp.alertmanager-operated.observability.svc.cluster.local
-      rules:
-        value: |-
-          groups:
-            - name: PrometheusWatcher
-              rules:
-                - alert: PrometheusDown
-                  annotations:
-                    summary: A Prometheus has disappeared from Prometheus target discovery
-                  expr: absent(up{job="kube-prometheus-stack-prometheus"})
-                  for: 5m
-                  labels:
-                    severity: critical
-      persistence: *persistence
-    storeGateway:
-      replicas: 1
-      extraEnv: *extraEnv
-      extraArgs: ["--index-cache.config=$(THANOS_CACHE_CONFIG)"]
-      persistence: *persistence
-      podAnnotations: *podAnnotations

.archive/kubernetes/observability/thanos/app/resources/cache.yml

@@ -1,5 +0,0 @@
----
-type: REDIS
-config:
-  addr: dragonfly.database.svc.cluster.local:6379
-  db: 1

.archive/kubernetes/observability/vector/app/agent/helmrelease.yaml

@@ -1,103 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: vector-agent
-spec:
-  interval: 30m
-  timeout: 15m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.3.0
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  dependsOn:
-    - name: vector-aggregator
-      namespace: observability
-  values:
-    controllers:
-      vector:
-        type: daemonset
-        strategy: RollingUpdate
-        annotations:
-          reloader.stakater.com/auto: "true"
-        containers:
-          app:
-            image:
-              repository: docker.io/timberio/vector
-              tag: 0.40.0-alpine@sha256:7a81fdd62e056321055a9e4bdec4073d752ecf68f4c192e676b85001721523c2
-            env:
-              PROCFS_ROOT: /host/proc
-              SYSFS_ROOT: /host/sys
-              VECTOR_SELF_NODE_NAME:
-                valueFrom:
-                  fieldRef:
-                    apiVersion: v1
-                    fieldPath: spec.nodeName
-              VECTOR_SELF_POD_NAME:
-                valueFrom:
-                  fieldRef:
-                    apiVersion: v1
-                    fieldPath: metadata.name
-              VECTOR_SELF_POD_NAMESPACE:
-                valueFrom:
-                  fieldRef:
-                    apiVersion: v1
-                    fieldPath: metadata.namespace
-            args: ["--config", "/etc/vector/vector.yaml"]
-            securityContext:
-              privileged: true
-    serviceAccount:
-      create: true
-      name: vector-agent
-    persistence:
-      config:
-        enabled: true
-        type: configMap
-        name: vector-agent-configmap
-        globalMounts:
-          - path: /etc/vector/vector.yaml
-            subPath: vector.yaml
-            readOnly: true
-      data:
-        type: emptyDir
-        globalMounts:
-          - path: /vector-data-dir
-      procfs:
-        type: hostPath
-        hostPath: /proc
-        hostPathType: Directory
-        globalMounts:
-          - path: /host/proc
-            readOnly: true
-      sysfs:
-        type: hostPath
-        hostPath: /sys
-        hostPathType: Directory
-        globalMounts:
-          - path: /host/sys
-            readOnly: true
-      var-lib:
-        type: hostPath
-        hostPath: /var/lib
-        hostPathType: Directory
-        globalMounts:
-          - readOnly: true
-      var-log:
-        type: hostPath
-        hostPath: /var/log
-        hostPathType: Directory
-        globalMounts:
-          - readOnly: true

.archive/kubernetes/observability/vector/app/agent/rbac.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: vector-agent
-rules:
-  - apiGroups: [""]
-    resources: ["namespaces", "nodes", "pods"]
-    verbs: ["list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: vector-agent
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: vector-agent
-subjects:
-  - kind: ServiceAccount
-    name: vector-agent
-    namespace: observability

.archive/kubernetes/observability/vector/app/aggregator/helmrelease.yaml

@@ -1,91 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: &app vector-aggregator
-spec:
-  interval: 30m
-  timeout: 15m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.3.0
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      vector-aggregator:
-        replicas: 1
-        strategy: RollingUpdate
-        annotations:
-          reloader.stakater.com/auto: "true"
-        initContainers:
-          init-geoip:
-            image:
-              repository: ghcr.io/maxmind/geoipupdate
-              tag: v7.0.1@sha256:80c57598a9ff552953e499cefc589cfe7b563d64262742ea42f2014251b557b0
-            env:
-              GEOIPUPDATE_EDITION_IDS: GeoLite2-City
-              GEOIPUPDATE_FREQUENCY: "0"
-              GEOIPUPDATE_VERBOSE: "1"
-            envFrom:
-              - secretRef:
-                  name: vector-aggregator-secret
-        containers:
-          app:
-            image:
-              repository: docker.io/timberio/vector
-              tag: 0.40.0-alpine@sha256:7a81fdd62e056321055a9e4bdec4073d752ecf68f4c192e676b85001721523c2
-            args: ["--config", "/etc/vector/vector.yaml"]
-        pod:
-          topologySpreadConstraints:
-            - maxSkew: 1
-              topologyKey: kubernetes.io/hostname
-              whenUnsatisfiable: DoNotSchedule
-              labelSelector:
-                matchLabels:
-                  app.kubernetes.io/name: *app
-    service:
-      app:
-        controller: vector-aggregator
-        type: LoadBalancer
-        annotations:
-          external-dns.alpha.kubernetes.io/hostname: vector.jahanson.tech
-          io.cilium/lb-ipam-ips: 10.1.1.33
-        ports:
-          http:
-            port: 8686
-          journald:
-            port: 6000
-          kubernetes:
-            port: 6010
-          vyos:
-            port: 6020
-    persistence:
-      config:
-        enabled: true
-        type: configMap
-        name: vector-aggregator-configmap
-        globalMounts:
-          - path: /etc/vector/vector.yaml
-            subPath: vector.yaml
-            readOnly: true
-      data:
-        type: emptyDir
-        globalMounts:
-          - path: /vector-data-dir
-      geoip:
-        type: emptyDir
-        globalMounts:
-          - path: /usr/share/GeoIP

.archive/kubernetes/observability/vector/app/aggregator/resources/vector.yaml

@@ -1,132 +0,0 @@
----
-data_dir: /vector-data-dir
-api:
-  enabled: true
-  address: 0.0.0.0:8686
-
-enrichment_tables:
-  geoip_table:
-    type: geoip
-    path: /usr/share/GeoIP/GeoLite2-City.mmdb
-
-#
-# Sources
-#
-
-sources:
-  journald_source:
-    type: vector
-    version: "2"
-    address: 0.0.0.0:6000
-
-  kubernetes_source:
-    type: vector
-    version: "2"
-    address: 0.0.0.0:6010
-
-  vyos_source:
-    type: syslog
-    address: 0.0.0.0:6020
-    mode: tcp
-
-#
-# Transforms
-#
-
-transforms:
-  kubernetes_remap:
-    type: remap
-    inputs: ["kubernetes_source"]
-    source: |
-      # Standardize 'app' index
-      .custom_app_name = .pod_labels."app.kubernetes.io/name" || .pod_labels.app || .pod_labels."k8s-app" || "unknown"
-      # Drop pod_labels
-      del(.pod_labels)
-
-  # [63950.153039] [wan-local-default-D]IN=eth4 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=60610 PROTO=TCP SPT=53451 DPT=2002 WINDOW=1024 RES=0x00 SYN URGP=0
-  vyos_firewall_route:
-    type: route
-    inputs: ["vyos_source"]
-    route:
-      firewall: |
-        .facility == "kern" && match!(.message, r'^\[(.*?)\].(.*)')
-
-  vyos_firewall_remap:
-    type: remap
-    inputs: ["vyos_firewall_route.firewall"]
-    source: |
-      # Parse firewall rule message
-      split_message, split_err = parse_regex(.message, r'^\[.*\].\[(?P<rule>.*?)\](?P<fields>.*)')
-      if split_err != null {
-          abort
-      }
-      # Extract separate fields from message
-      split_message.fields, split_err = strip_whitespace(split_message.fields)
-      if split_err != null {
-          abort
-      }
-      .message, parse_err = parse_key_value(split_message.fields, whitespace: "strict")
-      if parse_err != null {
-          abort
-      }
-      # Add more information about the triggered rule
-      .message.RULE, parse_err = parse_regex(split_message.rule, r'^ipv4-(?P<from_zone>\w+)-(?P<to_zone>\w+)-(?P<id>\w+)-(?P<action>\w+)$')
-      if parse_err != null {
-          abort
-      }
-
-  vyos_firewall_wan_route:
-    type: route
-    inputs: ["vyos_firewall_remap"]
-    route:
-      from_wan: .message.RULE.from_zone == "wan"
-
-  vyos_firewall_geoip_remap:
-    type: remap
-    inputs: ["vyos_firewall_wan_route.from_wan"]
-    source: |
-      .geoip = get_enrichment_table_record!(
-          "geoip_table", {
-              "ip": .message.SRC
-          }
-      )
-
-#
-# Sinks
-#
-
-sinks:
-  journald:
-    inputs: ["journald_source"]
-    type: loki
-    endpoint: http://loki-gateway.observability.svc.cluster.local
-    encoding: { codec: json }
-    out_of_order_action: accept
-    remove_label_fields: true
-    remove_timestamp: true
-    labels:
-      hostname: '{{ host }}'
-
-  kubernetes:
-    inputs: ["kubernetes_remap"]
-    type: loki
-    endpoint: http://loki-gateway.observability.svc.cluster.local
-    encoding: { codec: json }
-    out_of_order_action: accept
-    remove_label_fields: true
-    remove_timestamp: true
-    labels:
-      app: '{{ custom_app_name }}'
-      namespace: '{{ kubernetes.pod_namespace }}'
-      node: '{{ kubernetes.pod_node_name }}'
-
-  vyos:
-    inputs: ["vyos_source", "vyos_firewall_geoip_remap"]
-    type: loki
-    endpoint: http://loki-gateway.observability.svc.cluster.local
-    encoding: { codec: json }
-    out_of_order_action: accept
-    remove_label_fields: true
-    remove_timestamp: true
-    labels:
-      hostname: '{{ host }}'

.archive/kubernetes/openebs-system/kustomization.yaml

@@ -1,9 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  # Pre Flux-Kustomizations
-  - ./namespace.yaml
-  # Flux-Kustomizations
-  - ./openebs/ks.yaml

.archive/kubernetes/openebs-system/namespace.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: openebs-system
-  annotations:
-    kustomize.toolkit.fluxcd.io/prune: disabled
-    volsync.backube/privileged-movers: "true"

.archive/kubernetes/openebs-system/openebs/cluster/kustomization.yaml

@@ -1,7 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./storageclass.yaml
-  - ./volumesnapshotclass.yaml

.archive/kubernetes/openebs-system/openebs/cluster/storageclass.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: openebs-zfs
-  annotations:
-    storageclass.kubevirt.io/is-default-virt-class: "true"
-    storageclass.kubernetes.io/is-default-class: "true"
-provisioner: zfs.csi.openebs.io
-parameters:
-  recordsize: "128k"
-  compression: "off"
-  dedup: "off"
-  fstype: "zfs"
-  poolname: "nahar"
-allowVolumeExpansion: true

.archive/kubernetes/openebs-system/openebs/cluster/volumesnapshotclass.yaml

@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/snapshot.storage.k8s.io/volumesnapshotclass_v1.json
-kind: VolumeSnapshotClass
-apiVersion: snapshot.storage.k8s.io/v1
-metadata:
-  name: openebs-zfs
-  annotations:
-    snapshot.storage.kubernetes.io/is-default-class: "true"
-driver: zfs.csi.openebs.io
-deletionPolicy: Delete

.archive/kubernetes/rook-ceph/rook-ceph/app/rook-ceph-dashboard-password.secret.sops.yaml

@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: rook-ceph-dashboard-password
-stringData:
-    password: ENC[AES256_GCM,data:WWTt7SN6ssndLahsOA1gujEeGAM=,iv:YbHGNN+11wA/MLq9vFVM6v4mhPO58JmwXBDj0Qs7+Wk=,tag:5Xn0tqpiIiEt8ZWZHRTM3w==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzb2ZpaDd0azNHNTJoUTB6
-            VVpKbm94ZEprSHplb2UrQnkzTzdGUEFjcGxBCnhxR1BwNmFIOExtMW5GRkVJWTl5
-            blQzSmZ0Tm5CWTk3N25nUUM0dFpKUTQKLS0tIEgwSHNlVXNRdHZvcE10VzExU0hE
-            L0dGK1lFd0ZSQ0lTcEdMNTBkSDJ6WWsKQuiJmRSLbvmgenlu4F2/CQYCCbZTtS/K
-            nz7NsY2om+mWMvPSvLAp1pOHDAdFW79ggQAiCyslDi9iOkaD8MOnxQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-16T23:22:39Z"
-    mac: ENC[AES256_GCM,data:djsWoz/MuUhEKsM03+iaGV/dZUjRAGkiBEz4hROi+rfNWeHLJG2/xXPSKYYgT3h7JOZGh2Gnz7NXiB7TuixlWrAfT2BUBzd+2o9/hzg3xQzLAjApSfZdyap6oafatKxZAR/JHBSw7s0saVNnop9d/DZK4c1Fb1qNKoTrnWqqrF8=,iv:oitjHdZl07CaoBtNtX/sOPLHu7AS/R4YE4TKBJKrUBw=,tag:Br8mBH+mATEwsLzSZmoVYg==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.8.1

.archive/system-upgrade/kustomization.yaml

@@ -6,4 +6,4 @@ resources:
   # Pre Flux-Kustomizations
   - ./namespace.yaml
   # Flux-Kustomizations
-  - ./democratic-csi/ks.yaml
+  - ./system-upgrade-controller/ks.yaml

.archive/system-upgrade/namespace.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system-upgrade
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    volsync.backube/privileged-movers: "true"
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: alert-manager
+  namespace: system-upgrade
+spec:
+  type: alertmanager
+  address: http://alertmanager.observability.svc.cluster.local:9093/api/v2/alerts/
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: alert-manager
+  namespace: system-upgrade
+spec:
+  providerRef:
+    name: alert-manager
+  eventSeverity: error
+  eventSources:
+    - kind: HelmRelease
+      name: "*"
+  exclusionList:
+    - "error.*lookup github\\.com"
+    - "error.*lookup raw\\.githubusercontent\\.com"
+    - "dial.*tcp.*timeout"
+    - "waiting.*socket"
+  suspend: false

.archive/system-upgrade/system-upgrade-controller/app/helmrelease.yaml

@@ -0,0 +1,101 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app system-upgrade-controller
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      system-upgrade-controller:
+        strategy: RollingUpdate
+        containers:
+          app:
+            image:
+              repository: docker.io/rancher/system-upgrade-controller
+              tag: v0.14.2@sha256:3cdbfdd90f814702cefb832fc4bdb09ea93865a4d06c6bafd019d1dc6a9f34c9
+            env:
+              SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
+              SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
+              SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900
+              SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99
+              SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
+              SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1
+              SYSTEM_UPGRADE_JOB_POD_REPLACEMENT_POLICY: Failed
+              SYSTEM_UPGRADE_JOB_PRIVILEGED: true
+              SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900
+              SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
+              SYSTEM_UPGRADE_CONTROLLER_NAME: *app
+              SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
+                valueFrom:
+                  fieldRef:
+                    fieldPath: metadata.namespace
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+              seccompProfile:
+                type: RuntimeDefault
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile: { type: RuntimeDefault }
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: Exists
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+          effect: NoSchedule
+    serviceAccount:
+      create: true
+      name: system-upgrade
+    persistence:
+      tmp:
+        type: emptyDir
+      etc-ssl:
+        type: hostPath
+        hostPath: /etc/ssl
+        hostPathType: DirectoryOrCreate
+        globalMounts:
+          - readOnly: true
+      etc-pki:
+        type: hostPath
+        hostPath: /etc/pki
+        hostPathType: DirectoryOrCreate
+        globalMounts:
+          - readOnly: true
+      etc-ca-certificates:
+        type: hostPath
+        hostPath: /etc/ca-certificates
+        hostPathType: DirectoryOrCreate
+        globalMounts:
+          - readOnly: true

.archive/system-upgrade/system-upgrade-controller/app/kustomization.yaml

@@ -3,5 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./agent
-  - ./aggregator
+  - helmrelease.yaml
+  - rbac.yaml

.archive/system-upgrade/system-upgrade-controller/app/rbac.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: system-upgrade
+    namespace: system-upgrade
+---
+apiVersion: talos.dev/v1alpha1
+kind: ServiceAccount
+metadata:
+  name: talos
+spec:
+  roles:
+    - os:admin

.archive/system-upgrade/system-upgrade-controller/ks.yaml

@@ -0,0 +1,50 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app system-upgrade-controller
+  namespace: flux-system
+spec:
+  targetNamespace: system-upgrade
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: node-feature-discovery-rules
+  path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: true
+  interval: 30m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app system-upgrade-controller-plans
+  namespace: flux-system
+spec:
+  targetNamespace: system-upgrade
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: system-upgrade-controller
+  path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/plans
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: false
+  interval: 30m
+  timeout: 5m
+  postBuild:
+    substitute:
+      # renovate: datasource=docker depName=ghcr.io/siderolabs/installer
+      TALOS_VERSION: v1.8.2
+      # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
+      KUBERNETES_VERSION: v1.30.2

.archive/system-upgrade/system-upgrade-controller/plans/kubernetes.yaml

@@ -0,0 +1,45 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: kubernetes
+spec:
+  version: ${KUBERNETES_VERSION}
+  serviceAccountName: system-upgrade
+  secrets:
+    - name: talos
+      path: /var/run/secrets/talos.dev
+      ignoreUpdates: true
+  concurrency: 1
+  exclusive: true
+  nodeSelector:
+    matchExpressions:
+      - key: feature.node.kubernetes.io/system-os_release.ID
+        operator: In
+        values: ["talos"]
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+  tolerations:
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - key: node-role.kubernetes.io/control-plane
+      operator: Exists
+      effect: NoSchedule
+  prepare: &prepare
+    image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
+    envs:
+      - name: NODE_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.hostIP
+    args:
+      - --nodes=$(NODE_IP)
+      - health
+      - --server=false
+  upgrade:
+    <<: *prepare
+    args:
+      - --nodes=$(NODE_IP)
+      - upgrade-k8s
+      - --to=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)

.archive/system-upgrade/system-upgrade-controller/plans/kustomization.yaml

@@ -3,4 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./prometheusrule.yaml
+  - ./kubernetes.yaml
+  - ./talos.yaml

.archive/system-upgrade/system-upgrade-controller/plans/talos.yaml

@@ -0,0 +1,51 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: talos
+spec:
+  version: ${TALOS_VERSION}
+  serviceAccountName: system-upgrade
+  secrets:
+    - name: talos
+      path: /var/run/secrets/talos.dev
+      ignoreUpdates: true
+  concurrency: 1
+  exclusive: true
+  nodeSelector:
+    matchExpressions:
+      - key: feature.node.kubernetes.io/system-os_release.ID
+        operator: In
+        values: ["talos"]
+      - key: feature.node.kubernetes.io/system-os_release.VERSION_ID
+        operator: NotIn
+        values: ["${TALOS_VERSION}"]
+  tolerations:
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - key: node-role.kubernetes.io/control-plane
+      operator: Exists
+      effect: NoSchedule
+  prepare: &prepare
+    image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
+    envs:
+      - name: NODE_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.hostIP
+      - name: TALOS_SCHEMATIC_ID
+        valueFrom:
+          fieldRef:
+            fieldPath: metadata.annotations['extensions.talos.dev/schematic']
+    args:
+      - --nodes=$(NODE_IP)
+      - health
+      - --server=false
+  upgrade:
+    <<: *prepare
+    args:
+      - --nodes=$(NODE_IP)
+      - upgrade
+      - --image=factory.talos.dev/installer/$(TALOS_SCHEMATIC_ID):$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
+      - --wait=false

.archive/vault/app/externalsecret.yaml

@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault
+  namespace: security
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: vault-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        key: vault
+        property: AWS_SECRET_ACCESS_KEY
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        key: vault
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: VAULT_AWSKMS_SEAL_KEY_ID
+      remoteRef:
+        key: vault
+        property: VAULT_AWSKMS_SEAL_KEY_ID

.archive/vault/app/helmrelease.yaml

@@ -0,0 +1,141 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vault
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: vault
+      version: 0.28.1
+      sourceRef:
+        kind: HelmRepository
+        name: hashicorp
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      strategy: uninstall
+  values:
+    server:
+      image:
+        repository: public.ecr.aws/hashicorp/vault
+        tag: "1.17.5"
+      logLevel: "info"
+      logFormat: "json"
+      ingress:
+        enabled: true
+        ingressClassName: internal-nginx
+        hosts:
+          - host: &host "vault.jahanson.tech"
+            paths: []
+        tls:
+          - hosts:
+              - *host
+      service:
+        type: "ClusterIP"
+        port: &port 8200
+        targetPort: *port
+      # off until it's online for the first time
+      readinessProbe:
+        enabled: true
+        path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
+      livenessProbe:
+        enabled: true
+        path: "/v1/sys/health?standbyok=true"
+        initialDelaySeconds: 60
+        # If you need to use a http path instead of the default exec
+        # path: /v1/sys/health?standbyok=true
+        # Port number on which readinessProbe will be checked.
+        port: *port
+      extraEnvironmentVars:
+        # This is required because they will lose their values when the pod is upgraded in my experience.
+        # Probably a Flux thing.
+        VAULT_CLUSTER_ADDR: http://$(HOSTNAME).vault-internal:8201
+      extraSecretEnvironmentVars:
+        - envName: AWS_SECRET_ACCESS_KEY
+          secretName: vault-secret
+          secretKey: AWS_SECRET_ACCESS_KEY
+        - envName: AWS_ACCESS_KEY_ID
+          secretName: vault-secret
+          secretKey: AWS_ACCESS_KEY_ID
+        - envName: VAULT_AWSKMS_SEAL_KEY_ID
+          secretName: vault-secret
+          secretKey: VAULT_AWSKMS_SEAL_KEY_ID
+      # These are defaults but explicitly set here for clarity.
+      dataStorage:
+        size: 4Gi
+        mountPath: /vault/data
+        storageClass: ceph-block
+      auditStorage:
+        enabled: true
+        size: 10Gi
+        mountPath: /vault/audit
+        storageClass: ceph-block
+      # We want high availability. If standalone is true it sets the storage backend to file
+      # and the max replicas can only be 1.
+      standalone:
+        enabled: false
+      ha:
+        enabled: true
+        # maxUnavailable will default to (n/2)-1 where n is the number of replicas
+        # so if you have 6 replicas, maxUnavailable will be 2 unless you set it specifically.
+        replicas: 3
+        config: ""
+        raft:
+          enabled: true
+          config: |
+            ui = true
+
+            listener "tcp" {
+              tls_disable = 1
+              address = "[::]:8200"
+              cluster_address = "[::]:8201"
+              # For prometheus!
+              telemetry {
+                unauthenticated_metrics_access = "true"
+              }
+            }
+
+            storage "raft" {
+              path = "/vault/data"
+                retry_join {
+                  auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault,component=server\" namespace=\"security\""
+                  auto_join_scheme = "http"
+                }
+            }
+
+            seal "awskms" {
+              region = "us-east-2"
+            }
+
+            service_registration "kubernetes" {}
+      statefulSet:
+        securityContext:
+          pod:
+            runAsUser: 568
+            runAsGroup: 568
+            runAsNonRoot: true
+            fsGroup: 568
+            fsGroupChangePolicy: OnRootMismatch
+            supplementalGroups: [10000]
+          container:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              drop:
+                - "ALL"
+    ui:
+      enabled: true
+      publishNotReadyAddresses: true
+      # The service should only contain selectors for active Vault pod
+      activeVaultPodOnly: true
+      serviceType: "LoadBalancer"
+      externalPort: *port
+      targetPort: *port

.archive/vault/app/kustomization.yaml

@@ -2,10 +2,7 @@
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: security
 resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ./pvc.yaml
-
-generatorOptions:
-  disableNameSuffixHash: true

.archive/vault/ks.yaml

@@ -3,17 +3,18 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &appname thelounge
+  name: &app vault
   namespace: flux-system
 spec:
-  targetNamespace: default
   commonMetadata:
     labels:
-      app.kubernetes.io/name: *appname
-  interval: 10m
-  path: "./kubernetes/apps/default/thelounge/app"
+      app.kubernetes.io/name: *app
+  interval: 1m
+  path: "./kubernetes/apps/security/vault/app"
   prune: true
   sourceRef:
     kind: GitRepository
-    name: homelab
+    name: theshire
   wait: false
+  dependsOn:
+    - name: rook-ceph-cluster

.envrc

@@ -2,6 +2,12 @@
 export KUBECONFIG="$(expand_path ./kubeconfig)"
 export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
 export TALOSCONFIG="$(expand_path ./kubernetes/bootstrap/talos/clusterconfig/talosconfig)"
-export KREW_ROOT="$(expand_path ~/.krew/bin)";
+export KREW_ROOT="$(expand_path ~/.krew/bin)"
+export CLUSTER="theshire"
+export KUBERNETES_DIR="$(expand_path ./kubernetes)"
+#export MQTTUI_BROKER="mqtt://10.1.1.38"
+#export MQTTUI_BROKER=$(op item get "emqx [jahanson]" --fields broker)
+#export MQTTUI_USERNAME=$(op item get "emqx [jahanson]" --fields username)
+#export MQTTUI_PASSWORD=$(op item get "emqx [jahanson]" --fields mqtt-password)
 PATH_add $KREW_ROOT
 use nix

.forgejo/workflows/schemas.yaml

@@ -1,6 +1,6 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-name: "Schemas"
+name: "K8S json Schemas --> Cloudflare R2"
 
 on:
   workflow_dispatch:
@@ -53,7 +53,7 @@ jobs:
         with:
           encodedString: "${{ secrets.MCCONFIG }}"
           fileName: config.json
-          fileDir: $HOME/.mc
+          fileDir: ${{ env.GITHUB_WORKSPACE }}
 
       - name: Extracting CRDs to yaml and converting to JSON schema
         env:
@@ -130,6 +130,9 @@ jobs:
           rm -rf $TMP_CRD_DIR
 
       - name: Deploy to Cloudflare R2
+        env:
+          MC_CONFIG_DIR: "${{ steps.mcconfig.outputs.fileDir }}"
           shell: bash
         run: |
+          echo $GITHUB_WORKSPACE/crdSchemas/
           mc cp --recursive $GITHUB_WORKSPACE/crdSchemas/ r2-ks/kubernetes-schema

.gitignore

@@ -1,21 +1,29 @@
+# OS generated files
 .DS_Store
 Thumbs.db
+
+# Development environments
 .direnv
-.private/
+.idea/
 .venv/
+.pytest_cache/
+
+# Infrastructure and deployment
 .terraform
-.direnv
 *.tfvars
+kubeconfig*
+*talosconfig.yaml
+omniconfig.yaml
+
+# Security and credentials
+.private/
 .decrypted~*
 *.agekey
 *.pub
 *.key
 *.pem
-kubeconfig*
-*talosconfig.yaml
-omniconfig.yaml
+*.secrets
 config.xml
-.idea/
-.env
-.secrets
-.github
+
+# syncthing
+**/*sync-conflict*

.krmignore

@@ -0,0 +1,4 @@
+.archive
+.forgejo
+.git
+.taskfiles