add shoko server

.archive/default/matter-server/app/gatus.yaml

@@ -1,21 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: matter-server-gatus-ep
-  labels:
-    gatus.io/enabled: "true"
-data:
-  config.yaml: |
-    endpoints:
-      - name: matter-server
-        group: infrastructure
-        url: ws://matter-server.default.svc.cluster.local:5580
-        interval: 1m
-        ui:
-          hide-url: true
-          hide-hostname: true
-        conditions:
-          - "[CONNECTED] == true"
-        alerts:
-          - type: pushover

.archive/default/matter-server/app/helmrelease.yaml

@@ -1,79 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: &app matter-server
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.5.1
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      matter-server:
-        annotations:
-          reloader.stakater.com/auto: "true"
-        containers:
-          app:
-            image:
-              repository: ghcr.io/home-assistant-libs/python-matter-server
-              tag: 6.6.1
-              pullPolicy: IfNotPresent
-            env:
-              TZ: "America/Chicago"
-              MATTER_SERVER__INSTANCE_NAME: *app
-              MATTER_SERVER__PORT: &port 5580
-              MATTER_SERVER__APPLICATION_URL: &host matter.jahanson.tech
-              MATTER_SERVER__LOG_LEVEL: debug
-            resources:
-              requests:
-                memory: "100Mi"
-              limits:
-                memory: "300Mi"
-    defaultPodOptions:
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 568
-        runAsGroup: 568
-        fsGroup: 568
-        fsGroupChangePolicy: OnRootMismatch
-        seccompProfile: { type: RuntimeDefault }
-    service:
-      app:
-        controller: matter-server
-        type: LoadBalancer
-        annotations:
-          external-dns.alpha.kubernetes.io/hostname: *host
-        ports:
-          http:
-            port: *port
-    ingress:
-      app:
-        className: internal-nginx
-        hosts:
-          - host: *host
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: *port
-        tls:
-          - hosts:
-              - *host
-    persistence:
-      data:
-        existingClaim: *app

.archive/default/plex/ks.yaml

@@ -1,55 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app plex
-  namespace: flux-system
-spec:
-  targetNamespace: default
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/default/plex/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: theshire
-  wait: true
-  dependsOn:
-    - name: rook-ceph-cluster
-    - name: volsync
-    - name: external-secrets-stores
-  interval: 30m
-  timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app
-      GATUS_PATH: /web/index.html
-      VOLSYNC_CAPACITY: 30Gi
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app kometa-image-maid
-  namespace: flux-system
-spec:
-  targetNamespace: default
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  interval: 30m
-  timeout: 5m
-  path: "./kubernetes/apps/default/plex/kometa-image-maid"
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: theshire
-  wait: false
-  dependsOn:
-    - name: external-secrets-stores
-    - name: plex
-  postBuild:
-    substitute:
-      APP: *app

.archive/default/pterodactyl/app/externalsecret.yaml

@@ -1,30 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: pterodactyl
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: pterodactyl-secret
-    template:
-      engineVersion: v2
-      data:
-        APP_SERVICE_AUTHOR: "{{ .PTERODACTYL_APP_EMAIL }}"
-        APP_URL: "https://pt.hsn.dev"
-        DB_DATABASE: "pterodactyl"
-        DB_HOST: "mariadb.database.svc.cluster.local"
-        DB_PASSWORD: "{{ .PTERODACTYL_MARIADB_PANEL_PASSWORD }}"
-        DB_USERNAME: "pterodactyl"
-        REDIS_HOST: "dragonfly.database.svc.cluster.local"
-
-  dataFrom:
-    - extract:
-        key: pterodactyl
-      rewrite:
-        - regexp:
-            source: "(.*)"
-            target: "PTERODACTYL_$1"

.archive/default/pterodactyl/app/helmrelease.yaml

@@ -1,101 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: &app pterodactyl
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.6.0
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-      strategy: rollback
-  values:
-    controllers:
-      pterodactyl:
-        annotations:
-          reloader.stakater.com/auto: "true"
-        containers:
-          app:
-            image:
-              repository: ghcr.io/pterodactyl/panel
-              tag: v1.11.10@sha256:6c9d060396c0a2c273aa5573460ed51f9176016dac59608b414a3cb02b0cc30c
-            env:
-              CACHE_DRIVER: "redis"
-              SESSION_DRIVER: "redis"
-              QUEUE_DRIVER: "redis"
-              APP_ENV: "production"
-              APP_ENVIRONMENT_ONLY: "false"
-              APP_TIMEZONE: America/Chicago
-              TRUSTED_PROXIES: "*"
-              TZ: America/Chicago
-            envFrom:
-              - secretRef:
-                  name: pterodactyl-secret
-            securityContext:
-              allowPrivilegeEscalation: false
-              readOnlyRootFilesystem: true
-              capabilities: { drop: ["ALL"] }
-            resources:
-              requests:
-                cpu: 10m
-              limits:
-                memory: 1Gi
-        pod:
-          securityContext:
-            runAsUser: 568
-            runAsGroup: 568
-            runAsNonRoot: true
-            fsGroup: 568
-            fsGroupChangePolicy: OnRootMismatch
-    service:
-      app:
-        controller: pterodactyl
-        ports:
-          http:
-            port: 80
-    ingress:
-      app:
-        enabled: true
-        className: external-nginx
-        annotations:
-          external-dns.alpha.kubernetes.io/target: external.hsn.dev
-          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-        hosts:
-          - host: &host "pt.hsn.dev"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
-    persistence:
-      config:
-        existingClaim: *app
-        advancedMounts:
-          pterodactyl:
-            app:
-              - subPath: "config"
-                path: "/app/var"
-              - subPath: "nginx"
-                path: "/etc/nginx/http.d"
-              - subPath: "applogs"
-                path: "/app/storage/logs"
-              - subPath: "syslogs"
-                path: "/var/log"
-              - subPath: "letsencrypt"
-                path: "/etc/letsencrypt"

.archive/default/pterodactyl/app/kustomization.yaml

@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ../../../../templates/volsync
-  # - ../../../../templates/gatus/external
-  - ./externalsecret.yaml
-  # - ./helmrelease.yaml
-  - ./mariadb.yaml

.archive/default/pterodactyl/app/mariadb.yaml

@@ -1,46 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/database_v1alpha1.json
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Database
-metadata:
-  name: pterodactyl
-spec:
-  mariaDbRef:
-    name: mariadb
-    namespace: database
-  characterSet: utf8
-  collate: utf8_general_ci
----
-# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/user_v1alpha1.json
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: User
-metadata:
-  name: pterodactyl
-spec:
-  mariaDbRef:
-    name: mariadb
-    namespace: database
-  passwordSecretKeyRef:
-    name: pterodactyl-secret
-    key: DB_PASSWORD
-  maxUserConnections: 20
-  host: "%"
-  cleanupPolicy: Delete
-
----
-# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/grant_v1alpha1.json
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Grant
-metadata:
-  name: grant-pterodactyl
-spec:
-  mariaDbRef:
-    name: mariadb
-    namespace: database
-  privileges:
-    - ALL PRIVILEGES
-  database: "pterodactyl"
-  table: "*"
-  username: pterodactyl
-  grantOption: true
-  host: "%"

.archive/default/pterodactyl/ks.yaml

@@ -1,31 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app pterodactyl
-  namespace: flux-system
-spec:
-  targetNamespace: default
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: external-secrets
-    - name: dragonfly-cluster
-    - name: mariadb-cluster
-    - name: rook-ceph-cluster
-    - name: volsync
-  path: ./kubernetes/apps/default/pterodactyl/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: theshire
-  wait: false
-  interval: 30m
-  timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app
-      GATUS_SUBDOMAIN: "pt"
-      VOLSYNC_CAPACITY: 10Gi

.archive/vault/app/helmrelease.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:

.editorconfig

@@ -1,3 +1,5 @@
+; https://editorconfig.org/
+
 root = true
 
 [*]

.forgejo/workflows/schemas.yaml

@@ -0,0 +1,138 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: "K8S json Schemas --> Cloudflare R2"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *" # Every day at midnight
+  push:
+    branches: ["main"]
+    paths: [".forgejo/workflows/schemas.yaml"]
+
+jobs:
+  publish:
+    name: Schemas
+    runs-on: ["ubuntu-x86_64"]
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: https://github.com/actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Workflow Tools
+        shell: bash
+        run: |
+          curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl"
+          chmod +x kubectl
+          mv kubectl /usr/local/bin/
+
+          curl -LO "https://dl.min.io/client/mc/release/linux-amd64/mc"
+          chmod +x mc
+          mv mc /usr/local/bin/
+
+      - name: Setup Python
+        run: |
+          apt-get update
+          apt-get install -y python3 python3-pip python3-yaml
+          pip3 install --upgrade pip
+
+      - name: Write kubeconfig
+        id: kubeconfig
+        uses: https://github.com/timheuer/base64-to-file@v1
+        with:
+          encodedString: "${{ secrets.KUBECONFIG }}"
+          fileName: kubeconfig
+          fileDir: ${{ env.GITHUB_WORKSPACE }}
+      - name: Write mc
+        id: mcconfig
+        uses: https://github.com/timheuer/base64-to-file@v1
+        with:
+          encodedString: "${{ secrets.MCCONFIG }}"
+          fileName: config.json
+          fileDir: ${{ env.GITHUB_WORKSPACE }}
+
+      - name: Extracting CRDs to yaml and converting to JSON schema
+        env:
+          KUBECONFIG: "${{ steps.kubeconfig.outputs.filePath }}"
+        run: |
+          # kubeconfig
+          echo "kubeconfig location: $KUBECONFIG"
+          # Create temp folder for CRDs
+          TMP_CRD_DIR=$(mktemp -d)
+          echo "Temp directory: $TMP_CRD_DIR"
+
+          # Create final schemas directory
+          SCHEMAS_DIR=$GITHUB_WORKSPACE/crdSchemas
+          mkdir -p $SCHEMAS_DIR
+          echo "Schemas directory: $SCHEMAS_DIR"
+
+          # Create array to store CRD kinds and groups
+          ORGANIZE_BY_GROUP=true
+          declare -A CRD_GROUPS 2>/dev/null
+          if [ $? -ne 0 ]; then
+              # Array creation failed, signal to skip organization by group
+              ORGANIZE_BY_GROUP=false
+          fi
+
+          # Extract CRDs from cluster
+          NUM_OF_CRDS=0
+          while read -r crd
+          do
+              filename=${crd%% *}
+              kubectl get crds "$filename" -o yaml > "$TMP_CRD_DIR/$filename.yaml" 2>&1
+              echo "Extracted CRD: $filename"
+
+              resourceKind=$(grep "kind:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==2{print $2}' | tr '[:upper:]' '[:lower:]')
+              resourceGroup=$(grep "group:" "$TMP_CRD_DIR/$filename.yaml" | awk 'NR==1{print $2}')
+
+              # Save name and group for later directory organization
+              CRD_GROUPS["$resourceKind"]="$resourceGroup"
+
+              let ++NUM_OF_CRDS
+          done < <(kubectl get crds 2>&1 | sed -n '/NAME/,$p' | tail -n +2)
+          echo numCRDs: $NUM_OF_CRDS
+
+          # Download converter script
+          curl https://raw.githubusercontent.com/yannh/kubeconform/master/scripts/openapi2jsonschema.py --output $TMP_CRD_DIR/openapi2jsonschema.py 2>/dev/null
+
+          # Convert crds to jsonSchema
+          cd $SCHEMAS_DIR
+          python3 $TMP_CRD_DIR/openapi2jsonschema.py $TMP_CRD_DIR/*.yaml
+          conversionResult=$?
+
+          # Copy and rename files to support kubeval
+          rm -rf $SCHEMAS_DIR/master-standalone
+          mkdir -p $SCHEMAS_DIR/master-standalone
+          cp $SCHEMAS_DIR/*.json $SCHEMAS_DIR/master-standalone
+          find $SCHEMAS_DIR/master-standalone -name '*json' -exec bash -c ' mv -f $0 ${0/\_/-stable-}' {} \;
+
+          # Organize schemas by group
+          if [ $ORGANIZE_BY_GROUP == true ]; then
+              for schema in $SCHEMAS_DIR/*.json
+              do
+              crdFileName=$(basename $schema .json)
+              crdKind=${crdFileName%%_*}
+              crdGroup=${CRD_GROUPS[$crdKind]}
+              if [ -z $crdGroup ]; then
+                  crdGroup="uncategorized"
+                  echo "CRD kind $crdKind has no group, moving to $crdGroup"
+              fi
+              echo making directory $crdGroup
+              mkdir -p $crdGroup
+              mv $schema ./$crdGroup
+              done
+          fi
+
+          rm -rf $TMP_CRD_DIR
+
+      - name: Deploy to Cloudflare R2
+        env:
+          MC_CONFIG_DIR: "${{ steps.mcconfig.outputs.fileDir }}"
+          shell: bash
+        run: |
+          echo $GITHUB_WORKSPACE/crdSchemas/
+          mc cp --recursive $GITHUB_WORKSPACE/crdSchemas/ r2-ks/kubernetes-schema

.gitignore

@@ -24,9 +24,3 @@ omniconfig.yaml
 *.pem
 *.secrets
 config.xml
-
-# syncthing
-**/*sync-conflict*
-
-# Aider
-.aider*

.renovate/packageRules.json5

@@ -4,7 +4,7 @@
     {
       "description": ["Loose versioning for non-semver packages"],
       "matchDatasources": ["docker"],
-      "matchPackagePatterns": ["plex"],
+      "matchPackagePatterns": ["cross-seed", "plex"],
       "versioning": "loose"
     },
     {

.taskfiles/flux/Taskfile.yaml

@@ -18,20 +18,6 @@ tasks:
           | xargs -P 4 -L 1 bash -c \
             'kubectl -n $0 annotate kustomization/$1 reconcile.fluxcd.io/requestedAt="$(date +%s)" --field-manager=flux-client-side-apply --overwrite'
 
-  ks-suspend:
-    desc: Suspend all Flux Kustomizations
-    cmds:
-      - |
-        flux get kustomizations --all-namespaces --no-header | awk '{print $1, $2}' \
-          | xargs -L 1 bash -c 'flux -n $0 suspend kustomization $1'
-
-  ks-resume:
-    desc: Resume all Flux Kustomizations
-    cmds:
-      - |
-        flux get kustomizations --all-namespaces --no-header | awk '{print $1, $2}' \
-          | xargs -L 1 bash -c 'flux -n $0 resume kustomization $1'
-
   hr-sync:
     desc: Sync all Flux HelmReleases
     cmds:

.taskfiles/talos/Taskfile.yaml

@@ -55,99 +55,94 @@ tasks:
 
   generate-clusterconfig:
     desc: Generate clusterconfig for Talos
-    preconditions:
-      - which test talhelper
-      - test -f {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talsecret.sops.yaml
-      - test -f {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talconfig.yaml
-    requires:
-      vars:
-        - K8S_CLUSTER
     cmds:
       - talhelper genconfig
         --env-file {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talenv.sops.yaml
         --secret-file {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talsecret.sops.yaml
         --config-file {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talconfig.yaml
         --out-dir {{.K8S_CLUSTER_DIR}}/bootstrap/talos/clusterconfig
+    requires:
+      vars:
+        - K8S_CLUSTER
+    preconditions:
+      - test -f {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talenv.sops.yaml
+      - test -f {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talsecret.sops.yaml
+      - test -f {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talconfig.yaml
+
+  upgrade:
+    desc: Upgrade Talos version for a node
+    vars:
+      TALOS_VERSION:
+        sh: |
+          yq -r ".talosVersion" {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talconfig.yaml
+      TALOS_IMAGE:
+        sh: |
+          talhelper genurl installer \
+            --env-file {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talenv.sops.yaml \
+            --config-file {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talconfig.yaml \
+          | grep {{.NODE}} \
+          | awk '{split($0,u," "); print u[2]}'
+    cmds:
+      - talosctl upgrade -n {{.NODE}} --image {{.TALOS_IMAGE }}
+    requires:
+      vars:
+        - K8S_CLUSTER
+        - NODE
+    preconditions:
+      - test -f {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talenv.sops.yaml
+      - test -f {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talconfig.yaml
+      - msg: "Talos image could not be determined for node={{.NODE}}"
+        sh: 'test -n "{{.TALOS_IMAGE}}"'
+
+  upgrade-k8s:
+    desc: Upgrade Kubernetes version for a Talos cluster
+    silent: false
+    vars:
+      KUBERNETES_VERSION:
+        sh: |
+          yq -r ".kubernetesVersion" {{.K8S_CLUSTER_DIR}}/bootstrap/talos/talconfig.yaml
+      TALOS_CONTROLLER:
+        sh: talosctl config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1
+    cmds:
+      - until kubectl wait --timeout=5m --for=condition=Complete jobs --all --all-namespaces; do sleep 10; done
+      - talosctl upgrade-k8s -n {{.TALOS_CONTROLLER}} --to {{.KUBERNETES_VERSION}}
+    requires:
+      vars:
+        - K8S_CLUSTER
+    preconditions:
+      - talosctl config info &>/dev/null
+      - talosctl --nodes {{.TALOS_CONTROLLER}} get machineconfig &>/dev/null
 
   apply-clusterconfig:
     desc: Apply clusterconfig for a Talos cluster
     vars:
       CLUSTERCONFIG_FILES:
-        sh: ls {{.K8S_CLUSTER_DIR}}/bootstrap/talos/clusterconfig/*.yaml
-    preconditions:
-      - which ls
-      - test -f "${TALOSCONFIG}"
-    requires:
-      vars:
-        - K8S_CLUSTER
+        sh: find {{.K8S_CLUSTER_DIR}}/bootstrap/talos/clusterconfig -type f -name '*.yaml' -printf '%f\n'
     cmds:
       - for:
           var: CLUSTERCONFIG_FILES
         task: _apply-machineconfig
         vars:
-          FILENAME: "{{.ITEM}}"
-          HOSTNAME: |-
-            {{ trimPrefix (printf "%s-" .K8S_CLUSTER) (base .ITEM) | trimSuffix ".yaml" }}
+          filename: "{{.ITEM}}"
+          hostname: |-
+            {{ trimPrefix (printf "%s-" .K8S_CLUSTER) .ITEM | trimSuffix ".yaml" }}
           DRY_RUN: "{{ .DRY_RUN }}"
-          INSECURE: "{{ .INSECURE }}"
-
-  apply-node:
-    desc: Apply Talos config to a node [NODE=required]
-    preconditions:
-      - which talosctl
-      - test -f "${TALOSCONFIG}"
-      - talosctl --nodes {{.NODE}} get machineconfig
     requires:
       vars:
         - K8S_CLUSTER
-        - NODE
-    vars:
-      FILE:
-        sh: ls {{.K8S_CLUSTER_DIR}}/bootstrap/talos/clusterconfig/{{.K8S_CLUSTER}}-{{.NODE}}*.yaml
-    cmds:
-      - task: _apply-machineconfig
-        vars:
-          FILENAME: "{{.FILE}}"
-          HOSTNAME: "{{.NODE}}"
-      - talosctl --nodes {{.NODE}} health --wait-timeout=10m --server=false
-
-  upgrade-node:
-    desc: Upgrade Talos on a single node [NODE=required]
-    preconditions:
-      - which talosctl
-      - test -f "${TALOSCONFIG}"
-      - talosctl --nodes {{.NODE}} get machineconfig
-    requires:
-      vars:
-        - K8S_CLUSTER
-        - NODE
-    vars:
-      FILE:
-        sh: ls {{.K8S_CLUSTER_DIR}}/bootstrap/talos/clusterconfig/{{.K8S_CLUSTER}}-{{.NODE}}*.yaml
-      TALOS_IMAGE:
-        sh: yq '.machine.install.image' < "{{.FILE}}"
-    cmds:
-      - echo "Upgrading Talos on node {{.NODE}}"
-      - talosctl --nodes {{.NODE}} upgrade --image="{{.TALOS_IMAGE}}" --timeout=10m
-      - talosctl --nodes {{.NODE}} health --wait-timeout=10m --server=false
 
   _apply-machineconfig:
     internal: true
     desc: Apply a single Talos machineConfig to a Talos node
-    vars:
-      MODE: '{{.MODE | default "auto"}}'
-    preconditions:
-      - which talosctl
-      - test -f "{{.FILENAME}}"
+    cmds:
+      - talosctl apply-config
+        --nodes "{{.hostname}}"
+        --file "{{.K8S_CLUSTER_DIR}}/bootstrap/talos/clusterconfig/{{.filename}}"
+        {{ if eq "true" .DRY_RUN }}--dry-run{{ end }}
     requires:
       vars:
         - K8S_CLUSTER
-        - HOSTNAME
-        - FILENAME
-    cmds:
-      - talosctl apply-config
-        --nodes "{{.HOSTNAME}}"
-        --file "{{.FILENAME}}"
-        --mode="{{.MODE}}"
-        {{ if eq "true" .INSECURE }}--insecure{{ end }}
-        {{ if eq "true" .DRY_RUN }}--dry-run{{ end }}
+        - hostname
+        - filename
+    preconditions:
+      - test -f {{.K8S_CLUSTER_DIR}}/bootstrap/talos/clusterconfig/{{.filename}}

.vscode/extensions.json

@@ -1,6 +1,7 @@
 {
     "recommendations": [
         "mikestead.dotenv",
+        "redhat.ansible",
         "redhat.vscode-yaml",
         "signageos.signageos-vscode-sops",
         "pkief.material-icon-theme",

.vscode/settings.json

@@ -1,40 +1,32 @@
 {
   "ansible.validation.lint.arguments": "-c .ansible-lint",
   "files.associations": {
-    "*.json5": "jsonc",
-    "**/ansible/**/*.yaml": "ansible",
-    "**/ansible/**/*.sops.yaml": "yaml",
-    "**/ansible/**/inventory/**/*.yaml": "yaml",
-    "**/kubernetes/**/*.sops.toml": "plaintext",
-    "*.hujson": "jsonc"
+      "*.json5": "jsonc",
+      "**/ansible/**/*.yaml": "ansible",
+      "**/ansible/**/*.sops.yaml": "yaml",
+      "**/ansible/**/inventory/**/*.yaml": "yaml",
+      "**/kubernetes/**/*.sops.toml": "plaintext"
   },
   "material-icon-theme.folders.associations": {
-    ".taskfiles": "utils",
-    "bootstrap": "import",
-    "charts": "kubernetes",
-    "hack": "scripts",
-    "repositories": "database",
-    "vars": "other",
-    "cert-manager": "guard",
-    "external-secrets": "keys",
-    "kube-system": "kubernetes",
-    "monitoring": "event",
-    "networking": "connection",
-    "rook-ceph": "dump"
+      ".taskfiles": "utils",
+      "bootstrap": "import",
+      "charts": "kubernetes",
+      "hack": "scripts",
+      "repositories": "database",
+      "vars": "other",
+      // namespaces
+      "cert-manager": "guard",
+      "external-secrets": "keys",
+      "kube-system": "kubernetes",
+      "monitoring": "event",
+      "networking": "connection",
+      "rook-ceph": "dump",
   },
   "yaml.schemaStore.enable": true,
   "yaml.schemas": {
     "ansible": "ansible/**/*.yaml",
     "kubernetes": "kubernetes/**/*.yaml"
   },
-  "json.schemas": [
-    {
-      "fileMatch": ["*.hujson"],
-      "schema": {
-        "allowTrailingCommas": true
-      }
-    }
-  ],
   "editor.fontFamily": "FiraCode Nerd Font",
   "editor.fontLigatures": true,
   "editor.bracketPairColorization.enabled": true,
@@ -43,7 +35,9 @@
   "editor.guides.highlightActiveBracketPair": true,
   "editor.hover.delay": 1500,
   "editor.stickyScroll.enabled": false,
-  "editor.rulers": [100],
+  "editor.rulers": [
+    100
+  ],
   "explorer.autoReveal": false,
   "files.trimTrailingWhitespace": true,
   "ansible.python.interpreterPath": "/usr/bin/python3",
@@ -52,5 +46,5 @@
   "prettier.quoteProps": "preserve",
   "[jsonc]": {
     "editor.defaultFormatter": "esbenp.prettier-vscode"
-  }
+  },
 }

README.md

@@ -1,11 +1,3 @@
-# Archived due to hardware failure and NICs being too old. 
-
-[Relevant to my NIC issues](https://serverfault.com/questions/616485/e1000e-reset-adapter-unexpectedly-detected-hardware-unit-hang)
-
-Will continue to work on my [nix config](https://github.com/jahanson/mochi) until I can afford better k8s nodes :)
-
----
-
 Talos & 6x Dell USFF nodes with 2 Beefy VM works with GPUs.
 
 

Taskfile.yaml

@@ -9,7 +9,6 @@ vars:
   K8S_CLUSTER_DIR: '{{.KUBERNETES_DIR}}'
   CLUSTER: '{{.CLUSTER | default "theshire"}}'
   CLUSTER_DIR: '{{.KUBERNETES_DIR}}'
-  TALOSCONFIG: "{{.K8S_CLUSTER_DIR}}/talos/clusterconfig/talosconfig"
 
 env:
   KUBECONFIG: "{{.ROOT_DIR}}/kubeconfig"

kubernetes/apps/ai/kustomization.yaml

@@ -6,4 +6,5 @@ resources:
   # Pre Flux-Kustomizations
   - ./namespace.yaml
   # Flux-Kustomizations
+  - ./ollama/ks.yaml
   - ./open-webui/ks.yaml

kubernetes/apps/ai/ollama/app/helmrelease.yaml

@@ -35,7 +35,7 @@ spec:
           app:
             image:
               repository: docker.io/ollama/ollama
-              tag: 0.4.2
+              tag: 0.4.0
             env:
               - name: OLLAMA_HOST
                 value: 0.0.0.0

kubernetes/apps/ai/open-webui/app/helmrelease.yaml

@@ -9,11 +9,13 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
         namespace: flux-system
+  dependsOn:
+    - name: ollama
   install:
     remediation:
       retries: 3
@@ -31,10 +33,10 @@ spec:
           app:
             image:
               repository: ghcr.io/open-webui/open-webui
-              tag: v0.5.4
+              tag: 0.3.35
             env:
               - name: OLLAMA_BASE_URL
-                value: http://10.1.1.61:11434
+                value: http://ollama.ai.svc.cluster.local:11434
               - name: ENABLE_RAG_WEB_SEARCH
                 value: true
               - name: RAG_WEB_SEARCH_ENGINE
@@ -67,19 +69,6 @@ spec:
         tls:
           - hosts:
               - *host
-      tailscale:
-        enabled: true
-        className: tailscale
-        hosts:
-          - host: &host "{{ .Release.Name }}.meerkat-dab.ts.net"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
     persistence:
       config:
         enabled: true

kubernetes/apps/ai/open-webui/ks.yaml

@@ -12,6 +12,7 @@ spec:
       app.kubernetes.io/name: *app
   dependsOn:
     - name: volsync
+    - name: ollama
   path: ./kubernetes/apps/ai/open-webui/app
   prune: true
   sourceRef:

kubernetes/apps/anime/jellyfin/app/helmrelease.yaml

@@ -40,7 +40,7 @@ spec:
           app:
             image:
               repository: ghcr.io/jellyfin/jellyfin
-              tag: 10.10.3@sha256:17c3a8d9dddb97789b5f37112840ebf96566442c14d4754193a6c2eb154bc221
+              tag: 10.10.1@sha256:12b7aa2c8086e5566badc35370fab41b8cc8774dc3a80b07a1d6eb14f282b816
             env:
               DOTNET_SYSTEM_IO_DISABLEFILELOCKING: "true"
               JELLYFIN_FFmpeg__probesize: 50000000

kubernetes/apps/anime/jellyseerr/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -36,7 +36,7 @@ spec:
           app:
             image:
               repository: fallenbagel/jellyseerr
-              tag: 2.1.0
+              tag: 2.0.1
             env:
               TZ: America/Chicago
               LOG_LEVEL: "info"

kubernetes/apps/anime/kustomization.yaml

@@ -6,6 +6,8 @@ resources:
   # Pre Flux-Kustomizations
   - ./namespace.yaml
   # Flux-Kustomizations
+  - ./jellyfin/ks.yaml    # sqlite
   - ./jellyseerr/ks.yaml  # sqlite
   - ./radarr/ks.yaml      # postgres
+  - ./shoko/ks.yaml       # sqlite
   - ./sonarr/ks.yaml      # postgres

kubernetes/apps/anime/radarr/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/radarr-develop
-              tag: 5.17.2.9580
+              tag: 5.15.0.9412
             env:
               RADARR__APP__INSTANCENAME: Radarr-Anime
               RADARR__APP__THEME: dark
@@ -66,6 +66,11 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 6Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -94,19 +99,6 @@ spec:
         tls:
           - hosts:
               - *host
-      tailscale:
-        enabled: true
-        className: tailscale
-        hosts:
-          - host: &host "{{ .Release.Name }}.meerkat-dab.ts.net"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
     persistence:
       config:
         enabled: true
@@ -115,7 +107,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/anime/shoko/app/externalsecret.yaml

@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: shokoserver
+spec:
+  refreshInterval: 5m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: shokoserver-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: WIREGUARD_ENDPOINT_IP
+      remoteRef:
+        key: ProtonVPN
+        property: shokoserver_vpn_endpoint_ip
+    - secretKey: WIREGUARD_PUBLIC_KEY
+      remoteRef:
+        key: ProtonVPN
+        property: shokoserver_wireguard_public_key
+    - secretKey: WIREGUARD_PRIVATE_KEY
+      remoteRef:
+        key: ProtonVPN
+        property: shokoserver_wireguard_private_key
+    - secretKey: WIREGUARD_ADDRESSES
+      remoteRef:
+        key: ProtonVPN
+        property: wireguard_addresses

kubernetes/apps/anime/shoko/app/helmrelease.yaml

@@ -0,0 +1,125 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app shokoserver
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  dependsOn:
+    - name: rook-ceph-cluster
+      namespace: rook-ceph
+    - name: volsync
+      namespace: volsync-system
+  values:
+    controllers:
+      shokoserver:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          gluetun:
+            image:
+              repository: ghcr.io/qdm12/gluetun
+              tag: v3.39.1
+            env:
+              DOT: "off"
+              VPN_SERVICE_PROVIDER: protonvpn
+              VPN_TYPE: wireguard
+              VPN_INTERFACE: wg0
+              FIREWALL_INPUT_PORTS: "80"
+            envFrom:
+              - secretRef:
+                  name: shokoserver-secret
+            resources:
+              limits:
+                kernel.org/tun: 1
+            restartPolicy: Always
+            securityContext:
+              capabilities:
+                add: ["NET_ADMIN"]
+              allowPrivilegeEscalation: false
+        containers:
+          app:
+            image:
+              repository: ghcr.io/jahanson/shokoserver
+              tag: v5.0.0@sha256:193aedf3e3f2d7031a76274d5bae0004c3d920c24831d688d991f85d4bb24ce2
+            env:
+              TZ: America/Chicago
+              PORT: &port 80
+            # probes:
+            #   liveness: &probes
+            #     enabled: true
+            #     custom: true
+            #     spec:
+            #       httpGet:
+            #         path: /status
+            #         port: *port
+            #       initialDelaySeconds: 0
+            #       periodSeconds: 10
+            #       timeoutSeconds: 1
+            #       failureThreshold: 3
+            #   readiness: *probes
+            #   startup:
+            #     enabled: false
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 568
+        runAsGroup: 568
+        fsGroup: 568
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile: { type: RuntimeDefault }
+    service:
+      app:
+        controller: shokoserver
+        ports:
+          http:
+            port: *port
+            targetPort: 8111
+    ingress:
+      app:
+        className: internal-nginx
+        hosts:
+          - host: "${APP}.jahanson.tech"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+    persistence:
+      config:
+        existingClaim: "${APP}"
+        globalMounts:
+          - path: /.shoko
+      media:
+        type: nfs
+        server: 10.1.1.61
+        path: /moria/media/
+        globalMounts:
+          - path: /data/moria-media
+      # logs:
+      #   type: emptyDir
+      #   globalMounts:
+      #     - path: /app/config/logs
+      tmp:
+        type: emptyDir

kubernetes/apps/anime/shoko/ks.yaml

@@ -3,22 +3,22 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app matter-server
+  name: &app shoko
   namespace: flux-system
 spec:
-  targetNamespace: default
+  targetNamespace: anime
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/default/matter-server/app
+  path: ./kubernetes/apps/anime/shoko/app
   prune: true
   sourceRef:
     kind: GitRepository
     name: theshire
-  wait: false # no flux ks dependents
+  wait: false
   interval: 30m
   timeout: 5m
   postBuild:
     substitute:
       APP: *app
-      VOLSYNC_CAPACITY: 1Gi
+      VOLSYNC_CAPACITY: 5Gi

kubernetes/apps/anime/sonarr/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/sonarr-develop
-              tag: 4.0.12.2825
+              tag: 4.0.10.2624
             env:
               SONARR__APP__INSTANCENAME: Sonarr-Anime
               SONARR__APP__THEME: dark
@@ -66,6 +66,11 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 6Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -94,19 +99,6 @@ spec:
         tls:
           - hosts:
               - *host
-      tailscale:
-        enabled: true
-        className: tailscale
-        hosts:
-          - host: &host "{{ .Release.Name }}.meerkat-dab.ts.net"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
     persistence:
       config:
         enabled: true
@@ -115,7 +107,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         globalMounts:
           - path: /data/nas-media
@@ -125,14 +117,3 @@ spec:
         path: /moria/media/
         globalMounts:
           - path: /data/moria-media
-      scripts:
-        type: configMap
-        name: sonarr-configmap
-        defaultMode: 0775
-        globalMounts:
-          - path: /scripts/pushover-notify.sh
-            subPath: pushover-notify.sh
-            readOnly: true
-          - path: /scripts/refresh-series.sh
-            subPath: refresh-series.sh
-            readOnly: true

kubernetes/apps/anime/sonarr/app/kustomization.yaml

@@ -6,12 +6,3 @@ resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
   - ../../../../templates/volsync
-configMapGenerator:
-  - name: sonarr-configmap
-    files:
-      - pushover-notify.sh=./resources/pushover-notify.sh
-      - refresh-series.sh=./resources/refresh-series.sh
-generatorOptions:
-  disableNameSuffixHash: true
-  annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled

kubernetes/apps/anime/sonarr/app/resources/pushover-notify.sh

@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-# shellcheck disable=SC2154
-set -euo pipefail
-
-# User defined variables for pushover
-PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
-PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
-PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
-
-if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
-    PUSHOVER_PRIORITY="1"
-    printf -v PUSHOVER_TITLE \
-        "Test Notification"
-    printf -v PUSHOVER_MESSAGE \
-        "Howdy this is a test notification from %s" \
-            "${sonarr_instancename:-Sonarr}"
-    printf -v PUSHOVER_URL \
-        "%s" \
-            "${sonarr_applicationurl:-localhost}"
-    printf -v PUSHOVER_URL_TITLE \
-        "Open %s" \
-            "${sonarr_instancename:-Sonarr}"
-fi
-
-if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
-    printf -v PUSHOVER_TITLE \
-        "Episode %s" \
-            "$( [[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded" )"
-    printf -v PUSHOVER_MESSAGE \
-        "<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
-            "${sonarr_series_title}" \
-            "${sonarr_episodefile_seasonnumber}" \
-            "${sonarr_episodefile_episodenumbers}" \
-            "${sonarr_episodefile_episodetitles}" \
-            "${sonarr_episodefile_quality:-Unknown}" \
-            "${sonarr_download_client:-Unknown}"
-    printf -v PUSHOVER_URL \
-        "%s/series/%s" \
-            "${sonarr_applicationurl:-localhost}" \
-            "${sonarr_series_titleslug}"
-    printf -v PUSHOVER_URL_TITLE \
-        "View series in %s" \
-            "${sonarr_instancename:-Sonarr}"
-fi
-
-if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
-    PUSHOVER_PRIORITY="1"
-    printf -v PUSHOVER_TITLE \
-        "Episode import requires intervention"
-    printf -v PUSHOVER_MESSAGE \
-        "<b>%s</b><small>\n<b>Client:</b> %s</small>" \
-            "${sonarr_series_title}" \
-            "${sonarr_download_client:-Unknown}"
-    printf -v PUSHOVER_URL \
-        "%s/activity/queue" \
-            "${sonarr_applicationurl:-localhost}"
-    printf -v PUSHOVER_URL_TITLE \
-        "View queue in %s" \
-            "${sonarr_instancename:-Sonarr}"
-fi
-
-json_data=$(jo \
-    token="${PUSHOVER_TOKEN}" \
-    user="${PUSHOVER_USER_KEY}" \
-    title="${PUSHOVER_TITLE}" \
-    message="${PUSHOVER_MESSAGE}" \
-    url="${PUSHOVER_URL}" \
-    url_title="${PUSHOVER_URL_TITLE}" \
-    priority="${PUSHOVER_PRIORITY}" \
-    html="1"
-)
-
-status_code=$(curl \
-    --silent \
-    --write-out "%{http_code}" \
-    --output /dev/null \
-    --request POST \
-    --header "Content-Type: application/json" \
-    --data-binary "${json_data}" \
-    "https://api.pushover.net/1/messages.json" \
-)
-
-printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
-    "${status_code}" \
-    "$(echo "${json_data}" | jq --compact-output)" >&2

kubernetes/apps/anime/sonarr/app/resources/refresh-series.sh

@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-# shellcheck disable=SC2154
-set -euo pipefail
-
-CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
-SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
-
-if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
-    tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
-        [.[] | select((.title == "TBA") or (.title == "TBD"))] | length
-    ')
-
-    if (( tba > 0 )); then
-        echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
-        "${CURL_CMD[@]}" \
-            --request POST \
-            --header "Content-Type: application/json" \
-            --data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
-            "${SONARR_API_URL}/command" &>/dev/null
-    fi
-fi

kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: cert-manager
-      version: v1.16.2
+      version: v1.16.1
       sourceRef:
         kind: HelmRepository
         name: jetstack

kubernetes/apps/cert-manager/webhook-dnsimple/app/helmrelease.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       interval: 30m
       sourceRef:
         kind: HelmRepository

kubernetes/apps/ci-runners/forgejo/app/helmrelease.yaml

@@ -30,7 +30,7 @@ spec:
           runner-register:
             image:
               repository: code.forgejo.org/forgejo/runner
-              tag: 5.0.4
+              tag: 4.0.1
             command:
               - "forgejo-runner"
               - "register"
@@ -63,7 +63,7 @@ spec:
           daemon:
             image:
               repository: docker
-              tag: 27.4.1-dind
+              tag: 27.3.1-dind
             securityContext:
               privileged: true
             env:
@@ -72,7 +72,7 @@ spec:
           app:
             image:
               repository: code.forgejo.org/forgejo/runner
-              tag: 5.0.4
+              tag: 4.0.1
             command:
               - "sh"
               - "-c"

kubernetes/apps/coder/coder/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: coder
-      version: 2.18.2
+      version: 2.16.1
       sourceRef:
         kind: HelmRepository
         name: coder
@@ -29,6 +29,8 @@ spec:
       env:
         - name: CODER_ACCESS_URL
           value: https://coder.hsn.dev
+        - name: CODER_WILDCARD_ACCESS_URL
+          value: "*.coder.hsn.dev"
         - name: CODER_PROMETHEUS_ENABLE
           value: "true"
       envFrom:
@@ -42,3 +44,4 @@ spec:
           external-dns.alpha.kubernetes.io/target: external.hsn.dev
 
         host: "coder.hsn.dev"
+        wildcardHost: "*.coder.hsn.dev"

kubernetes/apps/database/crunchy-postgres-operator/cluster/externalsecret.yaml

@@ -17,12 +17,9 @@ spec:
           [global]
           repo1-s3-key={{ .minio_crunchy_postgres_access_key }}
           repo1-s3-key-secret={{ .minio_crunchy_postgres_secret_key }}
-          repo2-s3-key={{ .hetzner_PGB_ACCESS_KEY }}
-          repo2-s3-key-secret={{ .hetzner_PGB_SECRET_KEY }}
         encryption.conf: |
           [global]
           repo1-cipher-pass={{ .crunchy_postgres_backup_encryption_cipher }}
-          repo2-cipher-pass={{ .crunchy_postgres_backup_encryption_cipher }}
   dataFrom:
     - extract:
         key: crunchy-postgres
@@ -39,12 +36,3 @@ spec:
         - regexp:
             source: "(.*)"
             target: "minio_$1"
-    - extract:
-        key: hetzner
-      rewrite:
-        - regexp:
-            source: "[^a-zA-Z0-9 -]"
-            target: "_"
-        - regexp:
-            source: "(.*)"
-            target: "hetzner_$1"

kubernetes/apps/database/crunchy-postgres-operator/cluster/postgrescluster.yaml

@@ -17,7 +17,7 @@ spec:
     metadata:
       annotations:
         external-dns.alpha.kubernetes.io/hostname: postgres.jahanson.tech
-        lbipam.cilium.io/ips: "10.5.0.52"
+        io.cilium/lb-ipam-ips: 10.1.1.35
 
   monitoring:
     pgmonitor:
@@ -144,11 +144,6 @@ spec:
         - jellyseerr
       password:
         type: AlphaNumeric
-    - name: ptero
-      databases:
-        - ptero
-      password:
-        type: AlphaNumeric
 
 
   backups:
@@ -157,20 +152,16 @@ spec:
         - secret:
             name: crunchy-postgres-secret
       global: &backupFlag
-        archive-timeout: "1d"
+        archive-timeout: "60"
         compress-type: "bz2"
         compress-level: "9"
-        # Minio
+        delta: "y"
         repo1-retention-full-type: "time"
         repo1-retention-full: "14"
         repo1-retention-diff: "30"
         repo1-path: "/crunchy-pgo"
         repo1-s3-uri-style: path
-        # Hetzner
-        repo2-retention-full-type: "time"
-        repo2-retention-full: "7"
-        repo2-path: "/crunchy-pgo"
-        repo2-s3-uri-style: host
+        archive-push-queue-max: 4GiB
       manual:
         repoName: repo1
         options:
@@ -182,20 +173,12 @@ spec:
         - name: repo1 # Minio
           s3: &minio
             bucket: "crunchy-main"
-            endpoint: "s3.jahanson.tech:9000"
+            endpoint: "s3.hsn.dev"
             region: "us-east-1"
           schedules:
             full: "0 1 * * 0" # Sunday at 01:00
             differential: "0 1 * * 1-6" # Mon-Sat at 01:00
             incremental: "0 2-23 * * *" # Every hour except 01:00
-        - name: repo2 # Hetzner Object Storage
-          s3: &hetzner
-            bucket: "hsn-pgb"
-            endpoint: ${CLUSTER_SECRET_HETZNER_PGB_ENDPOINT}
-            region: "fsn1"
-          schedules:
-            full: "0 2 * * 0" # Sunday at 02:00
-            differential: "0 2 * * 1-6/2" # Mon,Wed,Fri at 02:00
 
   dataSource:
     pgbackrest:
@@ -215,7 +198,7 @@ spec:
         metadata:
           annotations:
             external-dns.alpha.kubernetes.io/hostname: pgbouncer.jahanson.tech
-            lbipam.cilium.io/ips: "10.5.0.53"
+            io.cilium/lb-ipam-ips: 10.1.1.36
       metadata:
         labels:
           app.kubernetes.io/name: crunchy-postgres-pgbouncer

kubernetes/apps/database/crunchy-postgres-operator/operator/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: pgo
-      version: 5.7.2
+      version: 5.7.0
       sourceRef:
         kind: HelmRepository
         name: crunchydata

kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrelease.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:

kubernetes/apps/database/dragonfly/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -30,7 +30,7 @@ spec:
           app:
             image:
               repository: ghcr.io/dragonflydb/operator
-              tag: v1.1.8
+              tag: v1.1.7
             command: ["/manager"]
             args:
               - --health-probe-bind-address=:8081

kubernetes/apps/database/dragonfly/app/kustomization.yaml

@@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   # renovate: datasource=github-releases depName=dragonflydb/dragonfly-operator
-  - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.8/manifests/crd.yaml
+  - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.7/manifests/crd.yaml
   - ./helmrelease.yaml
   - ./rbac.yaml

kubernetes/apps/database/dragonfly/cluster/dragonfly.yaml

@@ -5,7 +5,7 @@ kind: Dragonfly
 metadata:
   name: dragonfly
 spec:
-  image: ghcr.io/dragonflydb/dragonfly:v1.25.6
+  image: ghcr.io/dragonflydb/dragonfly:v1.24.0
   replicas: 3
   env:
     - name: MAX_MEMORY

kubernetes/apps/database/emqx/cluster/cluster.yaml

@@ -5,7 +5,7 @@ kind: EMQX
 metadata:
   name: emqx
 spec:
-  image: public.ecr.aws/emqx/emqx:5.8.3
+  image: public.ecr.aws/emqx/emqx:5.8.1
   config:
     mode: Merge
   coreTemplate:
@@ -36,6 +36,6 @@ spec:
   listenersServiceTemplate:
     metadata:
       annotations:
-        io.cilium/lb-ipam-ips: "10.5.0.50"
+        io.cilium/lb-ipam-ips: 10.1.1.38
     spec:
       type: LoadBalancer

kubernetes/apps/database/influxdb/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: docker.io/influxdb
-              tag: 2.7.11-alpine
+              tag: 2.7.10-alpine
               pullPolicy: IfNotPresent
             env:
               INFLUXDB_ADMIN_USER_PASSWORD: "admin"

kubernetes/apps/database/kustomization.yaml

@@ -10,4 +10,3 @@ resources:
   - ./dragonfly/ks.yaml
   - ./emqx/ks.yaml
   - ./influxdb/ks.yaml
-  # - ./mariadb/ks.yaml

kubernetes/apps/database/mariadb/cluster/backup.yaml

@@ -1,78 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/backup_v1alpha1.json
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Backup
-metadata:
-  name: &name mariadb-backup
-spec:
-  mariaDbRef:
-    name: mariadb
-  timeZone: "America/Chicago"
-  schedule:
-    cron: "0 * * * *"
-    suspend: false
-  stagingStorage:
-    persistentVolumeClaim:
-      storageClassName: openebs-hostpath
-      resources:
-        requests:
-          storage: 6Gi
-      accessModes:
-        - ReadWriteOnce
-  podSecurityContext:
-    runAsUser: 568
-    runAsGroup: 568
-    fsGroup: 568
-    fsGroupChangePolicy: OnRootMismatch
-  storage:
-    s3:
-      endpoint: s3.hsn.dev
-      bucket: mariadb
-      prefix: full/
-      accessKeyIdSecretKeyRef:
-        name: mariadb-secret
-        key: AWS_ACCESS_KEY_ID
-      secretAccessKeySecretKeyRef:
-        name: mariadb-secret
-        key: AWS_SECRET_ACCESS_KEY
----
-# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/backup_v1alpha1.json
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Backup
-metadata:
-  name: &name mariadb-pterodactyl-backup
-  namespace: database
-spec:
-  mariaDbRef:
-    name: mariadb
-    namespace: database
-  timeZone: "America/Chicago"
-  schedule:
-    cron: "0 * * * *"
-    suspend: false
-  stagingStorage:
-    persistentVolumeClaim:
-      storageClassName: openebs-hostpath
-      resources:
-        requests:
-          storage: 6Gi
-      accessModes:
-        - ReadWriteOnce
-  podSecurityContext:
-    runAsUser: 568
-    runAsGroup: 568
-    fsGroup: 568
-    fsGroupChangePolicy: OnRootMismatch
-  databases:
-    - pterodactyl
-  storage:
-    s3:
-      endpoint: s3.hsn.dev
-      bucket: mariadb
-      prefix: pterodactyl/
-      accessKeyIdSecretKeyRef:
-        name: mariadb-secret
-        key: AWS_ACCESS_KEY_ID
-      secretAccessKeySecretKeyRef:
-        name: mariadb-secret
-        key: AWS_SECRET_ACCESS_KEY

kubernetes/apps/database/mariadb/cluster/externalsecret.yaml

@@ -1,27 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: &name mariadb
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword-connect
-  target:
-    name: mariadb-secret
-    template:
-      engineVersion: v2
-      data:
-        AWS_ACCESS_KEY_ID: "{{ .minio_mariadb_access_key }}"
-        AWS_SECRET_ACCESS_KEY: "{{ .minio_mariadb_secret_key }}"
-  dataFrom:
-    - extract:
-        key: minio
-      rewrite:
-        - regexp:
-            source: "[-]"
-            target: "_"
-        - regexp:
-            source: "(.*)"
-            target: "minio_$1"

kubernetes/apps/database/mariadb/cluster/gatus.yaml

@@ -1,21 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: mariadb-gatus-ep
-  labels:
-    gatus.io/enabled: "true"
-data:
-  config.yaml: |
-    endpoints:
-      - name: mariadb
-        group: infrastructure
-        url: tcp://mariadb.database.svc.cluster.local:3306
-        interval: 1m
-        ui:
-          hide-url: true
-          hide-hostname: true
-        conditions:
-          - "[CONNECTED] == true"
-        alerts:
-          - type: pushover

kubernetes/apps/database/mariadb/cluster/kustomization.yaml

@@ -1,9 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./backup.yaml
-  - ./externalsecret.yaml
-  - ./gatus.yaml
-  - ./mariadb.yaml

kubernetes/apps/database/mariadb/cluster/mariadb.yaml

@@ -1,32 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/mariadb_v1alpha1.json
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: MariaDB
-metadata:
-  name: &name mariadb
-spec:
-  # renovate: datasource=docker depName=docker.io/library/mariadb
-  image: docker.io/library/mariadb:11.6.2
-  replicas: 3
-  storage:
-    size: 5Gi
-    storageClassName: openebs-hostpath
-  # bootstrapFrom:
-  #   backupRef:
-  #     name: mariadb-backup
-  maxScale:
-    enabled: true
-    kubernetesService:
-      type: LoadBalancer
-    connection:
-      secretName: mxs-connection
-      port: 3306
-  galera:
-    enabled: true
-  podSecurityContext:
-    runAsUser: 568
-    runAsGroup: 568
-    fsGroup: 568
-    fsGroupChangePolicy: OnRootMismatch
-  service:
-    type: LoadBalancer

kubernetes/apps/database/mariadb/cluster/restore.yaml

@@ -1,17 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/k8s.mariadb.com/restore_v1alpha1.json
-apiVersion: k8s.mariadb.com/v1alpha1
-kind: Restore
-metadata:
-  name: restore
-spec:
-  mariaDbRef:
-    name: mariadb
-    namespace: database
-  backupRef:
-    name: mariadb-backup
-  podSecurityContext:
-    runAsUser: 568
-    runAsGroup: 568
-    fsGroup: 568
-    fsGroupChangePolicy: OnRootMismatch

kubernetes/apps/database/mariadb/crds/helmrelease.yaml

@@ -1,17 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: mariadb-operator-crds
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: mariadb-operator-crds
-      version: 0.36.0
-      sourceRef:
-        kind: HelmRepository
-        name: mariadb-operator
-        namespace: flux-system
-      interval: 5m

kubernetes/apps/database/mariadb/crds/kustomization.yaml

@@ -1,6 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - helmrelease.yaml

kubernetes/apps/database/mariadb/ks.yaml

@@ -1,64 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app mariadb-operator
-  namespace: flux-system
-spec:
-  targetNamespace: database
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: external-secrets-stores
-  path: ./kubernetes/apps/database/mariadb/operator
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: theshire
-  wait: true
-  interval: 30m
-  timeout: 5m
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app mariadb-operator-crds
-  namespace: flux-system
-spec:
-  targetNamespace: database
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/database/mariadb/crds
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: theshire
-  wait: true
-  interval: 30m
-  timeout: 5m
----
-# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app mariadb-cluster
-  namespace: flux-system
-spec:
-  targetNamespace: database
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: external-secrets-stores
-  path: ./kubernetes/apps/database/mariadb/cluster
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: theshire
-  wait: true
-  interval: 30m
-  timeout: 5m

kubernetes/apps/database/mariadb/operator/helmrelease.yaml

@@ -1,31 +0,0 @@
----
-# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: mariadb-operator
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: mariadb-operator
-      version: 0.36.0
-      sourceRef:
-        kind: HelmRepository
-        name: mariadb-operator
-        namespace: flux-system
-      interval: 5m
-  values:
-    logLevel: debug
-    image:
-      repository: ghcr.io/mariadb-operator/mariadb-operator
-      pullPolicy: IfNotPresent
-    metrics:
-      enabled: true
-      serviceMonitor:
-        enabled: true
-    webhook:
-      certificate:
-        certManager: true
-      serviceMonitor:
-        enabled: true

kubernetes/apps/database/mariadb/operator/kustomization.yaml

@@ -1,6 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - helmrelease.yaml

kubernetes/apps/default/atuin/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -32,7 +32,7 @@ spec:
           app:
             image:
               repository: ghcr.io/atuinsh/atuin
-              tag: 18.4.0@sha256:8c6fa0aea944bf2a39665c9c69df1c2c0f9c05207bda5b942d450142285e3ee1
+              tag: 18.3.0@sha256:678def8e9d59652a502759ca431f9c5b54ebdd5e9361507c7fcf24705c9862e0
             env:
               ATUIN_HOST: 0.0.0.0
               ATUIN_PORT: &port 80

kubernetes/apps/default/autobrr/app/externalsecret.yaml

@@ -2,30 +2,6 @@
 # yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
-metadata:
-  name: autobrr-db
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: crunchy-pgo-secrets
-  target:
-    name: autobrr-db-secret
-    template:
-      engineVersion: v2
-      data:
-        AUTOBRR__DATABASE_TYPE: postgres
-        AUTOBRR__POSTGRES_DATABASE: "{{ .dbname }}"
-        AUTOBRR__POSTGRES_HOST: "{{ index . \"pgbouncer-host\" }}"
-        AUTOBRR__POSTGRES_USER: "{{ .user }}"
-        AUTOBRR__POSTGRES_PASS: "{{ .password }}"
-        AUTOBRR__POSTGRES_PORT: "{{ .port }}"
-  dataFrom:
-    - extract:
-        key: postgres-pguser-autobrr
----
-# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
 metadata:
   name: autobrr
 spec:
@@ -37,6 +13,12 @@ spec:
     template:
       engineVersion: v2
       data:
+        AUTOBRR__DATABASE_TYPE: postgres
+        AUTOBRR__POSTGRES_DATABASE: autobrr
+        AUTOBRR__POSTGRES_HOST: "postgres-primary-real.database.svc"
+        AUTOBRR__POSTGRES_USER: "{{ .AUTOBRR_POSTGRES_USER }}"
+        AUTOBRR__POSTGRES_PASS: "{{ .AUTOBRR_POSTGRES_PASSWORD }}"
+        AUTOBRR__POSTGRES_PORT: "5432"
         AUTOBRR__SESSION_SECRET: "{{ .AUTOBRR_SESSION_SECRET }}"
   dataFrom:
     - extract:

kubernetes/apps/default/autobrr/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/autobrr/autobrr
-              tag: v1.57.0@sha256:fbc0fea58925c43357a2a43dad543dcda5b354a28a95a28e5d7289d34dc5edb9
+              tag: v1.48.0@sha256:0ae19e3beedf491396e450b024c23e9e24df4d692286c0442a81fa699493def0
             env:
               AUTOBRR__CHECK_FOR_UPDATES: "false"
               AUTOBRR__HOST: 0.0.0.0
@@ -40,8 +40,6 @@ spec:
             envFrom:
               - secretRef:
                   name: autobrr-secret
-              - secretRef:
-                  name: autobrr-db-secret
             probes:
               liveness: &probes
                 enabled: true
@@ -86,16 +84,3 @@ spec:
                 service:
                   identifier: app
                   port: http
-      tailscale:
-        enabled: true
-        className: tailscale
-        hosts:
-          - host: &host "{{ .Release.Name }}.meerkat-dab.ts.net"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host

kubernetes/apps/default/excalidraw/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -30,7 +30,7 @@ spec:
           app:
             image:
               repository: docker.io/excalidraw/excalidraw
-              tag: latest@sha256:56163a0c3eaeaf3444b3addf60d7cb6011a56bd17a7d0e1c24f11e62324a5d07
+              tag: latest@sha256:4d5423c1d80f353458307324b169500df334856eccc2e39fc6fa13808a64e1c2
               pullPolicy: IfNotPresent
             probes:
               liveness:

kubernetes/apps/default/home-assistant/app/helmrelease.yaml

@@ -36,7 +36,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/home-assistant
-              tag: 2024.11.3@sha256:f45f502b1738e46eb435fbc8947cdcc2574f3713b156c6738129ea2ea9b49018
+              tag: 2024.11.0@sha256:23a1ba70e7d5518527e6324d28ccb07f1cbf7c334dbb6326a0b413ef8fe5fafd
             env:
               TZ: America/Chicago
             envFrom:
@@ -54,7 +54,7 @@ spec:
           code-server:
             image:
               repository: ghcr.io/coder/code-server
-              tag: 4.95.3@sha256:6d74583d68179cbb6ddadc2518b450d2ac3eaec2d342474fe1941e03371cd2cf
+              tag: 4.93.1@sha256:c69e398d1b64589b3b77a7becfd03f4ec524982def20e6bffbb51b1b839e72ba
             args: [
               "--auth", "none",
               "--user-data-dir", "/config/.vscode",

kubernetes/apps/default/home-assistant/app/kustomization.yaml

@@ -3,6 +3,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./gatus.yaml
+  - ./externalsecret.yaml
   - ./helmrelease.yaml
+  - ../../../../templates/gatus/internal
   - ../../../../templates/volsync

kubernetes/apps/default/it-tools/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       interval: 30m
       sourceRef:
         kind: HelmRepository

kubernetes/apps/default/kustomization.yaml

@@ -9,19 +9,21 @@ resources:
   - ./atuin/ks.yaml
   - ./autobrr/ks.yaml
   - ./excalidraw/ks.yaml
+  - ./home-assistant/ks.yaml
   - ./it-tools/ks.yaml
   - ./linkwarden/ks.yaml
   - ./maintainerr/ks.yaml
   - ./morphos/ks.yaml
   - ./omegabrr/ks.yaml
   - ./overseerr/ks.yaml
+  - ./piped/ks.yaml
   - ./plex/ks.yaml
   - ./prowlarr/ks.yaml
-  # - ./pterodactyl/ks.yaml
   - ./radarr/ks.yaml
   - ./recyclarr/ks.yaml
   - ./redlib/ks.yaml
   - ./sabnzbd/ks.yaml
+  - ./scrypted/ks.yaml
   - ./searxng/ks.yaml
   - ./sonarr/ks.yaml
   - ./stirling-pdf/ks.yaml

kubernetes/apps/default/linkwarden/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/linkwarden/linkwarden
-              tag: v2.9.2@sha256:20a07b21d2cfc464cfa175f8f833803bd92839299baca5cd522c4d23734b8600
+              tag: v2.7.1@sha256:bbd22798ee726184d4571ea4f4d831d57475c86c4965c2bb1c3c2d3de88c728a
             env:
               TIMEZONE: "America/Chicago"
               NEXTAUTH_URL: "https://{{ .Release.Name }}.jahanson.tech/api/v1/auth"
@@ -59,19 +59,6 @@ spec:
         tls:
           - hosts:
               - *host
-      tailscale:
-        enabled: true
-        className: tailscale
-        hosts:
-          - host: &host "{{ .Release.Name }}.meerkat-dab.ts.net"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
     persistence:
       config:
         existingClaim: linkwarden

kubernetes/apps/default/maintainerr/app/helmrelease.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       interval: 30m
       sourceRef:
         kind: HelmRepository
@@ -32,7 +32,7 @@ spec:
           app:
             image:
               repository: ghcr.io/jorenn92/maintainerr
-              tag: 2.7.0@sha256:28c66be8b3992f88dd71b63446574836fdb64a6907bea316df8f74dddea34b9f
+              tag: 2.2.0@sha256:fbb2c0341b8af502e4488f3664e34992f24947708c7dac10dcbee592f99a946c
             env:
               TZ: America/Chicago
             resources:
@@ -68,19 +68,6 @@ spec:
         tls:
           - hosts:
               - *host
-      tailscale:
-        enabled: true
-        className: tailscale
-        hosts:
-          - host: &host "{{ .Release.Name }}.meerkat-dab.ts.net"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
 
     persistence:
       data:

kubernetes/apps/default/morphos/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s

kubernetes/apps/default/omegabrr/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/autobrr/omegabrr
-              tag: v1.16.0@sha256:fe529c331217e0624c505a1aa47d2a089314e8a284d38a621135b848eeef64ad
+              tag: v1.14.0@sha256:6f65c7967609746662815933ecc8168c8c25a3b82d909f49833fcce2b47ee052
             env:
               TZ: America/Chicago
             securityContext:

kubernetes/apps/default/overseerr/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s

kubernetes/apps/default/plex/app/helmrelease.yaml

@@ -38,7 +38,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/plex
-              tag: 1.41.2.9200-c6bbc1b53@sha256:47c6f3d85f4e739210860934a0bb24126170fa2f6a602fb909467f17a035c311
+              tag: 1.41.1.9057-af5eaea7a@sha256:5926b77196bb7c9f75b52f431d0483abea0fef1f576b7201592b385449201456
             env:
               TZ: America/Chicago
               PLEX_ADVERTISE_URL: https://plex.hsn.dev:443,http://10.1.1.39:32400
@@ -87,6 +87,8 @@ spec:
       app:
         controller: plex
         type: LoadBalancer
+        annotations:
+          io.cilium/lb-ipam-ips: 10.1.1.39
         ports:
           http:
             port: 32400

kubernetes/apps/default/plex/ks.yaml

@@ -2,6 +2,35 @@
 # yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+  name: &app plex
+  namespace: flux-system
+spec:
+  targetNamespace: default
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/default/plex/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: true
+  dependsOn:
+    - name: rook-ceph-cluster
+    - name: volsync
+    - name: external-secrets-stores
+  interval: 30m
+  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app
+      GATUS_PATH: /web/index.html
+      VOLSYNC_CAPACITY: 30Gi
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
   name: &app plex-trakt-sync
   namespace: flux-system
@@ -22,7 +51,34 @@ spec:
     - name: rook-ceph-cluster
     - name: volsync
     - name: external-secrets-stores
+    - name: plex
   postBuild:
     substitute:
       APP: *app
       VOLSYNC_CAPACITY: 1Gi
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app kometa-image-maid
+  namespace: flux-system
+spec:
+  targetNamespace: default
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  interval: 30m
+  timeout: 5m
+  path: "./kubernetes/apps/default/plex/kometa-image-maid"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: false
+  dependsOn:
+    - name: external-secrets-stores
+    - name: plex
+  postBuild:
+    substitute:
+      APP: *app

kubernetes/apps/default/plex/trakt-sync/helmrelease.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       interval: 30m
       sourceRef:
         kind: HelmRepository
@@ -33,12 +33,12 @@ spec:
           app:
             image:
               repository: ghcr.io/taxel/plextraktsync
-              tag: 0.32.7
+              tag: 0.32.0
             args:
               - sync
             env:
-              PLEX_BASEURL: http://10.1.1.61:32400
-              PLEX_LOCALURL: http://10.1.1.61:32400
+              PLEX_BASEURL: http://plex.default.svc.cluster.local:32400
+              PLEX_LOCALURL: http://plex.default.svc.cluster.local:32400
               PLEX_USERNAME: veriwind
               TRAKT_USERNAME: jahanson
             probes:

kubernetes/apps/default/prowlarr/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/prowlarr-develop
-              tag: 1.29.2.4915@sha256:b258cc8fe38a25af3742964a2d5a749c645562b3433ef79aa5e1748070ca99d3
+              tag: 1.26.0.4833@sha256:face4aa669a4eb68b041dcf73ed4848cfe8f673826ef3032398a5e267eb1eac0
             env:
               # Ref: https://github.com/Radarr/Radarr/issues/7030#issuecomment-1039689518
               # Ref: https://github.com/dotnet/runtime/issues/9336
@@ -98,19 +98,6 @@ spec:
         tls:
           - hosts:
               - *host
-      tailscale:
-        enabled: true
-        className: tailscale
-        hosts:
-          - host: &host "{{ .Release.Name }}.meerkat-dab.ts.net"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
     persistence:
       config:
         enabled: true

kubernetes/apps/default/radarr/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -31,7 +31,7 @@ spec:
           app:
             image:
               repository: ghcr.io/onedr0p/radarr-develop
-              tag: 5.17.2.9580
+              tag: 5.15.0.9412
             env:
               RADARR__APP__INSTANCENAME: Radarr
               RADARR__APP__THEME: dark
@@ -64,6 +64,11 @@ spec:
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 16Gi
         pod:
           securityContext:
             runAsUser: 568
@@ -92,19 +97,6 @@ spec:
         tls:
           - hosts:
               - *host
-      tailscale:
-        enabled: true
-        className: tailscale
-        hosts:
-          - host: &host "{{ .Release.Name }}.meerkat-dab.ts.net"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
     persistence:
       config:
         enabled: true
@@ -113,7 +105,7 @@ spec:
         type: emptyDir
       media:
         type: nfs
-        server: 10.1.1.61
+        server: 10.1.1.13
         path: /eru/media
         globalMounts:
           - path: /data/nas-media

kubernetes/apps/default/recyclarr/app/helmrelease.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: app-template
-      version: 3.6.0
+      version: 3.5.1
       sourceRef:
         kind: HelmRepository
         name: bjw-s
@@ -34,7 +34,7 @@ spec:
           app:
             image:
               repository: ghcr.io/recyclarr/recyclarr
-              tag: 7.4.0@sha256:619c3b8920a179f2c578acd0f54e9a068f57c049aff840469eed66e93a4be2cf
+              tag: 7.3.0@sha256:2aaa0205a93171b93a159e4665004ccee1a5aacd60359fb8d7683db0ae7e774b
             env:
               # Ref: https://github.com/Radarr/Radarr/issues/7030#issuecomment-1039689518
               # Ref: https://github.com/dotnet/runtime/issues/9336