chore(release): 0.13.0 [skip ci]

# [0.13.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.12.0...0.13.0) (2026-03-31)

### Features

* documentation on vault ssh ([648fb31](648fb319b1))

CHANGELOG.md

@@ -1,3 +1,19 @@
+# [0.13.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.12.0...0.13.0) (2026-03-31)
+
+
+### Features
+
+* documentation on vault ssh ([648fb31](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/648fb319b192ecd7826fe03599f7a0ee55a419ea))
+
+# [0.12.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.11.0...0.12.0) (2026-03-30)
+
+
+### Features
+
+* add more apps ([e13f3e3](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/e13f3e30e2a73a712008f65cc5932cbe1e71adb2))
+* add more apps ([ef4ff67](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/ef4ff67818d2758e21b9f0076519ca9221f74bb0))
+* add more apps ([32eacf8](http://gitea-http.gitea:3000/alexlebens/site-documentation/commit/32eacf8df7cd07eaf33a46d9df88e22f22d0cbf6))
+
 # [0.11.0](http://gitea-http.gitea:3000/alexlebens/site-documentation/compare/0.10.0...0.11.0) (2026-03-27)
 
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "site-documentation",
   "type": "module",
-  "version": "0.11.0",
+  "version": "0.13.0",
   "scripts": {
     "dev": "astro dev",
     "build": "astro build",

src/content/docs/applications/gatus.mdx

@@ -0,0 +1,15 @@
+---
+title: Gatus
+description: Gatus is a developer-oriented health dashboard that gives you the ability to monitor your services using HTTP, ICMP, TCP, and even DNS queries as well as evaluate the result of said queries by using a list of conditions on values like the status code, the response time, the certificate expiration, the body and many others.
+hero:
+  tagline: Gatus is a developer-oriented health dashboard that gives you the ability to monitor your services using HTTP, ICMP, TCP, and even DNS queries as well as evaluate the result of said queries by using a list of conditions on values like the status code, the response time, the certificate expiration, the body and many others.
+  image:
+    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/gatus.webp
+  actions:
+    - text: Source
+      link: https://github.com/TwiN/gatus
+      icon: right-arrow
+    - text: Deployment Chart
+      link: https://gitea.alexlebens.dev/alexlebens/infrastructure/src/branch/main/clusters/cl01tl/helm/gatus
+      icon: right-arrow
+---

src/content/docs/applications/generic-device-plugin.mdx

@@ -0,0 +1,15 @@
+---
+title: Generic Device Plugin
+description: Generic Device Plugin enables allocating generic Linux devices, such as serial devices, the FUSE device, or video cameras, to Kubernetes Pods. 
+hero:
+  tagline: Generic Device Plugin enables allocating generic Linux devices, such as serial devices, the FUSE device, or video cameras, to Kubernetes Pods. 
+  image:
+    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/kubernetes.webp
+  actions:
+    - text: Source
+      link: https://github.com/squat/generic-device-plugin
+      icon: right-arrow
+    - text: Deployment Chart
+      link: https://gitea.alexlebens.dev/alexlebens/infrastructure/src/branch/main/clusters/cl01tl/helm/generic-device-plugin
+      icon: right-arrow
+---

src/content/docs/applications/gitea.mdx

@@ -0,0 +1,15 @@
+---
+title: Gitea
+description: Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
+hero:
+  tagline: Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
+  image:
+    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/gitea.webp
+  actions:
+    - text: Source
+      link: https://github.com/go-gitea/gitea
+      icon: right-arrow
+    - text: Deployment Chart
+      link: https://gitea.alexlebens.dev/alexlebens/infrastructure/src/branch/main/clusters/cl01tl/helm/gitea
+      icon: right-arrow
+---

src/content/docs/applications/grafana-operator.mdx

@@ -0,0 +1,15 @@
+---
+title: Grafana Operator
+description: Grafana Operator is a Kubernetes operator built to help you manage your Grafana instances and its resources in and outside of Kubernetes.
+hero:
+  tagline: Grafana Operator is a Kubernetes operator built to help you manage your Grafana instances and its resources in and outside of Kubernetes.
+  image:
+    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/grafana.webp
+  actions:
+    - text: Source
+      link: https://github.com/grafana/grafana-operator
+      icon: right-arrow
+    - text: Deployment Chart
+      link: https://gitea.alexlebens.dev/alexlebens/infrastructure/src/branch/main/clusters/cl01tl/helm/grafana-operator
+      icon: right-arrow
+---

src/content/docs/applications/harbor.mdx

@@ -0,0 +1,15 @@
+---
+title: Harbor
+description: Harbor is an open source trusted cloud native registry project that stores, signs, and scans content.
+hero:
+  tagline: Harbor is an open source trusted cloud native registry project that stores, signs, and scans content.
+  image:
+    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/harbor.webp
+  actions:
+    - text: Source
+      link: https://github.com/goharbor/harbor
+      icon: right-arrow
+    - text: Deployment Chart
+      link: https://gitea.alexlebens.dev/alexlebens/infrastructure/src/branch/main/clusters/cl01tl/helm/harbor
+      icon: right-arrow
+---

src/content/docs/applications/headlamp.mdx

@@ -0,0 +1,15 @@
+---
+title: Headlamp
+description: Headlamp is an easy-to-use and extensible Kubernetes web UI and was created to blend the traditional feature set of other web UIs/dashboards with added functionality.
+hero:
+  tagline: Headlamp is an easy-to-use and extensible Kubernetes web UI and was created to blend the traditional feature set of other web UIs/dashboards with added functionality.
+  image:
+    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/headlamp.webp
+  actions:
+    - text: Source
+      link: https://github.com/kubernetes-sigs/headlamp
+      icon: right-arrow
+    - text: Deployment Chart
+      link: https://gitea.alexlebens.dev/alexlebens/infrastructure/src/branch/main/clusters/cl01tl/helm/headlamp
+      icon: right-arrow
+---

src/content/docs/applications/home-assistant.mdx

@@ -0,0 +1,15 @@
+---
+title: Home Assistant
+description: Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts.
+hero:
+  tagline: Open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts.
+  image:
+    file: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/home-assistant.webp
+  actions:
+    - text: Source
+      link: https://github.com/home-assistant/core
+      icon: right-arrow
+    - text: Deployment Chart
+      link: https://gitea.alexlebens.dev/alexlebens/infrastructure/src/branch/main/clusters/cl01tl/helm/home-assistant
+      icon: right-arrow
+---

src/content/docs/guides/vault-ssh-ca.md

@@ -0,0 +1,105 @@
+---
+title: Vault SSH Certificate Authority
+description: Steps followed to enable using Vault as a CA for ssh login
+---
+
+# Setup
+
+[Reference Vault Documentation](https://developer.hashicorp.com/vault/docs/secrets/ssh/signed-ssh-certificates#host-key-signing)
+
+I have set the documenation to use my own defaults and configuration. This also assumes a running and active Vault instance.
+
+## Enable the SSH CA
+
+I followed the defaults mostly in the docs, reference the above link for details. Use either root or a role with permissions for the endpoints.
+
+Start with enabling the mount.
+```bash
+vault secrets enable -path=ssh-client-signer ssh
+```
+
+Generate a key. This will be used only for signing and not for client authentication. Keep it in a secure location, rename the path the key will be written to.
+```bash
+ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
+```
+
+Add the above signing key.
+```bash
+vault write ssh-client-signer/config/ca private_key="..." public_key="..."
+```
+
+## Create Client Role and Key
+
+Once the above is complete, create a role to use to sign your own client cert. I used my common username and configurations. This can also be done in the Vault UI.
+```bash
+vault write ssh-client-signer/roles/alexlebens -<<"EOH"
+{
+  "algorithm_signer": "rsa-sha2-256",
+  "allow_user_certificates": true,
+  "allowed_users": "*",
+  "allowed_extensions": "permit-pty,permit-port-forwarding",
+  "default_extensions": {
+    "permit-pty": ""
+  },
+  "key_type": "ca",
+  "default_user": "alexlebens",
+  "ttl": "30m0s"
+}
+EOH
+```
+
+## Create Client Key
+
+Generate the ssh key to use to authenticate to your hosts. This is the one to keep in ~/.ssh.
+```bash
+ssh-keygen -t rsa -C "alexanderlebens@gmail.com"
+```
+
+## Configure SSH to use the Key and Cert
+
+SSH will defailt to using the cert when using the matching name "id_rsa_host-cert.pub" as shown in the renewal certificate section. Use the principal as signed by Vault as the User and set the IdentityFile to the Key as generated above.
+```
+Host ps08rp
+    Hostname 10.232.1.51
+    User alexlebens
+    IdentityFile ~/.ssh/id_rsa_host
+```
+
+# Operations
+
+## Prepare Target Host
+
+Download the public cert from the endpoint.
+```bash
+curl -o /etc/ssh/trusted-user-ca-keys.pem https://vault.alexlebens.net/v1/ssh-client-signer/public_key
+```
+
+Then add that file to the sshd config.
+```
+TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem
+```
+
+### Automation
+
+This step is currently manual as I have few hosts that I need ssh for. The most common tool for automation would be Ansible. But this would only be useful for my RaspberyPis and I plan to migrate those to Talos and Kubernetes in the future.
+
+## Renew Client Certificate
+
+Sign the client cert, on your machine, with the Vault CA.
+```bash
+vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub
+```
+
+I added the following to my .zshrc to make this easier. So now I just run "vault-renew" before I need to ssh.
+```
+# Vault
+export VAULT_ADDR="https://vault.alexlebens.net"
+alias vault-renew='vault write -field=signed_key ssh-client-signer/sign/alexlebens public_key=@$HOME/.ssh/id_rsa_host.pub > ~/.ssh/id_rsa_host-cert.pub'
+```
+
+### View Cert Details
+
+For troubleshooting purposes or clafification use the follow to inspect the cert.
+```bash
+ssh-keygen -Lf ~/.ssh/id_rsa_host-cert.pub
+```