migrate

clusters/cl01tl/helm/authentik/Chart.lock

@@ -0,0 +1,12 @@
+dependencies:
+- name: authentik
+  repository: https://charts.goauthentik.io/
+  version: 2025.10.2
+- name: cloudflared
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 1.23.0
+- name: postgres-cluster
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 6.16.0
+digest: sha256:ad51c94c1125890ef60d179205d14c55eb9fdbc2702e3455e233042a48d00146
+generated: "2025-12-01T20:25:07.016724-06:00"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -0,0 +1,35 @@
+apiVersion: v2
+name: authentik
+version: 1.0.0
+description: Authentik
+keywords:
+  - authentik
+  - sso
+  - oidc
+  - ldap
+  - idp
+  - authentication
+home: https://wiki.alexlebens.dev/s/45ca5171-581f-41d2-b6fb-2b0915029a2d
+sources:
+  - https://github.com/goauthentik/authentik
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/goauthentik/helm
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: authentik
+    version: 2025.10.2
+    repository: https://charts.goauthentik.io/
+  - name: cloudflared
+    alias: cloudflared
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 1.23.0
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 6.16.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
+appVersion: 2025.4.1

clusters/cl01tl/helm/authentik/templates/external-secret.yaml

@@ -0,0 +1,111 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: authentik-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/authentik/key
+        metadataPolicy: None
+        property: key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: authentik-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/authentik
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: authentik-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: authentik-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/helm/authentik/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-authentik
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - authentik.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: authentik-server
+          port: 80
+          weight: 100

clusters/cl01tl/helm/authentik/templates/ingress.yaml

@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authentik-tailscale
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-tailscale
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    tailscale.com/proxy-class: no-metrics
+  annotations:
+    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
+spec:
+  ingressClassName: tailscale
+  tls:
+    - hosts:
+        - auth-cl01tl
+      secretName: auth-cl01tl
+  rules:
+    - host: auth-cl01tl
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: authentik-server
+                port:
+                  number: 80

clusters/cl01tl/helm/authentik/templates/redis-replication.yaml

@@ -0,0 +1,32 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: redis-replication-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-authentik
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  clusterSize: 3
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v8.0.3
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+  storage:
+    volumeClaimTemplate:
+      spec:
+        storageClassName: ceph-block
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  redisExporter:
+    enabled: true
+    image: quay.io/opstree/redis-exporter:v1.48.0

clusters/cl01tl/helm/authentik/templates/service-monitor.yaml

@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: redis-replication-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-authentik
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    redis-operator: "true"
+    env: production
+spec:
+  selector:
+    matchLabels:
+      redis_setup_type: replication
+  endpoints:
+    - port: redis-exporter
+      interval: 30s
+      scrapeTimeout: 10s

clusters/cl01tl/helm/authentik/values.yaml

@@ -0,0 +1,108 @@
+authentik:
+  global:
+    env:
+      - name: AUTHENTIK_SECRET_KEY
+        valueFrom:
+          secretKeyRef:
+            name: authentik-key-secret
+            key: key
+      - name: AUTHENTIK_POSTGRESQL__HOST
+        valueFrom:
+          secretKeyRef:
+            name: authentik-postgresql-17-cluster-app
+            key: host
+      - name: AUTHENTIK_POSTGRESQL__NAME
+        valueFrom:
+          secretKeyRef:
+            name: authentik-postgresql-17-cluster-app
+            key: dbname
+      - name: AUTHENTIK_POSTGRESQL__USER
+        valueFrom:
+          secretKeyRef:
+            name: authentik-postgresql-17-cluster-app
+            key: user
+      - name: AUTHENTIK_POSTGRESQL__PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: authentik-postgresql-17-cluster-app
+            key: password
+  authentik:
+    redis:
+      host: redis-replication-authentik-master
+  server:
+    name: server
+    replicas: 1
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+    ingress:
+      enabled: false
+  worker:
+    name: worker
+    replicas: 1
+  prometheus:
+    rules:
+      enabled: true
+  postgresql:
+    enabled: false
+  redis:
+    enabled: false
+cloudflared:
+  existingSecretName: authentik-cloudflared-secret
+postgres-17-cluster:
+  mode: recovery
+  cluster:
+    storage:
+      storageClass: local-path
+    walStorage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+      prometheusRule:
+        enabled: true
+  recovery:
+    method: objectStore
+    objectStore:
+      destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
+      endpointURL: http://garage-main.garage:3900
+      index: 1
+      endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
+  backup:
+    objectStore:
+      - name: external
+        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
+        index: 1
+        retentionPolicy: "30d"
+        isWALArchiver: false
+      - name: garage-local
+        destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
+        index: 1
+        endpointURL: http://garage-main.garage:3900
+        endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
+        endpointCredentialsIncludeRegion: true
+        retentionPolicy: "3d"
+        isWALArchiver: true
+      # - name: garage-remote
+      #   destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
+      #   index: 1
+      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
+      #   retentionPolicy: "30d"
+      #   data:
+      #     compression: bzip2
+      #     jobs: 2
+    scheduledBackups:
+      - name: daily-backup
+        suspend: false
+        schedule: "0 0 0 * * *"
+        backupName: external
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 0 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: false
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote

clusters/cl01tl/helm/backrest/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+digest: sha256:aa797b99d6d8b7aafe142811938408b7f234df6d429a7e076196337cc63876cb
+generated: "2025-12-01T20:25:09.888407-06:00"

clusters/cl01tl/helm/backrest/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: backrest
+version: 1.0.0
+description: backrest
+keywords:
+  - backrest
+  - backup
+home: https://wiki.alexlebens.dev/
+sources:
+  - https://github.com/garethgeorge/backrest
+  - https://hub.docker.com/r/garethgeorge/backrest
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: backrest
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
+appVersion: v1.10.1

clusters/cl01tl/helm/backrest/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-backrest
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-backrest
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - backrest.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: backrest
+          port: 80
+          weight: 100

clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: backrest-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: backrest-nfs-storage
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: backrest-nfs-share
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeName: backrest-nfs-share
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: backrest-nfs-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Storage
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac
+
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: backrest-nfs-share
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: nfs-client
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    path: /volume2/Share
+    server: synologybond.alexlebens.net
+  mountOptions:
+    - vers=4
+    - minorversion=1
+    - noac

clusters/cl01tl/helm/backrest/templates/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: garage-ps10rp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: garage-ps10rp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
+spec:
+  externalName: placeholder
+  type: ExternalName

clusters/cl01tl/helm/backrest/values.yaml

@@ -0,0 +1,84 @@
+backrest:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      containers:
+        main:
+          image:
+            repository: garethgeorge/backrest
+            tag: v1.10.1
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: America/Chicago
+            - name: BACKREST_DATA
+              value: /data
+            - name: BACKREST_CONFIG
+              value: /config/config.json
+            - name: XDG_CACHE_HOME
+              value: /cache
+            - name: TMPDIR
+              value: /tmp
+          resources:
+            requests:
+              cpu: 10m
+              memory: 256Mi
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 9898
+          protocol: TCP
+  persistence:
+    data:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 1Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /config
+              readOnly: false
+    cache:
+      type: emptyDir
+      advancedMounts:
+        main:
+          main:
+            - path: /cache
+              readOnly: false
+    tmp:
+      type: emptyDir
+      advancedMounts:
+        main:
+          main:
+            - path: /tmp
+              readOnly: false
+    storage:
+      existingClaim: backrest-nfs-storage
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/storage
+              readOnly: true
+    share:
+      existingClaim: backrest-nfs-share
+      advancedMounts:
+        main:
+          main:
+            - path: /mnt/share
+              readOnly: true

clusters/cl01tl/helm/blocky/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+digest: sha256:0009729bcf7f1941401b767fd4ae952b7a8d44f80053090b4a9224de912a14ef
+generated: "2025-12-01T20:25:13.511406-06:00"

clusters/cl01tl/helm/blocky/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: blocky
+version: 1.0.0
+description: Blocky
+keywords:
+  - blocky
+  - dns
+home: https://wiki.alexlebens.dev/s/cf70113d-20bc-48ad-afb8-1e22ed3fd62a
+sources:
+  - https://github.com/0xERR0R/blocky
+  - https://hub.docker.com/r/spx01/blocky
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: blocky
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
+appVersion: v0.25

clusters/cl01tl/helm/blocky/templates/redis-replication.yaml

@@ -0,0 +1,32 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: redis-replication-blocky
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-blocky
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  clusterSize: 3
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v8.0.3
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+  storage:
+    volumeClaimTemplate:
+      spec:
+        storageClassName: ceph-block
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  redisExporter:
+    enabled: true
+    image: quay.io/opstree/redis-exporter:v1.48.0

clusters/cl01tl/helm/blocky/templates/service-monitor.yaml

@@ -0,0 +1,40 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: blocky
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: blocky
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: blocky
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+    - port: metrics
+      interval: 30s
+      scrapeTimeout: 10s
+      path: /metrics
+
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: redis-replication-blocky
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-blocky
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    redis-operator: "true"
+    env: production
+spec:
+  selector:
+    matchLabels:
+      redis_setup_type: replication
+  endpoints:
+    - port: redis-exporter
+      interval: 30s
+      scrapeTimeout: 10s

clusters/cl01tl/helm/blocky/values.yaml

@@ -0,0 +1,303 @@
+blocky:
+  controllers:
+    main:
+      type: deployment
+      replicas: 3
+      strategy: RollingUpdate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/0xerr0r/blocky
+            tag: v0.28.2@sha256:5f84a54e4ee950c4ab21db905b7497476ece2f4e1a376d23ab8c4855cabddcba
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  configMaps:
+    config:
+      enabled: true
+      data:
+        config.yml: |
+          upstreams:
+            init:
+              strategy: fast
+            groups:
+              default:
+                - tcp-tls:1.1.1.1:853
+                - tcp-tls:1.0.0.1:853
+            strategy: parallel_best
+            timeout: 2s
+
+          connectIPVersion: v4
+
+          customDNS:
+            filterUnmappedTypes: false
+            zone: |
+              $ORIGIN alexlebens.net.
+              $TTL 86400
+
+              ;; Name Server
+                                              IN      NS      patryk.ns.cloudflare.com.
+                                              IN      NS      veda.ns.cloudflare.com.
+                                              IN      NS      dns1.
+                                              IN      NS      dns2.
+                                              IN      NS      dns3.
+
+              dns1                            IN      A       10.232.1.22
+              dns2                            IN      A       10.232.1.51
+              dns3                            IN      A       10.232.1.52
+
+
+              ;; Computer Names
+              nw01un                          IN      A       192.168.1.1   ; Unifi Gateway
+
+              ps08rp                          IN      A       10.232.1.51   ; DNS
+              ps09rp                          IN      A       10.232.1.52   ; DNS
+              ps02sn                          IN      A       10.232.1.61   ; Synology Web
+              ps02sn-bond                     IN      A       10.232.1.64   ; Synology Bond for Storage
+
+              pd05wd                          IN      A       10.230.0.115  ; Desktop
+              pl02mc                          IN      A       10.230.0.105  ; Laptop
+
+              dv01hr                          IN      A       10.232.1.72   ; HD Homerun
+              dv02kv                          IN      A       10.232.1.71   ; Pi KVM
+
+              it01ag                          IN      A       10.232.1.83   ; Airgradient
+              it02ph                          IN      A       10.232.1.85   ; Phillips Hue
+              it03tb                          IN      A       10.232.1.81   ; TubesZB ZigBee
+              it04tb                          IN      A       10.232.1.82   ; TubesZB Z-Wave
+              it05sp                          IN      A       10.230.0.100  ; Shelly Plug
+
+
+              ;; Common Names
+              synology                        IN      CNAME   ps02sn
+              synologybond                    IN      CNAME   ps02sn-bond
+              unifi                           IN      CNAME   nw01un
+              airgradient                     IN      CNAME   it01ag
+              hdhr                            IN      CNAME   dv01hr
+              pikvm                           IN      CNAME   dv02kv
+
+
+              ;; Service Names
+              cl01tl                          IN      A       10.232.1.11
+              cl01tl                          IN      A       10.232.1.12
+              cl01tl                          IN      A       10.232.1.13
+
+              cl01tl-api                      IN      A       10.232.1.11
+              cl01tl-api                      IN      A       10.232.1.12
+              cl01tl-api                      IN      A       10.232.1.13
+
+              cl01tl-endpoint                 IN      A       10.232.1.21
+              cl01tl-endpoint                 IN      A       10.232.1.22
+              cl01tl-endpoint                 IN      A       10.232.1.23
+
+              cl01tl-gateway                  IN      A       10.232.1.200
+
+              traefik-cl01tl                  IN      A       10.232.1.21
+              blocky                          IN      A       10.232.1.22
+              plex-lb                         IN      A       10.232.1.23
+
+              ;; Application Names
+              actual                          IN      CNAME   traefik-cl01tl
+              alertmanager                    IN      CNAME   traefik-cl01tl
+              argo-workflows                  IN      CNAME   traefik-cl01tl
+              argocd                          IN      CNAME   traefik-cl01tl
+              audiobookshelf                  IN      CNAME   traefik-cl01tl
+              authentik                       IN      CNAME   traefik-cl01tl
+              backrest                        IN      CNAME   traefik-cl01tl
+              bazarr                          IN      CNAME   traefik-cl01tl
+              booklore                        IN      CNAME   traefik-cl01tl
+              ceph                            IN      CNAME   traefik-cl01tl
+              code-server                     IN      CNAME   traefik-cl01tl
+              ephemera                        IN      CNAME   traefik-cl01tl
+              garage-s3                       IN      CNAME   traefik-cl01tl
+              garage-webui                    IN      CNAME   traefik-cl01tl
+              gatus                           IN      CNAME   traefik-cl01tl
+              gitea                           IN      CNAME   traefik-cl01tl
+              grafana                         IN      CNAME   traefik-cl01tl
+              harbor                          IN      CNAME   traefik-cl01tl
+              headlamp                        IN      CNAME   traefik-cl01tl
+              home                            IN      CNAME   traefik-cl01tl
+              home-assistant                  IN      CNAME   traefik-cl01tl
+              home-assistant-code-server      IN      CNAME   traefik-cl01tl
+              hubble                          IN      CNAME   cl01tl-gateway
+              huntarr                         IN      CNAME   traefik-cl01tl
+              immich                          IN      CNAME   traefik-cl01tl
+              jellyfin                        IN      CNAME   traefik-cl01tl
+              jellystat                       IN      CNAME   traefik-cl01tl
+              kiwix                           IN      CNAME   traefik-cl01tl
+              komodo                          IN      CNAME   traefik-cl01tl
+              kronic                          IN      CNAME   traefik-cl01tl
+              lidarr                          IN      CNAME   traefik-cl01tl
+              lidatube                        IN      CNAME   traefik-cl01tl
+              listenarr                       IN      CNAME   traefik-cl01tl
+              mail                            IN      CNAME   traefik-cl01tl
+              n8n                             IN      CNAME   traefik-cl01tl
+              ntfy                            IN      CNAME   traefik-cl01tl
+              objects                         IN      CNAME   traefik-cl01tl
+              ollama                          IN      CNAME   traefik-cl01tl
+              omni-tools                      IN      CNAME   traefik-cl01tl
+              overseerr                       IN      CNAME   traefik-cl01tl
+              pgadmin                         IN      CNAME   traefik-cl01tl
+              photoview                       IN      CNAME   traefik-cl01tl
+              plex                            IN      CNAME   traefik-cl01tl
+              postiz                          IN      CNAME   traefik-cl01tl
+              prometheus                      IN      CNAME   traefik-cl01tl
+              prowlarr                        IN      CNAME   traefik-cl01tl
+              qbittorrent                     IN      CNAME   traefik-cl01tl
+              qui                             IN      CNAME   traefik-cl01tl
+              radarr                          IN      CNAME   traefik-cl01tl
+              radarr-4k                       IN      CNAME   traefik-cl01tl
+              radarr-anime                    IN      CNAME   traefik-cl01tl
+              radarr-standup                  IN      CNAME   traefik-cl01tl
+              searxng                         IN      CNAME   traefik-cl01tl
+              slskd                           IN      CNAME   traefik-cl01tl
+              sonarr                          IN      CNAME   traefik-cl01tl
+              sonarr-4k                       IN      CNAME   traefik-cl01tl
+              sonarr-anime                    IN      CNAME   traefik-cl01tl
+              stalwart                        IN      CNAME   traefik-cl01tl
+              tautulli                        IN      CNAME   traefik-cl01tl
+              tdarr                           IN      CNAME   traefik-cl01tl
+              tubearchivist                   IN      CNAME   traefik-cl01tl
+              vault                           IN      CNAME   traefik-cl01tl
+              whodb                           IN      CNAME   traefik-cl01tl
+              yamtrack                        IN      CNAME   traefik-cl01tl
+
+          blocking:
+            denylists:
+              sus:
+                - https://v.firebog.net/hosts/static/w3kbl.txt
+              ads:
+                - https://v.firebog.net/hosts/AdguardDNS.txt
+                - https://v.firebog.net/hosts/Admiral.txt
+                - https://v.firebog.net/hosts/Easylist.txt
+                - https://adaway.org/hosts.txt
+              priv:
+                - https://v.firebog.net/hosts/Easyprivacy.txt
+                - https://v.firebog.net/hosts/Prigent-Ads.txt
+              mal:
+                - https://v.firebog.net/hosts/Prigent-Crypto.txt
+                - https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
+              pro:
+                - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.plus.txt
+            allowlists:
+              sus:
+                - |
+                  *.alexlebens.net
+                  *.alexlebens.dev
+                  *.boreal-beaufort.ts.net
+              ads:
+                - |
+                  *.alexlebens.net
+                  *.alexlebens.dev
+                  *.boreal-beaufort.ts.net
+              priv:
+                - |
+                  *.alexlebens.net
+                  *.alexlebens.dev
+                  *.boreal-beaufort.ts.net
+              mal:
+                - |
+                  *.alexlebens.net
+                  *.alexlebens.dev
+                  *.boreal-beaufort.ts.net
+              pro:
+                - |
+                  *.alexlebens.net
+                  *.alexlebens.dev
+                  *.boreal-beaufort.ts.net
+            clientGroupsBlock:
+              default:
+                - sus
+                - ads
+                - priv
+                - mal
+                - pro
+            blockType: zeroIp
+            blockTTL: 1m
+            loading:
+              refreshPeriod: 24h
+              downloads:
+                timeout: 60s
+                attempts: 5
+                cooldown: 10s
+              concurrency: 16
+              strategy: fast
+              maxErrorsPerSource: 5
+
+          caching:
+            minTime: 5m
+            maxTime: 30m
+            maxItemsCount: 0
+            prefetching: true
+            prefetchExpires: 2h
+            prefetchThreshold: 5
+            prefetchMaxItemsCount: 0
+            cacheTimeNegative: 30m
+
+          redis:
+            address: redis-replication-blocky-master.blocky:6379
+            required: true
+
+          prometheus:
+            enable: true
+            path: /metrics
+
+          queryLog:
+            type: console
+            logRetentionDays: 7
+            creationAttempts: 1
+            creationCooldown: 2s
+            flushInterval: 30s
+
+          minTlsServeVersion: 1.3
+
+          ports:
+            dns: 53
+            http: 4000
+
+          log:
+            level: info
+            format: text
+            timestamp: true
+            privacy: false
+
+  service:
+    dns-external:
+      controller: main
+      type: LoadBalancer
+      annotations:
+        tailscale.com/expose: "true"
+      ports:
+        tcp:
+          port: 53
+          targetPort: 53
+          protocol: TCP
+        udp:
+          port: 53
+          targetPort: 53
+          protocol: UDP
+    metrics:
+      controller: main
+      ports:
+        metrics:
+          port: 4000
+          targetPort: 4000
+          protocol: TCP
+  persistence:
+    config:
+      enabled: true
+      type: configMap
+      name: blocky
+      advancedMounts:
+        main:
+          main:
+            - path: /app/config.yml
+              readOnly: true
+              mountPropagation: None
+              subPath: config.yml

clusters/cl01tl/helm/cert-manager/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.19.1
+digest: sha256:0b1238a5552bc6d457d4b1a2a1f387a3e7f2c19f820ecb64e14d20481a1ed1ce
+generated: "2025-12-01T20:25:17.762628-06:00"

clusters/cl01tl/helm/cert-manager/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: cert-manager
+version: 1.0.0
+description: Cert Manager
+keywords:
+  - cert-manager
+  - certificates
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/368fe718-eedb-40e0-a5a7-fad03cdc6b09
+sources:
+  - https://github.com/cert-manager/cert-manager
+  - https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: cert-manager
+    version: v1.19.1
+    repository: https://charts.jetstack.io
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
+appVersion: v1.17.2

clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml

@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-issuer
+spec:
+  acme:
+    email: alexanderlebens@gmail.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-issuer-account-key
+    solvers:
+      - selector:
+          dnsZones:
+            - "alexlebens.net"
+            - "*.alexlebens.net"
+        dns01:
+          cloudflare:
+            email: alexanderlebens@gmail.com
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token

clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: cloudflare-api-token
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: api-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/alexlebens.net/clusterissuer
+        metadataPolicy: None
+        property: token

clusters/cl01tl/helm/cert-manager/values.yaml

@@ -0,0 +1,15 @@
+cert-manager:
+  crds:
+    enabled: true
+    keep: true
+  replicaCount: 2
+  extraArgs:
+    - --enable-gateway-api
+  prometheus:
+    enabled: true
+    servicemonitor:
+      enabled: true
+      honorLabels: true
+  cainjector:
+    enabled: true
+    replicaCount: 2

clusters/cl01tl/helm/cloudnative-pg/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: cloudnative-pg
+  repository: https://cloudnative-pg.io/charts/
+  version: 0.26.1
+- name: plugin-barman-cloud
+  repository: https://cloudnative-pg.io/charts/
+  version: 0.3.1
+digest: sha256:b38e5104d77ab1737a27a2542eda958e82038443940f07b7c2cbe3b0a477e1e6
+generated: "2025-12-01T20:25:20.341325-06:00"

clusters/cl01tl/helm/cloudnative-pg/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: cloudnative-pg
+version: 1.0.0
+description: Cloudnative PG
+keywords:
+  - cloudnative-pg
+  - operator
+  - postgresql
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/9fb10833-0278-4e64-a34c-d348d833839f
+sources:
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
+  - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: cloudnative-pg
+    version: 0.26.1
+    repository: https://cloudnative-pg.io/charts/
+  - name: plugin-barman-cloud
+    version: 0.3.1
+    repository: https://cloudnative-pg.io/charts/
+icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
+appVersion: 1.26.0

clusters/cl01tl/helm/cloudnative-pg/values.yaml

@@ -0,0 +1,16 @@
+cloudnative-pg:
+  replicaCount: 2
+  monitoring:
+    podMonitorEnabled: true
+plugin-barman-cloud:
+  replicaCount: 1
+  image:
+    registry: ghcr.io
+    repository: cloudnative-pg/plugin-barman-cloud
+    tag: v0.9.0
+  sidecarImage:
+    registry: ghcr.io
+    repository: cloudnative-pg/plugin-barman-cloud-sidecar
+    tag: v0.9.0
+  crds:
+    create: true

clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: democratic-csi
+  repository: https://democratic-csi.github.io/charts/
+  version: 0.15.0
+digest: sha256:6fe3d8ad7b990b07ed80a31c75a0a49db8da497c46a956c632615a2093d29d58
+generated: "2025-12-01T20:25:24.972076-06:00"

clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: democratic-csi-synology-iscsi
+version: 1.0.0
+description: Democratic CSI
+keywords:
+  - democratic-csi-synology-iscsi
+  - iscsi
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/0cc6ba65-024b-4489-952a-fc0f647fd099
+sources:
+  - https://github.com/democratic-csi/democratic-csi
+  - https://github.com/democratic-csi/charts/tree/master/stable/democratic-csi
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: democratic-csi
+    repository: https://democratic-csi.github.io/charts/
+    version: 0.15.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
+appVersion: v1.9.4

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: synology-iscsi-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: synology-iscsi-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: driver-config-file.yaml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/democratic-csi-synology-iscsi/config
+        metadataPolicy: None
+        property: driver-config-file.yaml

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: democratic-csi-synology-iscsi
+  labels:
+    app.kubernetes.io/name: democratic-csi-synology-iscsi
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml

@@ -0,0 +1,37 @@
+democratic-csi:
+  driver:
+    existingConfigSecret: synology-iscsi-config-secret
+    config:
+      driver: synology-iscsi
+  csiDriver:
+    name: "org.democratic-csi.iscsi-synology"
+  controller:
+    enabled: true
+    rbac:
+      enabled: true
+    replicaCount: 2
+  storageClasses:
+    - name: synology-iscsi-delete
+      defaultClass: false
+      reclaimPolicy: Delete
+      volumeBindingMode: Immediate
+      allowVolumeExpansion: true
+      parameters:
+        fsType: ext4
+    - name: synology-iscsi-retain
+      defaultClass: false
+      reclaimPolicy: Retain
+      volumeBindingMode: Immediate
+      allowVolumeExpansion: true
+      parameters:
+        fsType: ext4
+  node:
+    hostPID: true
+    driver:
+      extraEnv:
+        - name: ISCSIADM_HOST_STRATEGY
+          value: nsenter
+        - name: ISCSIADM_HOST_PATH
+          value: /usr/local/sbin/iscsiadm
+      iscsiDirHostPath: /var/iscsi
+      iscsiDirHostPathType: ""

clusters/cl01tl/helm/descheduler/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: descheduler
+  repository: https://kubernetes-sigs.github.io/descheduler/
+  version: 0.34.0
+digest: sha256:1020c1fc8c179744f308e9b79f010dcaf59a05019f7d007157974be97063e12b
+generated: "2025-12-01T20:25:26.970808-06:00"

clusters/cl01tl/helm/descheduler/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: descheduler
+version: 1.0.0
+description: Descheduler
+keywords:
+  - descheduler
+  - kube-scheduler
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/0c38b7e4-4573-487c-82b0-4eeeb00e1276
+sources:
+  - https://github.com/kubernetes-sigs/descheduler
+  - https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: descheduler
+    version: 0.34.0
+    repository: https://kubernetes-sigs.github.io/descheduler/
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
+appVersion: 0.33.0

clusters/cl01tl/helm/descheduler/values.yaml

@@ -0,0 +1,70 @@
+descheduler:
+  kind: Deployment
+  resources:
+    requests:
+      cpu: 10m
+      memory: 64Mi
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 1000
+  deschedulingInterval: 5m
+  replicas: 1
+  leaderElection:
+    enabled: false
+  command:
+  - "/bin/descheduler"
+  cmdOptions:
+    v: 3
+  deschedulerPolicyAPIVersion: "descheduler/v1alpha2"
+  deschedulerPolicy:
+    profiles:
+      - name: default
+        pluginConfig:
+          - name: DefaultEvictor
+            args:
+              ignorePvcPods: true
+              evictLocalStoragePods: false
+              evictDaemonSetPods: false
+          - name: RemoveDuplicates
+          - name: RemovePodsViolatingNodeAffinity
+            args:
+              nodeAffinityType:
+              - requiredDuringSchedulingIgnoredDuringExecution
+          - name: RemovePodsViolatingNodeTaints
+          - name: RemovePodsViolatingInterPodAntiAffinity
+          - name: RemovePodsViolatingTopologySpreadConstraint
+          - name: LowNodeUtilization
+            args:
+              thresholds:
+                cpu: 20
+                memory: 20
+                pods: 20
+              targetThresholds:
+                cpu: 60
+                memory: 60
+                pods: 60
+        plugins:
+          balance:
+            enabled:
+              - RemoveDuplicates
+              - RemovePodsViolatingTopologySpreadConstraint
+              - LowNodeUtilization
+          deschedule:
+            enabled:
+              - RemovePodsViolatingNodeTaints
+              - RemovePodsViolatingNodeAffinity
+              - RemovePodsViolatingInterPodAntiAffinity
+  rbac:
+    create: true
+  serviceAccount:
+    create: true
+  service:
+    enabled: true
+  serviceMonitor:
+    enabled: true

clusters/cl01tl/helm/elastic-operator/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: eck-operator
+  repository: https://helm.elastic.co
+  version: 3.2.0
+digest: sha256:b27ba092ddfa078f763e409dd5db1144a269eff0f45af04f180d844f13466a34
+generated: "2025-12-01T20:25:30.722424-06:00"

clusters/cl01tl/helm/elastic-operator/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: elastic-operator
+version: 1.0.0
+description: Elastic Cloud on Kubernetes
+keywords:
+  - elastic-operator
+  - operator
+  - elastic-search
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/
+sources:
+  - https://github.com/elastic/cloud-on-k8s
+  - https://github.com/elastic/cloud-on-k8s/tree/main/deploy/eck-operator
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: eck-operator
+    version: 3.2.0
+    repository: https://helm.elastic.co
+icon: https://helm.elastic.co/icons/eck.png
+appVersion: 1.26.0

clusters/cl01tl/helm/elastic-operator/values.yaml

@@ -0,0 +1,14 @@
+eck-operator:
+  managedNamespaces:
+    - tubearchivist
+    - stalwart
+  installCRDs: true
+  replicaCount: 2
+  telemetry:
+    disabled: true
+  config:
+    logVerbosity: "0"
+    metrics:
+      port: "9000"
+  podMonitor:
+    enabled: true

clusters/cl01tl/helm/eraser/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: eraser
+  repository: https://eraser-dev.github.io/eraser/charts
+  version: 1.3.1
+digest: sha256:17b561a00acc809810dccd226e7b6d757db39b34a6095dee879da761098125f9
+generated: "2025-12-01T20:25:36.491841-06:00"

clusters/cl01tl/helm/eraser/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: eraser
+version: 1.0.0
+description: Eraser
+keywords:
+  - eraser
+  - images
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/bb53ffae-0eda-4ed6-9fdd-894e672b4377
+sources:
+  - https://github.com/eraser-dev/eraser
+  - https://github.com/eraser-dev/eraser/tree/main/charts/eraser
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: eraser
+    version: v1.3.1
+    repository: https://eraser-dev.github.io/eraser/charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
+appVersion: v1.3.1

clusters/cl01tl/helm/eraser/values.yaml

@@ -0,0 +1,70 @@
+eraser:
+  runtimeConfig:
+    apiVersion: eraser.sh/v1alpha3
+    kind: EraserConfig
+    manager:
+      runtime:
+        name: containerd
+        address: unix:///run/containerd/containerd.sock
+      logLevel: info
+      scheduling:
+        repeatInterval: 24h
+        beginImmediately: true
+      profile:
+        enabled: false
+        port: 6060
+      imageJob:
+        successRatio: 1.0
+        cleanup:
+          delayOnSuccess: 0s
+          delayOnFailure: 24h
+      nodeFilter:
+        type: exclude
+        selectors:
+          - eraser.sh/cleanup.filter
+          - kubernetes.io/os=windows
+    components:
+      collector:
+        enabled: true
+        request:
+          cpu: 10m
+          memory: 128Mi
+      scanner:
+        enabled: false
+        request:
+          cpu: 100m
+          memory: 128Mi
+        config: "" # |
+          # cacheDir: /var/lib/trivy
+          # dbRepo: ghcr.io/aquasecurity/trivy-db
+          # deleteFailedImages: true
+          # deleteEOLImages: true
+          # vulnerabilities:
+          #   ignoreUnfixed: true
+          #   types:
+          #     - os
+          #     - library
+          #   securityChecks:
+          #     - vuln
+          #   severities:
+          #     - CRITICAL
+          #     - HIGH
+          #     - MEDIUM
+          #     - LOW
+          #   ignoredStatuses:
+          # timeout:
+          #   total: 23h
+          #   perImage: 1h
+      remover:
+        request:
+          cpu: 10m
+          memory: 128Mi
+  deploy:
+    securityContext:
+      allowPrivilegeEscalation: false
+    resources:
+      requests:
+        cpu: 10m
+        memory: 30Mi
+    nodeSelector:
+      kubernetes.io/os: linux

clusters/cl01tl/helm/external-dns/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: external-dns
+  repository: https://kubernetes-sigs.github.io/external-dns/
+  version: 1.19.0
+digest: sha256:2216b442cc820ebe561d611fbcca3955d5c94e227a0b3288e5db9f8da7d6ac00
+generated: "2025-12-01T20:25:38.288305-06:00"

clusters/cl01tl/helm/external-dns/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+name: external-dns
+version: 1.0.0
+description: External DNS
+keywords:
+  - external-dns
+  - dns
+  - unifi
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/7b50e4da-5dc1-4f62-baf9-14b5fed64552
+sources:
+  - https://github.com/kubernetes-sigs/external-dns
+  - https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: external-dns
+    alias: external-dns-unifi
+    version: 1.19.0
+    repository: https://kubernetes-sigs.github.io/external-dns/
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
+appVersion: 1.16.1

clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml

@@ -0,0 +1,152 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: external-device-names
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: external-device-names
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  endpoints:
+    # Unifi UDM
+    - dnsName: unifi.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 192.168.1.1
+    # Synology Web
+    - dnsName: synology.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.61
+    # Synology Storage
+    - dnsName: synologybond.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.64
+    # HD Homerun
+    - dnsName: hdhr.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.72
+    # Pi KVM
+    - dnsName: pikvm.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.71
+
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: iot-device-names
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: iot-device-names
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  endpoints:
+    # Airgradient
+    - dnsName: it01ag.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.83
+    # Phillips Hue
+    - dnsName: it02ph.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.85
+    # TubesZB ZigBee
+    - dnsName: it03tb.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.81
+    # TubesZB Z-Wave
+    - dnsName: it04tb.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.82
+
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: server-host-names
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: server-host-names
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  endpoints:
+    # Unifi Gateway
+    - dnsName: nw01un.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 192.168.1.1
+    # Synology
+    - dnsName: ps02sn.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.61
+    # Synology Storage
+    - dnsName: ps02sn-bond.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.64
+    # Raspberry Pi
+    - dnsName: ps08rp.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.51
+    # Raspberry Pi
+    - dnsName: ps09rp.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.52
+
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: cluster-service-names
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: cluster-service-names
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  endpoints:
+    # Treafik Proxy
+    - dnsName: traefik-cl01tl.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.21
+    # Treafik Proxy
+    - dnsName: blocky.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.22
+    # Treafik Proxy
+    - dnsName: plex.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.23

clusters/cl01tl/helm/external-dns/templates/external-secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: external-dns-unifi-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: external-dns-unifi-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: api-key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /unifi/auth/cl01tl
+        metadataPolicy: None
+        property: api-key

clusters/cl01tl/helm/external-dns/values.yaml

@@ -0,0 +1,46 @@
+external-dns-unifi:
+  fullnameOverride: external-dns-unifi
+  serviceMonitor:
+    enabled: true
+  interval: 1m
+  sources:
+    - ingress
+    - crd
+    - gateway-httproute
+    - gateway-tlsroute
+  policy: sync
+  registry: txt
+  txtOwnerId: default
+  txtPrefix: k8s.
+  domainFilters: ["alexlebens.net"]
+  excludeDomains: []
+  provider:
+    name: webhook
+    webhook:
+      image:
+        repository: ghcr.io/kashalls/external-dns-unifi-webhook
+        tag: v0.7.0
+      env:
+        - name: UNIFI_HOST
+          value: https://192.168.1.1
+        - name: UNIFI_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: external-dns-unifi-secret
+              key: api-key
+        - name: LOG_LEVEL
+          value: debug
+      livenessProbe:
+        httpGet:
+          path: /healthz
+          port: http-webhook
+        initialDelaySeconds: 10
+        timeoutSeconds: 5
+      readinessProbe:
+        httpGet:
+          path: /readyz
+          port: http-webhook
+        initialDelaySeconds: 10
+        timeoutSeconds: 5
+  extraArgs:
+    - --ignore-ingress-tls-spec

clusters/cl01tl/helm/external-secrets/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: external-secrets
+  repository: https://charts.external-secrets.io
+  version: 1.1.0
+digest: sha256:543c98c4f4014f91b05c823444d87990dcdcd9710a0e5ccd953c5dc4e70006ee
+generated: "2025-12-01T20:25:40.642486-06:00"

clusters/cl01tl/helm/external-secrets/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: external-secrets
+version: 1.0.0
+description: External Secrets
+keywords:
+  - external-secrets
+  - secrets
+  - vault
+home: https://wiki.alexlebens.dev/s/d29044fb-0d63-4500-8853-2971964f356a
+sources:
+  - https://github.com/external-secrets/external-secrets
+  - https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
+dependencies:
+  - name: external-secrets
+    version: 1.1.0
+    repository: https://charts.external-secrets.io
+icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
+appVersion: 0.17.0

clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml

@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: vault
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  provider:
+    vault:
+      server: http://vault-internal.vault:8200
+      path: secret
+      auth:
+        tokenSecretRef:
+          namespace: vault
+          name: vault-token
+          key: token

clusters/cl01tl/helm/garage/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+digest: sha256:7977708d7681e8d5cbc066bcda4241144b0c8b5b590be89a394740df167c90da
+generated: "2025-12-01T20:25:44.910074-06:00"

clusters/cl01tl/helm/garage/Chart.yaml

@@ -0,0 +1,22 @@
+apiVersion: v2
+name: garage
+version: 1.0.0
+description: Garage
+keywords:
+  - garage
+  - storage
+  - s3
+home: https://wiki.alexlebens.dev/s/
+sources:
+  - https://git.deuxfleurs.fr/Deuxfleurs/garage
+  - https://hub.docker.com/r/dxflrs/garage
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: garage
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
+appVersion: v2.1.0

clusters/cl01tl/helm/garage/templates/external-secret.yaml

@@ -0,0 +1,35 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: garage-token-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: garage-token-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: GARAGE_RPC_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/garage/token
+        metadataPolicy: None
+        property: rpc
+    - secretKey: GARAGE_ADMIN_TOKEN
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/garage/token
+        metadataPolicy: None
+        property: admin
+    - secretKey: GARAGE_METRICS_TOKEN
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/garage/token
+        metadataPolicy: None
+        property: metric

clusters/cl01tl/helm/garage/templates/http-route.yaml

@@ -0,0 +1,58 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-garage-webui
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-garage-webui
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - garage-webui.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: garage-webui
+          port: 3909
+          weight: 100
+
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-garage-s3
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-garage-s3
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - garage-s3.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: garage-main
+          port: 3900
+          weight: 100

clusters/cl01tl/helm/garage/templates/service-monitor.yaml

@@ -0,0 +1,22 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: garage
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+    - port: admin
+      interval: 1m
+      scrapeTimeout: 30s
+      path: /metrics
+      bearerTokenSecret:
+        name: garage-token-secret
+        key: GARAGE_METRICS_TOKEN

clusters/cl01tl/helm/garage/values.yaml

@@ -0,0 +1,154 @@
+garage:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: dxflrs/garage
+            tag: v2.1.0
+            pullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: garage-token-secret
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+    webui:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: khairul169/garage-webui
+            tag: 1.1.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: API_BASE_URL
+              value: http://garage-main.garage:3903
+            - name: S3_ENDPOINT_URL
+              value: http://garage-main.garage:3900
+            - name: API_ADMIN_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: garage-token-secret
+                  key: GARAGE_ADMIN_TOKEN
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  configMaps:
+    config:
+      enabled: true
+      data:
+        garage.toml: |
+          replication_factor = 1
+
+          metadata_dir = "/var/lib/garage/meta"
+          data_dir = "/var/lib/garage/data"
+          metadata_snapshots_dir = "/var/lib/garage/snapshots"
+
+          db_engine = "lmdb"
+
+          metadata_auto_snapshot_interval = "6h"
+
+          compression_level = 3
+
+          rpc_bind_addr = "[::]:3901"
+          rpc_public_addr = "127.0.0.1:3901"
+
+          allow_world_readable_secrets = false
+
+          [s3_api]
+          s3_region = "us-east-1"
+          api_bind_addr = "[::]:3900"
+          root_domain = ".garage-s3.alexlebens.net"
+
+          [s3_web]
+          bind_addr = "[::]:3902"
+          root_domain = ".garage-s3.alexlebens.net"
+
+          [admin]
+          api_bind_addr = "[::]:3903"
+          metrics_require_token = true
+  service:
+    main:
+      controller: main
+      ports:
+        s3:
+          port: 3900
+          targetPort: 3900
+          protocol: HTTP
+        rpc:
+          port: 3901
+          targetPort: 3901
+          protocol: HTTP
+        web:
+          port: 3902
+          targetPort: 3902
+          protocol: HTTP
+        admin:
+          port: 3903
+          targetPort: 3903
+          protocol: HTTP
+    webui:
+      controller: webui
+      ports:
+        webui:
+          port: 3909
+          targetPort: 3909
+          protocol: HTTP
+  persistence:
+    config:
+      enabled: true
+      type: configMap
+      name: garage
+      advancedMounts:
+        main:
+          main:
+            - path: /etc/garage.toml
+              readOnly: true
+              mountPropagation: None
+              subPath: garage.toml
+        webui:
+          main:
+            - path: /etc/garage.toml
+              readOnly: true
+              mountPropagation: None
+              subPath: garage.toml
+    db:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /var/lib/garage/meta
+              readOnly: false
+    data:
+      storageClass: synology-iscsi-delete
+      accessMode: ReadWriteOnce
+      size: 800Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /var/lib/garage/data
+              readOnly: false
+    snapshots:
+      storageClass: synology-iscsi-delete
+      accessMode: ReadWriteOnce
+      size: 50Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /var/lib/garage/snapshots
+              readOnly: false

clusters/cl01tl/helm/generic-device-plugin/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: generic-device-plugin
+  repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+  version: 0.20.1
+digest: sha256:4579605b405a55d66fd5deae5c12259afe98f5ad93843bf4e75fe6f4d45929de
+generated: "2025-12-01T20:25:48.389977-06:00"

clusters/cl01tl/helm/generic-device-plugin/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: generic-device-plugin
+version: 1.0.0
+description: Generic Device Plugin
+keywords:
+  - generic-device-plugin
+  - device
+  - plugin
+home: https://wiki.alexlebens.dev/s/ee9ba1be-119c-4e83-aea9-b087481554f2
+sources:
+  - https://github.com/squat/generic-device-plugin
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/generic-device-plugin
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: generic-device-plugin
+    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
+    version: 0.20.1
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
+appVersion: 1.0.0

clusters/cl01tl/helm/generic-device-plugin/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: generic-device-plugin
+  labels:
+    app.kubernetes.io/name: generic-device-plugin
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/generic-device-plugin/values.yaml

@@ -0,0 +1,10 @@
+generic-device-plugin:
+  config:
+    enabled: true
+    data: |
+      devices:
+        - name: tun
+          groups:
+            - count: 1000
+              paths:
+                - path: /dev/net/tun

clusters/cl01tl/helm/gitea/Chart.lock

@@ -0,0 +1,21 @@
+dependencies:
+- name: gitea
+  repository: https://dl.gitea.io/charts/
+  version: 12.4.0
+- name: gitea-actions
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 0.2.1
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+- name: meilisearch
+  repository: https://meilisearch.github.io/meilisearch-kubernetes
+  version: 0.17.1
+- name: cloudflared
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 1.23.0
+- name: postgres-cluster
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 6.16.0
+digest: sha256:6e72cd4abc36e238a5129d0ee471bc296435f8ff1c8be7f3132fc33193a39f23
+generated: "2025-12-01T20:25:50.496342-06:00"

clusters/cl01tl/helm/gitea/Chart.yaml

@@ -0,0 +1,50 @@
+apiVersion: v2
+name: gitea
+version: 1.0.0
+description: Gitea
+keywords:
+  - gitea
+  - git
+  - code
+home: https://wiki.alexlebens.dev/s/94060f71-fd05-4f78-9af2-053f8f221acd
+sources:
+  - https://github.com/go-gitea/gitea
+  - https://github.com/renovatebot/renovate
+  - https://github.com/Angatar/s3cmd
+  - https://github.com/meilisearch/meilisearch
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/gitea/gitea
+  - https://hub.docker.com/r/renovate/renovate
+  - https://hub.docker.com/r/d3fk/s3cmd/
+  - https://gitea.com/gitea/helm-chart
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: gitea
+    version: 12.4.0
+    repository: https://dl.gitea.io/charts/
+  - name: gitea-actions
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 0.2.1
+  - name: app-template
+    alias: backup
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+  - name: meilisearch
+    version: 0.17.1
+    repository: https://meilisearch.github.io/meilisearch-kubernetes
+  - name: cloudflared
+    alias: cloudflared
+    repository: oci://harbor.alexlebens.net/helm-charts
+    version: 1.23.0
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 6.16.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/gitea.png
+appVersion: 1.23.7

clusters/cl01tl/helm/gitea/templates/external-secret.yaml

@@ -0,0 +1,318 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-admin-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-admin-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: username
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/auth/admin
+        metadataPolicy: None
+        property: username
+    - secretKey: password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/auth/admin
+        metadataPolicy: None
+        property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/gitea
+        metadataPolicy: None
+        property: secret
+    - secretKey: key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/gitea
+        metadataPolicy: None
+        property: client
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-runner-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-runner-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/runner
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-renovate-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-renovate-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: RENOVATE_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/renovate
+        metadataPolicy: None
+        property: RENOVATE_ENDPOINT
+    - secretKey: RENOVATE_GIT_AUTHOR
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/renovate
+        metadataPolicy: None
+        property: RENOVATE_GIT_AUTHOR
+    - secretKey: RENOVATE_TOKEN
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/renovate
+        metadataPolicy: None
+        property: RENOVATE_TOKEN
+    - secretKey: RENOVATE_GIT_PRIVATE_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/renovate
+        metadataPolicy: None
+        property: id_rsa
+    - secretKey: RENOVATE_GITHUB_COM_TOKEN
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /github/gitea-cl01tl
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-renovate-ssh-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-renovate-ssh-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/renovate
+        metadataPolicy: None
+        property: ssh_config
+    - secretKey: id_rsa
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/renovate
+        metadataPolicy: None
+        property: id_rsa
+    - secretKey: id_rsa.pub
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/renovate
+        metadataPolicy: None
+        property: id_rsa.pub
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-s3cmd-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-s3cmd-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: .s3cfg
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/gitea-backup
+        metadataPolicy: None
+        property: s3cfg
+    - secretKey: BUCKET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/gitea-backup
+        metadataPolicy: None
+        property: BUCKET
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-meilisearch-master-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-meilisearch-master-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        ISSUE_INDEXER_CONN_STR: "http://:{{ `{{ .MEILI_MASTER_KEY }}` }}@gitea-meilisearch.gitea:7700/"
+  data:
+    - secretKey: MEILI_MASTER_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/gitea/meilisearch
+        metadataPolicy: None
+        property: MEILI_MASTER_KEY
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/gitea
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/helm/gitea/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-gitea
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-gitea
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - gitea.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: gitea-http
+          port: 3000
+          weight: 100

clusters/cl01tl/helm/gitea/templates/ingress.yaml

@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-tailscale
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-tailscale
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    tailscale.com/proxy-class: no-metrics
+  annotations:
+    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
+spec:
+  ingressClassName: tailscale
+  tls:
+    - hosts:
+        - gitea-cl01tl
+      secretName: gitea-cl01tl
+  rules:
+    - host: gitea-cl01tl
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: gitea-http
+                port:
+                  name: http

clusters/cl01tl/helm/gitea/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea
+  labels:
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-nfs-storage-backup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-nfs-storage-backup
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeMode: Filesystem
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-themes-storage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-themes-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  volumeMode: Filesystem
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

clusters/cl01tl/helm/gitea/templates/redis-replication.yaml

@@ -0,0 +1,66 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: redis-replication-gitea
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-gitea
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  clusterSize: 3
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v8.0.3
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+  storage:
+    volumeClaimTemplate:
+      spec:
+        storageClassName: ceph-block
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 10Gi
+  redisExporter:
+    enabled: true
+    image: quay.io/opstree/redis-exporter:v1.48.0
+
+---
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: redis-replication-renovate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-renovate
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  clusterSize: 3
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v8.0.3
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+  storage:
+    volumeClaimTemplate:
+      spec:
+        storageClassName: ceph-block
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  redisExporter:
+    enabled: true
+    image: quay.io/opstree/redis-exporter:v1.48.0

clusters/cl01tl/helm/gitea/templates/role-binding.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gitea-backup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-backup
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gitea-backup
+subjects:
+  - kind: ServiceAccount
+    name: gitea-backup
+    namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/gitea/templates/role.yaml

@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: gitea-backup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-backup
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/exec
+    verbs:
+      - create
+      - list
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+    verbs:
+      - get
+      - list

clusters/cl01tl/helm/gitea/templates/service-monitor.yaml

@@ -0,0 +1,39 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: gitea
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gitea
+      app.kubernetes.io/instance: {{ .Release.Name }}
+    matchExpressions:
+      - { key: app.kubernetes.io/controller, operator: NotIn, values: [backup] }
+  endpoints:
+    - port: http
+
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: redis-replication-gitea
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-gitea
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    redis-operator: "true"
+    env: production
+spec:
+  selector:
+    matchLabels:
+      redis_setup_type: replication
+  endpoints:
+    - port: redis-exporter
+      interval: 30s
+      scrapeTimeout: 10s

clusters/cl01tl/helm/gitea/templates/tcp-route.yaml

@@ -0,0 +1,23 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+  name: tcp-route-gitea-ssh
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: tcp-route-gitea-ssh
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+      sectionName: ssh
+  rules:
+    - backendRefs:
+        - group: ''
+          kind: Service
+          name: gitea-ssh
+          port: 22
+          weight: 100

clusters/cl01tl/helm/gitea/values.yaml

@@ -0,0 +1,378 @@
+gitea:
+  global:
+    imageRegistry: registry.hub.docker.com
+  replicaCount: 3
+  image:
+    repository: gitea/gitea
+    tag: 1.25.2
+  service:
+    http:
+      type: ClusterIP
+      port: 3000
+      clusterIP: 10.103.160.139
+    ssh:
+      type: ClusterIP
+      port: 22
+      clusterIP: 10.103.160.140
+  ingress:
+    enabled: false
+  persistence:
+    storageClass: ceph-filesystem
+    size: 40Gi
+    accessModes:
+      - ReadWriteMany
+  extraVolumes:
+    - name: gitea-nfs-storage-backup
+      persistentVolumeClaim:
+        claimName: gitea-nfs-storage-backup
+    - name: gitea-themes-storage
+      persistentVolumeClaim:
+        claimName: gitea-themes-storage
+  extraInitVolumeMounts:
+    - name: gitea-themes-storage
+      readOnly: false
+      mountPath: /data/gitea/public/assets/css
+  extraContainerVolumeMounts:
+    - mountPath: /opt/backup
+      name: gitea-nfs-storage-backup
+      readOnly: false
+    - name: gitea-themes-storage
+      readOnly: true
+      mountPath: /data/gitea/public/assets/css
+  initPreScript: |
+    wget https://github.com/catppuccin/gitea/releases/latest/download/catppuccin-gitea.tar.gz;
+    tar -xvzf catppuccin-gitea.tar.gz -C /data/gitea/public/assets/css;
+    rm catppuccin-gitea.tar.gz;
+  gitea:
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: false
+    oauth:
+      - name: Authentik
+        provider: openidConnect
+        existingSecret: gitea-oidc-secret
+        autoDiscoverUrl: https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration
+        iconUrl: https://goauthentik.io/img/icon.png
+        scopes: "email profile"
+    config:
+      APP_NAME: Gitea
+      server:
+        PROTOCOL: http
+        DOMAIN: gitea.alexlebens.dev
+        ROOT_URL: https://gitea.alexlebens.dev
+        LOCAL_ROOT_URL: http://gitea-http.gitea.svc.cluster.local:3000
+        START_SSH_SERVER: true
+        SSH_DOMAIN: gitea.alexlebens.net
+        SSH_PORT: 22
+        SSH_LISTEN_PORT: 22
+        ENABLE_PPROF: true
+        LANDING_PAGE: explore
+      database:
+        DB_TYPE: postgres
+        SCHEMA: public
+      oauth2_client:
+        ENABLE_AUTO_REGISTRATION: true
+      cache:
+        ENABLED: true
+        ADAPTER: redis
+        HOST: redis://redis-replication-gitea-master.gitea:6379
+      queue:
+        TYPE: redis
+        CONN_STR: redis://redis-replication-gitea-master.gitea:6379
+      session:
+        PROVIDER: redis
+        PROVIDER_CONFIG: redis://redis-replication-gitea-master.gitea:6379
+      indexer:
+        ISSUE_INDEXER_ENABLED: true
+        ISSUE_INDEXER_TYPE: meilisearch
+        REPO_INDEXER_ENABLED: false
+      actions:
+        ENABLED: true
+      service:
+        REGISTER_MANUAL_CONFIRM: true
+        SHOW_REGISTRATION_BUTTON: false
+        ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+      explore:
+        REQUIRE_SIGNIN_VIEW: true
+      webhook:
+        ALLOWED_HOST_LIST: private
+      ui:
+        DEFAULT_THEME: gitea-auto
+        THEMES: gitea-light,gitea-dark,gitea-auto,catppuccin-rosewater-auto,catppuccin-flamingo-auto,catppuccin-pink-auto,catppuccin-mauve-auto,catppuccin-red-auto,catppuccin-maroon-auto,catppuccin-peach-auto,catppuccin-yellow-auto,catppuccin-green-auto,catppuccin-teal-auto,catppuccin-sky-auto,catppuccin-sapphire-auto,catppuccin-blue-auto,catppuccin-lavender-auto,catppuccin-latte-rosewater,catppuccin-latte-flamingo,catppuccin-latte-pink,catppuccin-latte-mauve,catppuccin-latte-red,catppuccin-latte-maroon,catppuccin-latte-peach,catppuccin-latte-yellow,catppuccin-latte-green,catppuccin-latte-teal,catppuccin-latte-sky,catppuccin-latte-sapphire,catppuccin-latte-blue,catppuccin-latte-lavender,catppuccin-frappe-rosewater,catppuccin-frappe-flamingo,catppuccin-frappe-pink,catppuccin-frappe-mauve,catppuccin-frappe-red,catppuccin-frappe-maroon,catppuccin-frappe-peach,catppuccin-frappe-yellow,catppuccin-frappe-green,catppuccin-frappe-teal,catppuccin-frappe-sky,catppuccin-frappe-sapphire,catppuccin-frappe-blue,catppuccin-frappe-lavender,catppuccin-macchiato-rosewater,catppuccin-macchiato-flamingo,catppuccin-macchiato-pink,catppuccin-macchiato-mauve,catppuccin-macchiato-red,catppuccin-macchiato-maroon,catppuccin-macchiato-peach,catppuccin-macchiato-yellow,catppuccin-macchiato-green,catppuccin-macchiato-teal,catppuccin-macchiato-sky,catppuccin-macchiato-sapphire,catppuccin-macchiato-blue,catppuccin-macchiato-lavender,catppuccin-mocha-rosewater,catppuccin-mocha-flamingo,catppuccin-mocha-pink,catppuccin-mocha-mauve,catppuccin-mocha-red,catppuccin-mocha-maroon,catppuccin-mocha-peach,catppuccin-mocha-yellow,catppuccin-mocha-green,catppuccin-mocha-teal,catppuccin-mocha-sky,catppuccin-mocha-sapphire,catppuccin-mocha-blue,catppuccin-mocha-lavender
+      mirror:
+        DEFAULT_INTERVAL: 10m
+      repo-archive:
+        ENABLED: false
+    additionalConfigFromEnvs:
+      - name: GITEA__DATABASE__HOST
+        valueFrom:
+          secretKeyRef:
+            name: gitea-postgresql-17-cluster-app
+            key: host
+      - name: GITEA__DATABASE__NAME
+        valueFrom:
+          secretKeyRef:
+            name: gitea-postgresql-17-cluster-app
+            key: dbname
+      - name: GITEA__DATABASE__USER
+        valueFrom:
+          secretKeyRef:
+            name: gitea-postgresql-17-cluster-app
+            key: user
+      - name: GITEA__DATABASE__PASSWD
+        valueFrom:
+          secretKeyRef:
+            name: gitea-postgresql-17-cluster-app
+            key: password
+      - name: GITEA__INDEXER__ISSUE_INDEXER_CONN_STR
+        valueFrom:
+          secretKeyRef:
+            name: gitea-meilisearch-master-key-secret
+            key: ISSUE_INDEXER_CONN_STR
+  valkey-cluster:
+    enabled: false
+  valkey:
+    enabled: false
+  postgresql-ha:
+    enabled: false
+  postgresql:
+    enabled: false
+gitea-actions:
+  enabled: true
+  global:
+    fullnameOverride: gitea-actions
+  statefulset:
+    replicas: 6
+    actRunner:
+      repository: gitea/act_runner
+      tag: 0.2.13
+      config: |
+        log:
+          level: debug
+        cache:
+          enabled: false
+        runner:
+          labels:
+            - "ubuntu-latest:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04"
+            - "ubuntu-js:docker://harbor.alexlebens.net/proxy-ghcr.io/catthehacker/ubuntu:js-24.04"
+            - "ubuntu-24.04:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04"
+            - "ubuntu-22.04:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-22.04"
+    dind:
+      repository: docker
+      tag: 25.0.2-dind
+    persistence:
+      storageClass: ceph-block
+      size: 5Gi
+  init:
+    image:
+      repository: busybox
+      tag: "1.37.0"
+  existingSecret: gitea-runner-secret
+  existingSecretKey: token
+  giteaRootURL: http://gitea-http.gitea:3000
+backup:
+  global:
+    fullnameOverride: gitea-backup
+  controllers:
+    backup:
+      type: cronjob
+      cronjob:
+        suspend: false
+        concurrencyPolicy: Forbid
+        timeZone: US/Central
+        schedule: 0 4 */2 * *
+        startingDeadlineSeconds: 90
+        successfulJobsHistory: 3
+        failedJobsHistory: 3
+        backoffLimit: 3
+        parallelism: 1
+      serviceAccount:
+        name: gitea-backup
+      pod:
+        automountServiceAccountToken: true
+      initContainers:
+        backup:
+          image:
+            repository: bitnami/kubectl
+            tag: latest
+            pullPolicy: IfNotPresent
+          command:
+            - sh
+          args:
+            - -ec
+            - |
+              kubectl exec -it deploy/gitea -n gitea -- rm -f /opt/backup/gitea-backup.zip;
+              kubectl exec -it deploy/gitea -n gitea -- /app/gitea/gitea dump -c /data/gitea/conf/app.ini --file /opt/backup/gitea-backup.zip;
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+      containers:
+        s3-backup:
+          image:
+            repository: d3fk/s3cmd
+            tag: latest@sha256:7bdbd33bb3d044884598898b9e9b383385759fbd6ebf52888700bd9b0e0fab91
+            pullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+          args:
+            - -ec
+            - |
+              echo ">> Running S3 backup for Gitea"
+              s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/gitea-backup.zip ${BUCKET}/cl01tl/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
+              mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
+              echo ">> Completed S3 backup for Gitea"
+          env:
+            - name: BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-s3cmd-config
+                  key: BUCKET
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+        s3-prune:
+          image:
+            repository: d3fk/s3cmd
+            tag: latest@sha256:7bdbd33bb3d044884598898b9e9b383385759fbd6ebf52888700bd9b0e0fab91
+            pullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+          args:
+            - -ec
+            - |
+              export DATE_RANGE=$(date -d @$(( $(date +%s) - 604800 )) +%Y%m%d);
+              export FILE_MATCH="$BUCKET/cl01tl/gitea-backup-$DATE_RANGE-09-00.zip"
+              echo ">> Running S3 prune for Gitea backup repository"
+              echo ">> Backups prior to '$DATE_RANGE' will be removed"
+              echo ">> Backups to be removed:"
+              s3cmd ls ${BUCKET}/cl01tl/ |
+                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}'
+              echo ">> Deleting ..."
+              s3cmd ls ${BUCKET}/cl01tl/ |
+                awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' |
+                while read file; do
+                  s3cmd del "$file";
+                done;
+              echo ">> Completed S3 prune for Gitea backup repository"
+          env:
+            - name: BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-s3cmd-config
+                  key: BUCKET
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+  serviceAccount:
+    gitea-backup:
+      enabled: true
+  persistence:
+    config:
+      existingClaim: gitea-nfs-storage-backup
+      advancedMounts:
+        backup:
+          s3-backup:
+            - path: /opt/backup
+              readOnly: false
+    s3cmd-config:
+      enabled: true
+      type: secret
+      name: gitea-s3cmd-config
+      advancedMounts:
+        backup:
+          s3-backup:
+            - path: /root/.s3cfg
+              readOnly: true
+              mountPropagation: None
+              subPath: .s3cfg
+          s3-prune:
+            - path: /root/.s3cfg
+              readOnly: true
+              mountPropagation: None
+              subPath: .s3cfg
+meilisearch:
+  environment:
+    MEILI_NO_ANALYTICS: true
+    MEILI_ENV: production
+    MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
+  auth:
+    existingMasterKeySecret: gitea-meilisearch-master-key-secret
+  service:
+    type: ClusterIP
+    port: 7700
+  persistence:
+    enabled: true
+    storageClass: ceph-block
+    size: 5Gi
+  resources:
+    requests:
+      cpu: 10m
+      memory: 128Mi
+  serviceMonitor:
+    enabled: true
+cloudflared:
+  existingSecretName: gitea-cloudflared-secret
+postgres-17-cluster:
+  mode: recovery
+  cluster:
+    storage:
+      storageClass: local-path
+    walStorage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+      prometheusRule:
+        enabled: true
+    resources:
+      requests:
+        memory: 1Gi
+        cpu: 200m
+  recovery:
+    method: objectStore
+    objectStore:
+      destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster
+      endpointURL: http://garage-main.garage:3900
+      index: 1
+      endpointCredentials: gitea-postgresql-17-cluster-backup-secret-garage
+  backup:
+    objectStore:
+      - name: external
+        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-17-cluster
+        index: 1
+        retentionPolicy: "30d"
+        isWALArchiver: false
+      - name: garage-local
+        destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster
+        index: 1
+        endpointURL: http://garage-main.garage:3900
+        endpointCredentials: gitea-postgresql-17-cluster-backup-secret-garage
+        endpointCredentialsIncludeRegion: true
+        retentionPolicy: "3d"
+        isWALArchiver: true
+      # - name: garage-remote
+      #   destinationPath: s3://postgres-backups/cl01tl/gitea/gitea-postgresql-17-cluster
+      #   index: 1
+      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   endpointCredentials: gitea-postgresql-17-cluster-backup-secret-garage
+      #   retentionPolicy: "30d"
+      #   data:
+      #     compression: bzip2
+      #     jobs: 2
+    scheduledBackups:
+      - name: daily-backup
+        suspend: false
+        schedule: "0 0 0 * * *"
+        backupName: external
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 0 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: false
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote

clusters/cl01tl/helm/harbor/Chart.yaml

@@ -0,0 +1,27 @@
+apiVersion: v2
+name: harbor
+version: 1.0.0
+description: Harbor
+keywords:
+  - harbor
+  - images
+  - cache
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/7e132c13-afee-48ec-b3dd-efd656d240c9
+sources:
+  - https://github.com/goharbor
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/goharbor/harbor-helm
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: harbor
+    version: 1.18.0
+    repository: https://helm.goharbor.io
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 6.16.0
+    repository: http://gitea-http.gitea:3000/api/packages/alexlebens/helm
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/harbor.png
+appVersion: v2.13.0

clusters/cl01tl/helm/harbor/templates/external-secret.yaml

@@ -0,0 +1,202 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: harbor-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: harbor-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: HARBOR_ADMIN_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/config
+        metadataPolicy: None
+        property: admin-password
+    - secretKey: secretKey
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/config
+        metadataPolicy: None
+        property: secretKey
+    - secretKey: CSRF_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/core
+        metadataPolicy: None
+        property: CSRF_KEY
+    - secretKey: secret
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/core
+        metadataPolicy: None
+        property: secret
+    - secretKey: tls.crt
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/core
+        metadataPolicy: None
+        property: tls.crt
+    - secretKey: tls.key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/core
+        metadataPolicy: None
+        property: tls.key
+    - secretKey: JOBSERVICE_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/jobservice
+        metadataPolicy: None
+        property: JOBSERVICE_SECRET
+    - secretKey: REGISTRY_HTTP_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/registry
+        metadataPolicy: None
+        property: REGISTRY_HTTP_SECRET
+    - secretKey: REGISTRY_REDIS_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/registry
+        metadataPolicy: None
+        property: REGISTRY_REDIS_PASSWORD
+    - secretKey: REGISTRY_HTPASSWD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/registry
+        metadataPolicy: None
+        property: REGISTRY_HTPASSWD
+    - secretKey: REGISTRY_CREDENTIAL_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/registry
+        metadataPolicy: None
+        property: REGISTRY_CREDENTIAL_PASSWORD
+    - secretKey: REGISTRY_PASSWD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/registry
+        metadataPolicy: None
+        property: REGISTRY_CREDENTIAL_PASSWORD
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: harbor-nginx-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: harbor-nginx-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ca.crt
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/nginx
+        metadataPolicy: None
+        property: ca.crt
+    - secretKey: tls.crt
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/nginx
+        metadataPolicy: None
+        property: tls.crt
+    - secretKey: tls.key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/harbor/nginx
+        metadataPolicy: None
+        property: tls.key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: harbor-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: harbor-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: harbor-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: harbor-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/helm/harbor/templates/http-route.yaml

@@ -0,0 +1,47 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-harbor
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-harbor
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - harbor.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /api/
+      - path:
+          type: PathPrefix
+          value: /service/
+      - path:
+          type: PathPrefix
+          value: /v2/
+      - path:
+          type: PathPrefix
+          value: /c/
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: harbor-core
+          port: 80
+          weight: 100
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: harbor-portal
+          port: 80
+          weight: 100

clusters/cl01tl/helm/harbor/templates/redis-replication.yaml

@@ -0,0 +1,32 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: redis-replication-harbor
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-harbor
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  clusterSize: 3
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v8.0.3
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+  storage:
+    volumeClaimTemplate:
+      spec:
+        storageClassName: ceph-block
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  redisExporter:
+    enabled: true
+    image: quay.io/opstree/redis-exporter:v1.48.0

clusters/cl01tl/helm/harbor/templates/service-monitor.yaml

@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: redis-replication-harbor
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-harbor
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    redis-operator: "true"
+    env: production
+spec:
+  selector:
+    matchLabels:
+      redis_setup_type: replication
+  endpoints:
+    - port: redis-exporter
+      interval: 30s
+      scrapeTimeout: 10s

clusters/cl01tl/helm/harbor/values.yaml

@@ -0,0 +1,152 @@
+harbor:
+  expose:
+    type: clusterIP
+    tls:
+      auto:
+        commonName: harbor.alexlebens.net
+  externalURL: https://harbor.alexlebens.net
+  persistence:
+    enabled: true
+    persistentVolumeClaim:
+      registry:
+        storageClass: ceph-block
+        accessMode: ReadWriteOnce
+        size: 100Gi
+  existingSecretAdminPassword: harbor-secret
+  existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
+  internalTLS:
+    enabled: false
+  ipFamily:
+    ipv6:
+      enabled: false
+    ipv4:
+      enabled: true
+  updateStrategy:
+    type: Recreate
+  existingSecretSecretKey: harbor-secret
+  enableMigrateHelmHook: true
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  cache:
+    enabled: true
+  nginx:
+    image:
+      repository: goharbor/nginx-photon
+      tag: v2.14.1
+    replicas: 0
+  portal:
+    image:
+      repository: goharbor/harbor-portal
+      tag: v2.14.1
+    replicas: 2
+  core:
+    image:
+      repository: goharbor/harbor-core
+      tag: v2.14.1
+    replicas: 2
+    existingSecret: harbor-secret
+    secretName: harbor-secret
+    existingXsrfSecret: harbor-secret
+  jobservice:
+    image:
+      repository: goharbor/harbor-jobservice
+      tag: v2.14.1
+    replicas: 2
+    jobLoggers:
+      - stdout
+    existingSecret: harbor-secret
+  registry:
+    registry:
+      image:
+        repository: goharbor/registry-photon
+        tag: v2.14.1
+    controller:
+      image:
+        repository: goharbor/harbor-registryctl
+        tag: v2.14.1
+    existingSecret: harbor-secret
+    relativeurls: true
+    credentials:
+      existingSecret: harbor-secret
+    upload_purging:
+      enabled: true
+      age: 72h
+      interval: 24h
+      dryrun: false
+  trivy:
+    enabled: true
+  database:
+    type: external
+    external:
+      host: harbor-postgresql-17-cluster-rw
+      port: "5432"
+      username: app
+      coreDatabase: app
+      existingSecret: harbor-postgresql-17-cluster-app
+  redis:
+    type: external
+    external:
+      addr: "redis-replication-harbor-master.harbor:6379"
+  exporter:
+    image:
+      repository: goharbor/harbor-exporter
+      tag: v2.14.1
+    replicas: 2
+postgres-17-cluster:
+  mode: recovery
+  cluster:
+    storage:
+      storageClass: local-path
+    walStorage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+      prometheusRule:
+        enabled: true
+  recovery:
+    method: objectStore
+    objectStore:
+      destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-17-cluster
+      endpointURL: http://garage-main.garage:3900
+      index: 1
+      endpointCredentials: harbor-postgresql-17-cluster-backup-secret-garage
+  backup:
+    objectStore:
+      - name: external
+        destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/harbor/harbor-postgresql-17-cluster
+        index: 2
+        retentionPolicy: "30d"
+        isWALArchiver: false
+      - name: garage-local
+        destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-17-cluster
+        index: 1
+        endpointURL: http://garage-main.garage:3900
+        endpointCredentials: harbor-postgresql-17-cluster-backup-secret-garage
+        endpointCredentialsIncludeRegion: true
+        retentionPolicy: "3d"
+        isWALArchiver: true
+      # - name: garage-remote
+      #   destinationPath: s3://postgres-backups/cl01tl/harbor/harbor-postgresql-17-cluster
+      #   index: 1
+      #   endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
+      #   endpointCredentials: harbor-postgresql-17-cluster-backup-secret-garage
+      #   retentionPolicy: "30d"
+      #   data:
+      #     compression: bzip2
+      #     jobs: 2
+    scheduledBackups:
+      - name: daily-backup
+        suspend: false
+        schedule: "0 0 0 * * *"
+        backupName: external
+      - name: live-backup
+        suspend: false
+        immediate: true
+        schedule: "0 0 0 * * *"
+        backupName: garage-local
+      # - name: weekly-backup
+      #   suspend: false
+      #   schedule: "0 0 4 * * SAT"
+      #   backupName: garage-remote

clusters/cl01tl/helm/intel-device-plugin/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: intel-device-plugins-operator
+  repository: https://intel.github.io/helm-charts/
+  version: 0.34.0
+- name: intel-device-plugins-gpu
+  repository: https://intel.github.io/helm-charts/
+  version: 0.34.0
+digest: sha256:c04a317b7741aeab435e0bff87f15e820c808773b281e83fc54be7e2a83225a4
+generated: "2025-12-01T20:26:07.442178-06:00"

clusters/cl01tl/helm/intel-device-plugin/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+name: intel-device-plugin
+version: 1.0.0
+description: Intel Device Plugin
+keywords:
+  - intel-device-plugin
+  - operator
+  - gpu
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/340746b2-b0ab-4b6b-95eb-323038ecdd35
+sources:
+  - https://github.com/intel/intel-device-plugins-for-kubernetes
+  - https://github.com/intel/helm-charts/tree/main/charts/device-plugin-operator
+  - https://github.com/intel/helm-charts/tree/main/charts/gpu-device-plugin
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: intel-device-plugins-operator
+    version: 0.34.0
+    repository: https://intel.github.io/helm-charts/
+  - name: intel-device-plugins-gpu
+    version: 0.34.0
+    repository: https://intel.github.io/helm-charts/
+icon: https://avatars.githubusercontent.com/u/17888862?s=48&v=4
+appVersion: 0.34.0

clusters/cl01tl/helm/intel-device-plugin/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: intel-device-plugin
+  labels:
+    app.kubernetes.io/name: intel-device-plugin
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/intel-device-plugin/values.yaml

@@ -0,0 +1,6 @@
+intel-device-plugins-gpu:
+  name: gpudeviceplugin
+  sharedDevNum: 5
+  nodeSelector:
+    intel.feature.node.kubernetes.io/gpu: 'true'
+  nodeFeatureRule: false

clusters/cl01tl/helm/kubernetes-cloudflare-ddns/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+digest: sha256:78bc8a78724746e0fd60ad691ef3813db7987956351513986eddb609a9f55caf
+generated: "2025-12-01T20:26:22.770276-06:00"

clusters/cl01tl/helm/kubernetes-cloudflare-ddns/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: kubernetes-cloudflare-ddns
+version: 1.0.0
+description: Kubernetes Cloudflare DDNS
+keywords:
+  - kubernetes-cloudflare-ddns
+  - cloudflare
+  - ddns
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/49513b51-cf91-4efd-b2a5-957555bc3ad7
+sources:
+  - https://github.com/kubitodev/kubernetes-cloudflare-ddns
+  - https://hub.docker.com/r/kubitodev/kubernetes-cloudflare-ddns
+  - https://github.com/bjw-s/helm-charts/blob/main/charts/other/app-template/values.yaml
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: kubernetes-cloudflare-ddns
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cloudflare.png
+appVersion: v2.0.0

clusters/cl01tl/helm/kubernetes-cloudflare-ddns/templates/external-secret.yaml

@@ -0,0 +1,42 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: kubernetes-cloudflare-ddns-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: kubernetes-cloudflare-ddns-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: AUTH_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/alexlebens.net/ddns
+        metadataPolicy: None
+        property: token
+    - secretKey: NAME
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/alexlebens.net/ddns
+        metadataPolicy: None
+        property: name
+    - secretKey: RECORD_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/alexlebens.net/ddns
+        metadataPolicy: None
+        property: record-id
+    - secretKey: ZONE_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/alexlebens.net/ddns
+        metadataPolicy: None
+        property: zone-id

clusters/cl01tl/helm/kubernetes-cloudflare-ddns/values.yaml

@@ -0,0 +1,27 @@
+kubernetes-cloudflare-ddns:
+  controllers:
+    main:
+      type: cronjob
+      cronjob:
+        suspend: false
+        concurrencyPolicy: Forbid
+        timeZone: US/Central
+        schedule: "30 4 * * *"
+        startingDeadlineSeconds: 90
+        successfulJobsHistory: 3
+        failedJobsHistory: 3
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        main:
+          image:
+            repository: kubitodev/kubernetes-cloudflare-ddns
+            tag: 2.0.0
+            pullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: kubernetes-cloudflare-ddns-secret
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi

clusters/cl01tl/helm/local-path-provisioner/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: local-path-provisioner
+  repository: https://charts.containeroo.ch
+  version: 0.0.33
+digest: sha256:323aa6386161d2f5e2f3122082bc1dc63aeae96d2e02520b8d5dc63f80c3be1c
+generated: "2025-12-01T20:26:30.26287-06:00"

clusters/cl01tl/helm/local-path-provisioner/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: local-path-provisioner
+version: 1.0.0
+description: Local Path Provisioner
+keywords:
+  - local-path-provisioner
+  - storage
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/fa4d4152-b9dd-4fdc-a6f2-93a2c0df7f4a
+sources:
+  - https://github.com/rancher/local-path-provisioner
+  - https://hub.docker.com/r/rancher/local-path-provisioner
+  - https://github.com/containeroo/helm-charts/tree/master/charts/local-path-provisioner
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: local-path-provisioner
+    version: 0.0.33
+    repository: https://charts.containeroo.ch
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
+appVersion: v0.0.31

clusters/cl01tl/helm/local-path-provisioner/templates/namespace.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: local-path-provisioner
+  labels:
+    app.kubernetes.io/name: local-path-provisioner
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/local-path-provisioner/values.yaml

@@ -0,0 +1,45 @@
+local-path-provisioner:
+  image:
+    repository: rancher/local-path-provisioner
+    tag: v0.0.32
+  helperImage:
+    repository: busybox
+    tag: 1.37.0
+  storageClass:
+    create: true
+    defaultClass: false
+    defaultVolumeType: hostPath
+    name: local-path
+    reclaimPolicy: Delete
+    volumeBindingMode: WaitForFirstConsumer
+  nodePathMap:
+    - node: talos-2di-ktg
+      paths:
+        - /var/local-path-provisioner
+    - node: talos-9vs-6hh
+      paths:
+        - /var/local-path-provisioner
+    - node: talos-aoq-hpv
+      paths:
+        - /var/local-path-provisioner
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - talos-2di-ktg
+                - talos-9vs-6hh
+                - talos-aoq-hpv
+  configmap:
+    name: local-path-config
+    setup: |-
+      #!/bin/sh
+      set -eu
+      mkdir -m 0777 -p "$VOL_DIR"
+    teardown: |-
+      #!/bin/sh
+      set -eu
+      rm -rf "$VOL_DIR"

clusters/cl01tl/helm/mariadb-operator/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: mariadb-operator
+  repository: https://helm.mariadb.com/mariadb-operator
+  version: 25.10.2
+- name: mariadb-operator-crds
+  repository: https://helm.mariadb.com/mariadb-operator
+  version: 25.10.2
+digest: sha256:aa5f6595d1d6b280351e03d8cb36a08b8003b68b4340b2ac9ba9c88a776f6e5e
+generated: "2025-12-01T20:26:34.810951-06:00"

clusters/cl01tl/helm/mariadb-operator/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: mariadb-operator
+version: 1.0.0
+description: MariaDB Operator
+keywords:
+  - mariadb-operator
+  - database
+  - storage
+  - kubernetes
+home: https://wiki.alexlebens.dev/
+sources:
+  - https://github.com/mariadb-operator/mariadb-operator
+  - https://github.com/mariadb-operator/mariadb-operator/tree/main/deploy/charts/mariadb-operator
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: mariadb-operator
+    version: 25.10.2
+    repository: https://helm.mariadb.com/mariadb-operator
+  - name: mariadb-operator-crds
+    version: 25.10.2
+    repository: https://helm.mariadb.com/mariadb-operator
+icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
+appVersion: 25.10.2

clusters/cl01tl/helm/mariadb-operator/values.yaml

@@ -0,0 +1,11 @@
+mariadb-operator:
+  ha:
+    enabled: true
+    replicas: 3
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  pdb:
+    enabled: true
+    maxUnavailable: 1

clusters/cl01tl/helm/matrix-synapse/Chart.lock

@@ -0,0 +1,18 @@
+dependencies:
+- name: matrix-synapse
+  repository: https://ananace.gitlab.io/charts
+  version: 3.12.16
+- name: app-template
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.4.0
+- name: cloudflared
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 1.23.0
+- name: cloudflared
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 1.23.0
+- name: postgres-cluster
+  repository: oci://harbor.alexlebens.net/helm-charts
+  version: 6.16.0
+digest: sha256:afe8733bac2a302bb2140c8217e8e07cc8c017bb64a49e572443363aacc8d189
+generated: "2025-12-01T20:26:37.153765-06:00"

clusters/cl01tl/helm/matrix-synapse/Chart.yaml

@@ -0,0 +1,59 @@
+apiVersion: v2
+name: matrix-synapse
+version: 1.0.0
+description: Matrix Synapse
+keywords:
+  - matrix-synapse
+  - matrix
+  - chat
+  - bridge
+  - matrix-hookshot
+  - mautrix-discord
+  - mautrix-whatsapp
+home: https://wiki.alexlebens.dev/s/bd7e7f66-136a-41b8-8144-847bacbb3059
+sources:
+  - https://github.com/element-hq/synapse
+  - https://github.com/matrix-org/matrix-hookshot
+  - https://github.com/mautrix/discord
+  - https://github.com/mautrix/whatsapp
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/halfshot/matrix-hookshot
+  - https://mau.dev/mautrix/discord/container_registry
+  - https://mau.dev/mautrix/whatsapp/container_registry
+  - https://gitlab.com/ananace/charts/-/tree/master/charts/matrix-synapse
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: matrix-synapse
+    version: 3.12.16
+    repository: https://ananace.gitlab.io/charts
+  - name: app-template
+    alias: matrix-hookshot
+    version: 4.4.0
+    repository: https://bjw-s-labs.github.io/helm-charts/
+  # - name: app-template
+  #   alias: mautrix-discord
+  #   repository: https://bjw-s-labs.github.io/helm-charts/
+  #   version: 4.0.1
+  # - name: app-template
+  #   alias: mautrix-whatsapp
+  #   repository: https://bjw-s-labs.github.io/helm-charts/
+  #   version: 4.0.1
+  - name: cloudflared
+    alias: cloudflared-synapse
+    version: 1.23.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: cloudflared
+    alias: cloudflared-hookshot
+    version: 1.23.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 6.16.0
+    repository: oci://harbor.alexlebens.net/helm-charts
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/matrix.png
+appVersion: 1.129.0

clusters/cl01tl/helm/matrix-synapse/templates/external-secret.yaml

@@ -0,0 +1,481 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-synapse-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: oidc.yaml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/config
+        metadataPolicy: None
+        property: oidc.yaml
+    - secretKey: config.yaml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/config
+        metadataPolicy: None
+        property: config.yaml
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-synapse-signingkey
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-signingkey
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: signing.key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/config
+        metadataPolicy: None
+        property: signing-key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-hookshot-config-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: config.yml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/hookshot
+        metadataPolicy: None
+        property: config
+    - secretKey: registration.yml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/hookshot
+        metadataPolicy: None
+        property: registration
+    - secretKey: hookshot-registration.yaml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/hookshot
+        metadataPolicy: None
+        property: registration
+    - secretKey: passkey.pem
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/hookshot
+        metadataPolicy: None
+        property: passkey
+
+# ---
+# apiVersion: external-secrets.io/v1
+# kind: ExternalSecret
+# metadata:
+#   name: mautrix-discord-config-secret
+#   namespace: {{ .Release.Namespace }}
+  # labels:
+  #   app.kubernetes.io/name: {{ .Release.Name }}
+  #   app.kubernetes.io/instance: {{ .Release.Name }}
+# spec:
+#   secretStoreRef:
+#     kind: ClusterSecretStore
+#     name: vault
+#   data:
+#     - secretKey: config.yaml
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/matrix-synapse/mautrix-discord
+#         metadataPolicy: None
+#         property: config
+#     - secretKey: mautrix-discord-registration.yaml
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/matrix-synapse/mautrix-discord
+#         metadataPolicy: None
+#         property: registration
+
+# ---
+# apiVersion: external-secrets.io/v1
+# kind: ExternalSecret
+# metadata:
+#   name: mautrix-whatsapp-config-secret
+#   namespace: {{ .Release.Namespace }}
+  # labels:
+  #   app.kubernetes.io/name: {{ .Release.Name }}
+  #   app.kubernetes.io/instance: {{ .Release.Name }}
+# spec:
+#   secretStoreRef:
+#     kind: ClusterSecretStore
+#     name: vault
+#   data:
+#     - secretKey: config.yaml
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/matrix-synapse/mautrix-whatsapp
+#         metadataPolicy: None
+#         property: config
+#     - secretKey: mautrix-whatsapp-registration.yaml
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/matrix-synapse/mautrix-whatsapp
+#         metadataPolicy: None
+#         property: registration
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: double-puppet-registration-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: double-puppet-registration-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: double-puppet-registration.yaml
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/double-puppet
+        metadataPolicy: None
+        property: registration
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-synapse-redis-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-redis-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: password
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/redis
+        metadataPolicy: None
+        property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-synapse-cloudflared-synapse-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-cloudflared-synapse-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/matrix-synapse
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-synapse-cloudflared-hookshot-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-cloudflared-hookshot-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/matrix-hookshot
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-synapse-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/matrix-synapse/matrix-synapse"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key
+
+# ---
+# apiVersion: external-secrets.io/v1
+# kind: ExternalSecret
+# metadata:
+#   name: mautrix-discord-data-backup-secret
+#   namespace: {{ .Release.Namespace }}
+  # labels:
+  #   app.kubernetes.io/name: {{ .Release.Name }}
+  #   app.kubernetes.io/instance: {{ .Release.Name }}
+# spec:
+#   secretStoreRef:
+#     kind: ClusterSecretStore
+#     name: vault
+#   target:
+#     template:
+#       mergePolicy: Merge
+#       engineVersion: v2
+#       data:
+#         RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/matrix-synapse/mautrix-discord-data"
+#   data:
+#     - secretKey: BUCKET_ENDPOINT
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: S3_BUCKET_ENDPOINT
+#     - secretKey: RESTIC_PASSWORD
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: RESTIC_PASSWORD
+#     - secretKey: AWS_DEFAULT_REGION
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: AWS_DEFAULT_REGION
+#     - secretKey: AWS_ACCESS_KEY_ID
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /digital-ocean/home-infra/volsync-backups
+#         metadataPolicy: None
+#         property: access_key
+#     - secretKey: AWS_SECRET_ACCESS_KEY
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /digital-ocean/home-infra/volsync-backups
+#         metadataPolicy: None
+#         property: secret_key
+
+# ---
+# apiVersion: external-secrets.io/v1
+# kind: ExternalSecret
+# metadata:
+#   name: mautrix-whatsapp-data-backup-secret
+#   namespace: {{ .Release.Namespace }}
+  # labels:
+  #   app.kubernetes.io/name: {{ .Release.Name }}
+  #   app.kubernetes.io/instance: {{ .Release.Name }}
+# spec:
+#   secretStoreRef:
+#     kind: ClusterSecretStore
+#     name: vault
+#   target:
+#     template:
+#       mergePolicy: Merge
+#       engineVersion: v2
+#       data:
+#         RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/matrix-synapse/mautrix-whatsapp-data"
+#   data:
+#     - secretKey: BUCKET_ENDPOINT
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: S3_BUCKET_ENDPOINT
+#     - secretKey: RESTIC_PASSWORD
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: RESTIC_PASSWORD
+#     - secretKey: AWS_DEFAULT_REGION
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: AWS_DEFAULT_REGION
+#     - secretKey: AWS_ACCESS_KEY_ID
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /digital-ocean/home-infra/volsync-backups
+#         metadataPolicy: None
+#         property: access_key
+#     - secretKey: AWS_SECRET_ACCESS_KEY
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /digital-ocean/home-infra/volsync-backups
+#         metadataPolicy: None
+#         property: secret_key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-synapse-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-postgresql-17-cluster-backup-secret-garage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /garage/home-infra/postgres-backups
+        metadataPolicy: None
+        property: ACCESS_REGION

clusters/cl01tl/helm/matrix-synapse/templates/redis-replication.yaml

@@ -0,0 +1,69 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: redis-replication-matrix-synapse
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-matrix-synapse
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  clusterSize: 3
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v8.0.3
+    imagePullPolicy: IfNotPresent
+    redisSecret:
+      name: matrix-synapse-redis-secret
+      key: password
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+  storage:
+    volumeClaimTemplate:
+      spec:
+        storageClassName: ceph-block
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  redisExporter:
+    enabled: true
+    image: quay.io/opstree/redis-exporter:v1.48.0
+
+---
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: redis-replication-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  clusterSize: 3
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v8.0.3
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+  storage:
+    volumeClaimTemplate:
+      spec:
+        storageClassName: ceph-block
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  redisExporter:
+    enabled: true
+    image: quay.io/opstree/redis-exporter:v1.48.0

clusters/cl01tl/helm/matrix-synapse/templates/replication-source.yaml

@@ -0,0 +1,85 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: matrix-synapse-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: matrix-synapse
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: matrix-synapse-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+
+# ---
+# apiVersion: volsync.backube/v1alpha1
+# kind: ReplicationSource
+# metadata:
+#   name: mautrix-discord-data-backup-source
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: mautrix-discord-data-backup-source
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   sourcePVC: mautrix-discord-data
+#   trigger:
+#     schedule: 0 4 * * *
+#   restic:
+#     pruneIntervalDays: 7
+#     repository: mautrix-discord-data-backup-secret
+#     retain:
+#       hourly: 1
+#       daily: 3
+#       weekly: 2
+#       monthly: 2
+#       yearly: 4
+#     moverSecurityContext:
+#       runAsUser: 1337
+#       runAsGroup: 1337
+#     copyMethod: Snapshot
+#     storageClassName: ceph-block
+#     volumeSnapshotClassName: ceph-blockpool-snapshot
+
+# ---
+# apiVersion: volsync.backube/v1alpha1
+# kind: ReplicationSource
+# metadata:
+#   name: mautrix-whatsapp-data-backup-source
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: mautrix-whatsapp-data-backup-source
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   sourcePVC: mautrix-whatsapp-data
+#   trigger:
+#     schedule: 0 4 * * *
+#   restic:
+#     pruneIntervalDays: 7
+#     repository: mautrix-whatsapp-data-backup-secret
+#     retain:
+#       hourly: 1
+#       daily: 3
+#       weekly: 2
+#       monthly: 2
+#       yearly: 4
+#     moverSecurityContext:
+#       runAsUser: 1337
+#       runAsGroup: 1337
+#     copyMethod: Snapshot
+#     storageClassName: ceph-block
+#     volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/helm/matrix-synapse/templates/service-monitor.yaml

@@ -0,0 +1,61 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: matrix-synapse
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-synapse
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-synapse
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+    - targetPort: 9090
+      interval: 3m
+      scrapeTimeout: 1m
+      path: /_synapse/metrics
+
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: matrix-hookshot
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: matrix-hookshot
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: matrix-hookshot
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+    - targetPort: 9001
+      interval: 3m
+      scrapeTimeout: 1m
+      path: /metrics
+
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: redis-replication-matrix-synapse
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: redis-replication-matrix-synapse
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+    redis-operator: "true"
+    env: production
+spec:
+  selector:
+    matchLabels:
+      redis_setup_type: replication
+  endpoints:
+    - port: redis-exporter
+      interval: 30s
+      scrapeTimeout: 10s