Update php Docker tag to v8.5.0

.gitea/workflows/lint-test-helm-pull.yaml

@@ -31,7 +31,7 @@ jobs:
         uses: azure/setup-helm@v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
-          version: v3.19.2
+          version: latest
 
       - name: Lint Helm Chart
         if: steps.check-branch-exists.outputs.exists == 'true'
@@ -67,11 +67,6 @@ jobs:
           echo "$CHANGED_CHARTS"
 
           echo "$CHANGED_CHARTS" | while read -r chart; do
-            helm dependency list --max-col-width 120 $chart 2> /dev/null \
-              | tail +2 | head -n -1 \
-              | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
-
             echo ">> Building dependency for "$chart" ..."
             helm dependency build "$chart"
             echo ">> Linting $chart..."

.gitea/workflows/lint-test-helm-push.yaml

@@ -20,10 +20,12 @@ jobs:
         uses: azure/setup-helm@v4
         with:
           token: ${{ secrets.GITEA_TOKEN }}
-          version: v3.19.2
+          version: latest
 
       - name: Lint Helm Chart
         run: |
+          set -e  # Exit immediately if a command exits with a non-zero status.
+
           TARGET_BRANCH="origin/main"
           echo ">> Target branch for diff is: $TARGET_BRANCH"
 
@@ -53,11 +55,6 @@ jobs:
           echo "$CHANGED_CHARTS"
 
           echo "$CHANGED_CHARTS" | while read -r chart; do
-            helm dependency list --max-col-width 120 $chart 2> /dev/null \
-              | tail +2 | head -n -1 \
-              | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
-
             echo ">> Building dependency for "$chart" ..."
             helm dependency build "$chart"
             echo ">> Linting $chart..."

.gitea/workflows/render-manifests.yaml

@@ -5,27 +5,24 @@ on:
     branches:
       - main
     paths:
-      - 'clusters/cl01tl/helm/**'
+      - 'clusters/**/helm/*'
 
   workflow_dispatch:
 
 env:
-  CLUSTER: cl01tl
+  CLUSTERS: cl01tl
   BASE_BRANCH: manifests
-  BRANCH_NAME: auto/update-manifests
-  ASSIGNEE: alexlebens
   MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
   MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 
 jobs:
-  render-manifests:
+  render-manifests-helm:
     runs-on: ubuntu-js
     steps:
-      - name: Checkout Main
+      - name: Checkout
         uses: actions/checkout@v6
         with:
           path: infrastructure
-          fetch-depth: 0
 
       - name: Checkout Manifests
         uses: actions/checkout@v6
@@ -39,133 +36,61 @@ jobs:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
 
-      - name: Prepare Manifest Branch
+      - name: Remove Prior Manifests
         run: |
-          cd ${MANIFEST_DIR}
+          cd ${MANIFEST_DIR}/clusters
-
+          rm -rf ./*
-          echo ">> Configure git to use gitea-bot as user ..."
-          git config user.name "gitea-bot"
-          git config user.email "gitea-bot@alexlebens.net"
-
-          echo ">> Checking if PR branch exists ..."
-          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
-            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
-            git fetch origin "${BRANCH_NAME}"
-            git checkout "${BRANCH_NAME}"
-            git pull --rebase
-
-          else
-            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
-            git checkout -b $BRANCH_NAME
-          fi
-
-      - name: Check which Directories have Changes
-        id: check-dir-changes
-        run: |
-          cd ${MAIN_DIR}
-
-          GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep "clusters/cl01tl/helm/")
-          CHANGED_DIR=()
-
-          echo ">> Checking for changes .."
-          echo "$GIT_DIFF"
-
-          if [ -n $GIT_DIFF ]; then
-            echo ">> Changes detected"
-
-            for path in $GIT_DIFF; do
-              CHANGED_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
-            done
-
-            echo ">> Changes Directories:"
-            echo "$(printf "%s\n" "$CHANGED_DIR" | sort -u)"
-
-            echo "changes-detected=true" >> $GITEA_OUTPUT
-            echo "changed-dir=$(printf "%s\n" "$CHANGED_DIR" | sort -u)" >> $GITEA_OUTPUT
-          else
-            echo ">> No changes detected, skipping rendering"
-            exit 0
-          fi
 
       - name: Add Repositories
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        env:
-          CHANGED_DIR: ${{ steps.check-dir-changes.outputs.changed-dir }}
         run: |
-          cd ${MAIN_DIR}
+          for cluster in ${CLUSTERS}; do
-
+            echo ">> Adding repositories for chart dependencies of cluster $cluster ..."
-          echo ">> Adding repositories for chart dependencies ..."
+            for chart_path in ${MAIN_DIR}/clusters/$cluster/helm/*; do
-          for dir in ${CHANGED_DIR}; do
+              helm dependency list --max-col-width 120 $chart_path 2> /dev/null \
-            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+                | tail +2 | head -n -1 \
-              | tail +2 | head -n -1 \
+                | awk '{ print "helm repo add " $1 " " $3 }' \
-              | awk '{ print "helm repo add " $1 " " $3 }' \
+                | while read cmd; do echo "$cmd" | sh; done || true
-              | while read cmd; do echo "$cmd" | sh; done || true
+            done
-          done
-
-      - name: Remove Changed Manifest Files
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        env:
-          CHANGED_DIR: ${{ steps.check-dir-changes.outputs.changed-dir }}
-        run: |
-          cd ${MANIFEST_DIR}
-
-          echo ">> Remove manfiest files and rebuild from source ..."
-
-          for dir in ${CHANGED_DIR}; do
-            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
-
-            echo ">> Removing from $chart_path ..."
-            rm -rf $chart_path/*
           done
 
       - name: Render Helm Manifests
-        id: render-manifests
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
-        env:
-          CHANGED_DIR: ${{ steps.check-dir-changes.outputs.changed-dir }}
         run: |
-          cd ${MAIN_DIR}
+          for cluster in ${CLUSTERS}; do
+            for chart_path in ${MAIN_DIR}/clusters/$cluster/helm/*; do
+              chart_name=$(basename "$chart_path")
+              echo ">> Rendering chart: $chart_name"
 
-          echo ">> Rendering Manifests ..."
+              if [ -f "$chart_path/Chart.yaml" ]; then
+                mkdir -p ${MANIFEST_DIR}/clusters/$cluster/manifests/$chart_name
+                OUTPUT_FILE="${MANIFEST_DIR}/clusters/$cluster/manifests/$chart_name/$chart_name.yaml"
 
-          for dir in ${CHANGED_DIR}; do
+                cd $chart_path
-            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
-            chart_name=$(basename "$chart_path")
 
-            echo ">> Rendering chart: $chart_name"
+                echo ""
-            echo ">> Chart path $chart_path"
+                echo ">> Building helm dependency ..."
+                helm dependency build
 
-            if [ -f "$chart_path/Chart.yaml" ]; then
+                echo ""
-              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
+                echo ">> Linting helm ..."
-              OUTPUT_FILE="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/$chart_name.yaml"
+                helm lint --namespace "$chart_name" --with-subcharts
 
-              cd $chart_path
+                echo ""
+                echo ">> Rendering templates ..."
+                helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
 
-              echo ""
+                echo ""
-              echo ">> Building helm dependency ..."
+                echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
-              helm dependency build
+                echo ""
-
+              else
-              echo ""
+                echo ""
-              echo ">> Linting helm ..."
+                echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
-              helm lint --namespace "$chart_name"
+                echo ""
-
+              fi
-              echo ""
+            done
-              echo ">> Rendering templates ..."
-              helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
-
-              echo ""
-              echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
-              echo ""
-            else
-              echo ""
-              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
-              echo ""
-            fi
           done
 
       - name: Check for Changes
         id: check-changes
-        if: steps.check-dir-changes.outputs.changes-detected == 'true'
         run: |
           cd ${MANIFEST_DIR}
 
@@ -184,68 +109,30 @@ jobs:
         run: |
           cd ${MANIFEST_DIR}
 
-          echo ">> Commiting changes to ${BRANCH_NAME} ..."
+          BRANCH_NAME="auto/update-manifests-$(date +%s)"
+
+          # Configure Git
+          echo ">> Configure git to use gitea-bot as user ..."
+          git config user.name "gitea-bot"
+          git config user.email "gitea-bot@alexlebens.net"
+
+          # Create a new branch and stage all changes
+          echo ">> Creating and commiting to $BRANCH_NAME ..."
+          git checkout -b $BRANCH_NAME
           git add .
           git commit -m "chore: Update manifests after change"
 
-          echo ">> Pushing changes to $REPO_URL ..."
+          # Push the new branch to the remote repository
           REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
-          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
+          echo ">> Pushing changes to $REPO_URL ..."
+          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" $BRANCH_NAME
 
-          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
+          echo "HEAD_BRANCH=$BRANCH_NAME" >> $GITEA_OUTPUT
           echo "push=true" >> $GITEA_OUTPUT
 
-      - name: Check for Pull Request
-        id: check-for-pull-requst
-        if: steps.commit-push.outputs.push == 'true'
-        env:
-          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
-          GITEA_URL: ${{ secrets.REPO_URL }}
-          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
-        run: |
-          cd ${MANIFEST_DIR}
-
-          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${BASE_BRANCH}/${HEAD_BRANCH}"
-
-          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
-          echo ">> With Endpoint of:"
-          echo "$API_ENDPOINT"
-
-          HTTP_STATUS=$(
-            curl -X GET \
-              --silent \
-              --write-out '%{http_code}' \
-              --output response_body.json \
-              --dump-header response_headers.txt \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              "$API_ENDPOINT" 2> response_errors.txt
-          )
-
-          echo ">> HTTP Status Code: $HTTP_STATUS"
-          echo ">> Response Output ..."
-          echo "----"
-          cat response_body.json
-          echo "----"
-          cat response_headers.txt
-          echo "----"
-          cat response_errors.txt
-          echo "----"
-
-          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .state)" == "open" ]; then
-            echo ">> Pull Request has been found open, will update"
-            PR_INDEX=$(cat response_body.json | jq -r .number)
-            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
-            echo "pull-request-index=true" >> $GITEA_OUTPUT
-
-          else
-            echo ">> Pull Request not found"
-            echo "pull-request-exists=false" >> $GITEA_OUTPUT
-          fi
-
       - name: Create Pull Request
         id: create-pull-request
-        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
+        if: steps.commit-push.outputs.push == 'true'
         env:
           GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
           GITEA_URL: ${{ secrets.REPO_URL }}
@@ -258,10 +145,9 @@ jobs:
           PAYLOAD=$( jq -n \
             --arg head "${HEAD_BRANCH}" \
             --arg base "${BASE_BRANCH}" \
-            --arg assignee "${ASSIGNEE}" \
+            --arg title "Automated Manifest Update: $(date +%F)" \
-            --arg title "Automated Manifest Update" \
             --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
-            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body'} )
+            '{head: $head, base: $base, title: $title, body: $body'} )
 
           echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
           echo ">> With Endpoint of:"
@@ -293,13 +179,13 @@ jobs:
 
           if [ "$HTTP_STATUS" == "201" ]; then
             echo ">> Pull Request created successfully!"
+
             PR_URL=$(cat response_body.json | jq -r .html_url)
             echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
             echo "pull-request-operation=created" >> $GITEA_OUTPUT
 
           elif [ "$HTTP_STATUS" == "422" ]; then
             echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
-
           else
             echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
             exit 1

clusters/cl01tl/applications/actual/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: actual
+version: 1.0.0
+description: Actual
+keywords:
+  - actual
+  - budget
+home: https://wiki.alexlebens.dev/s/86192f45-94b7-45de-872c-6ef3fec7df5e
+sources:
+  - https://github.com/actualbudget/actual
+  - https://github.com/actualbudget/actual/pkgs/container/actual
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: actual
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.4.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
+appVersion: v25.5.0

clusters/cl01tl/applications/actual/templates/external-secret.yaml

@@ -0,0 +1,55 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: actual-data-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: actual-data-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: S3_BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/volsync/restic/config
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: access_key
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/volsync-backups
+        metadataPolicy: None
+        property: secret_key

clusters/cl01tl/applications/actual/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-actual
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-actual
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - actual.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: actual
+          port: 80
+          weight: 100

clusters/cl01tl/applications/actual/templates/replication-source.yaml

@@ -0,0 +1,25 @@
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: actual-data-backup-source
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: actual-data-backup-source
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  sourcePVC: actual-data
+  trigger:
+    schedule: 0 4 * * *
+  restic:
+    pruneIntervalDays: 7
+    repository: actual-data-backup-secret
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/applications/actual/values.yaml

@@ -0,0 +1,56 @@
+actual:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: ghcr.io/actualbudget/actual
+            tag: 25.11.0
+            pullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: US/Central
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+          probes:
+            liveness:
+              enabled: true
+              custom: true
+              spec:
+                exec:
+                  command:
+                  - /usr/bin/env
+                  - bash
+                  - -c
+                  - node src/scripts/health-check.js
+                failureThreshold: 5
+                initialDelaySeconds: 60
+                periodSeconds: 10
+                successThreshold: 1
+                timeoutSeconds: 10
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 5006
+          protocol: HTTP
+  persistence:
+    data:
+      forceRename: actual-data
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 2Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /data
+              readOnly: false

clusters/cl01tl/applications/bazarr/values.yaml

@@ -15,7 +15,7 @@ bazarr:
         main:
           image:
             repository: ghcr.io/linuxserver/bazarr
-            tag: 1.5.3@sha256:ec11e988e8e13411c994a4d9f43ed9b97409aa92c1da54d9f23926c3da7c2032
+            tag: 1.5.3@sha256:2be164c02c0bb311b6c32e57d3d0ddc2813d524e89ab51a3408c1bf6fafecda5
             pullPolicy: IfNotPresent
           env:
             - name: TZ