chore(deps): update alpine docker tag to v3.23

.gitignore

@@ -10,3 +10,4 @@ devenv.local.yaml
 
 # pre-commit
 .pre-commit-config.yaml
+.opencode

.vscode/extensions.json

@@ -2,6 +2,7 @@
   "recommendations": [
     "jnoortheen.nix-ide",
     "detachhead.basedpyright",
-    "mkhl.direnv"
+    "mkhl.direnv",
+    "mermaidchart.vscode-mermaid-chart"
   ]
 }

Makefile

@@ -1,3 +1,7 @@
+SHELL := /usr/bin/env bash
+
+.PHONY: install-router gen-talos-config apply-talos-config get-kubeconfig garm-image-build garm-image-push garm-image-build-push
+
 install-router:
 	ansible-playbook ansible/playbook.yml -i ansible/hosts
 
@@ -23,3 +27,19 @@ apply-talos-config:
 
 get-kubeconfig:
 	talosctl -n anapistula-delrosalae kubeconfig talos/generated/kubeconfig
+
+garm-image-build:
+	set -euo pipefail; \
+	source apps/garm/image-source.env; \
+	docker build \
+		-f docker/garm/Dockerfile \
+		--build-arg GARM_COMMIT=$$GARM_COMMIT \
+		-t $$GARM_IMAGE \
+		.
+
+garm-image-push:
+	set -euo pipefail; \
+	source apps/garm/image-source.env; \
+	docker push $$GARM_IMAGE
+
+garm-image-build-push: garm-image-build garm-image-push

apps/authentik/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - postgres-volume.yaml
+  - postgres-cluster.yaml
+  - secret.yaml
+  - release.yaml

apps/authentik/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authentik

apps/authentik/postgres-cluster.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: authentik-postgresql-cluster-lvmhdd
+  namespace: authentik
+spec:
+  instances: 1
+
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.4
+
+  bootstrap:
+    initdb:
+      database: authentik
+      owner: authentik
+
+  storage:
+    pvcTemplate:
+      storageClassName: hdd-lvmpv
+      resources:
+        requests:
+          storage: 10Gi
+      volumeName: authentik-postgresql-cluster-lvmhdd-1

apps/authentik/postgres-volume.yaml

@@ -0,0 +1,33 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: authentik-postgresql-cluster-lvmhdd-1
+  namespace: openebs
+spec:
+  capacity: 10Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: authentik-postgresql-cluster-lvmhdd-1
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: authentik-postgresql-cluster-lvmhdd-1
+---
+# PVCs are dynamically created by the Postgres operator

apps/authentik/release.yaml

@@ -0,0 +1,61 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  interval: 24h
+  url: https://charts.goauthentik.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: authentik
+      version: 2026.2.1
+      sourceRef:
+        kind: HelmRepository
+        name: authentik
+        namespace: authentik
+      interval: 12h
+  values:
+    authentik:
+      postgresql:
+        host: authentik-postgresql-cluster-lvmhdd-rw
+        name: authentik
+        user: authentik
+
+    global:
+      env:
+        - name: AUTHENTIK_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: authentik-secret
+              key: secret_key
+        - name: AUTHENTIK_POSTGRESQL__PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: authentik-postgresql-cluster-lvmhdd-app
+              key: password
+
+    postgresql:
+      enabled: false
+
+    server:
+      ingress:
+        enabled: true
+        ingressClassName: nginx-ingress
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt
+        hosts:
+          - authentik.lumpiasty.xyz
+        tls:
+          - secretName: authentik-ingress
+            hosts:
+              - authentik.lumpiasty.xyz

apps/authentik/secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: authentik-secret
+  namespace: authentik
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: authentik
+    serviceAccount: authentik-secret
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: authentik-secret
+  namespace: authentik
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: authentik
+
+  destination:
+    create: true
+    name: authentik-secret
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: authentik

apps/garm/README.md

@@ -0,0 +1,49 @@
+# garm
+
+This app deploys `garm` with external `garm-provider-k8s`.
+
+- API/UI ingress: `https://garm.lumpiasty.xyz`
+- Internal service DNS: `http://garm.garm.svc.cluster.local:9997`
+
+## Vault secret requirements
+
+`VaultStaticSecret` reads `secret/data/garm` and expects at least:
+
+- `jwt_auth_secret`
+- `database_passphrase` (must be 32 characters)
+
+## Connect garm to Gitea
+
+After Flux reconciles this app, initialize garm and add Gitea endpoint/credentials.
+
+```bash
+# 1) Initialize garm (from your local devenv shell)
+garm-cli init \
+  --name homelab \
+  --url https://garm.lumpiasty.xyz \
+  --username admin \
+  --email admin@lumpiasty.xyz \
+  --password '<STRONG_ADMIN_PASSWORD>' \
+  --metadata-url http://garm.garm.svc.cluster.local:9997/api/v1/metadata \
+  --callback-url http://garm.garm.svc.cluster.local:9997/api/v1/callbacks \
+  --webhook-url http://garm.garm.svc.cluster.local:9997/webhooks
+
+# 2) Add Gitea endpoint
+garm-cli gitea endpoint create \
+  --name local-gitea \
+  --description 'Cluster Gitea' \
+  --base-url http://gitea-http.gitea.svc.cluster.local:80 \
+  --api-base-url http://gitea-http.gitea.svc.cluster.local:80/api/v1
+
+# 3) Add Gitea PAT credentials
+garm-cli gitea credentials add \
+  --name gitea-pat \
+  --description 'PAT for garm' \
+  --endpoint local-gitea \
+  --auth-type pat \
+  --pat-oauth-token '<GITEA_PAT_WITH_write:repository,write:organization>'
+```
+
+Then add repositories/orgs and create pools against provider `kubernetes_external`.
+
+If Gitea refuses webhook installation to cluster-local URLs, set `gitea.config.webhook.ALLOWED_HOST_LIST` in `apps/gitea/release.yaml`.

apps/garm/deployment.yaml

@@ -15,18 +15,6 @@ spec:
     spec:
       serviceAccountName: garm
       initContainers:
-        - name: install-garm-provider-k8s
-          image: alpine:3.23
-          command:
-            - /bin/sh
-            - -ec
-            - |
-              wget -qO /tmp/garm-provider-k8s.tar.gz "https://github.com/mercedes-benz/garm-provider-k8s/releases/download/v0.3.2/garm-provider-k8s_Linux_x86_64.tar.gz"
-              tar -xzf /tmp/garm-provider-k8s.tar.gz -C /opt/garm/providers.d
-              chmod 0755 /opt/garm/providers.d/garm-provider-k8s
-          volumeMounts:
-            - name: provider-dir
-              mountPath: /opt/garm/providers.d
         - name: render-garm-config
           image: alpine:3.23
           env:
@@ -90,7 +78,7 @@ spec:
               mountPath: /etc/garm
       containers:
         - name: garm
-          image: ghcr.io/cloudbase/garm:v0.1.7
+          image: gitea.lumpiasty.xyz/lumpiasty/garm-k8s:r1380
           imagePullPolicy: IfNotPresent
           command:
             - /bin/garm
@@ -104,8 +92,6 @@ spec:
               mountPath: /data
             - name: config-dir
               mountPath: /etc/garm
-            - name: provider-dir
-              mountPath: /opt/garm/providers.d
             - name: provider-config
               mountPath: /etc/garm/provider-config.yaml
               subPath: provider-config.yaml
@@ -115,8 +101,6 @@ spec:
             claimName: garm-lvmhdd
         - name: config-dir
           emptyDir: {}
-        - name: provider-dir
-          emptyDir: {}
         - name: provider-config
           configMap:
             name: garm-provider-k8s-config

apps/garm/image-source.env

@@ -0,0 +1,5 @@
+# renovate: datasource=github-refs depName=cloudbase/garm versioning=git
+GARM_COMMIT=818a9dddccba5f2843f185e6a846770988f31fc5
+GARM_COMMIT_NUMBER=1380
+GARM_IMAGE_REPO=gitea.lumpiasty.xyz/lumpiasty/garm-k8s
+GARM_IMAGE=gitea.lumpiasty.xyz/lumpiasty/garm-k8s:r1380

apps/garm/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: garm
+  name: garm
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+    - host: garm.lumpiasty.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: garm
+                port:
+                  number: 9997
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - garm.lumpiasty.xyz
+      secretName: garm-ingress

apps/garm/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - pvc.yaml
   - configmap.yaml
   - service.yaml
+  - ingress.yaml
   - rbac.yaml
   - secret.yaml
   - deployment.yaml

apps/garm/rbac.yaml

@@ -27,3 +27,25 @@ roleRef:
   kind: Role
   name: garm-provider-k8s
   apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: garm-namespace-manager
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: garm-namespace-manager
+subjects:
+  - kind: ServiceAccount
+    name: garm
+    namespace: garm
+roleRef:
+  kind: ClusterRole
+  name: garm-namespace-manager
+  apiGroup: rbac.authorization.k8s.io

apps/gitea/release.yaml

@@ -90,6 +90,11 @@ spec:
         # Requirement for sharing ip with other service
         externalTrafficPolicy: Cluster
         ipFamilyPolicy: RequireDualStack
+      http:
+        type: ClusterIP
+        # We need the service to be at port 80 specifically
+        # to work around bug of Actions Runner
+        port: 80
 
     ingress:
       enabled: true
@@ -97,7 +102,7 @@ spec:
       annotations:
         cert-manager.io/cluster-issuer: letsencrypt
         acme.cert-manager.io/http01-edit-in-place: "true"
-        nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+        nginx.ingress.kubernetes.io/proxy-body-size: "1g"
       hosts:
         - host: gitea.lumpiasty.xyz
           paths:

apps/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - authentik
   - gitea
   - renovate
   - librechat

apps/renovate/configmap.yaml

@@ -9,3 +9,4 @@ data:
   RENOVATE_ENDPOINT: https://gitea.lumpiasty.xyz/api/v1
   RENOVATE_PLATFORM: gitea
   RENOVATE_GIT_AUTHOR: Renovate Bot <renovate@lumpiasty.xyz>
+  RENOVATE_ALLOWED_COMMANDS: '["^node utils/update-garm-cli-hash\\.mjs$", "^node utils/update-garm-image-pin\\.mjs$"]'

devenv.lock

@@ -3,10 +3,11 @@
     "devenv": {
       "locked": {
         "dir": "src/modules",
-        "lastModified": 1769881431,
+        "lastModified": 1773504385,
+        "narHash": "sha256-ANaeR+xVHxjGz36VI4qlZUbdhrlSE0xU7O7AUJKw3zU=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "72d5e66e2dd5112766ef4c9565872b51094b542d",
+        "rev": "4bce49e6f60c69e99eeb643efbbf74125cefd329",
         "type": "github"
       },
       "original": {
@@ -16,27 +17,13 @@
         "type": "github"
       }
     },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1767039857,
-        "owner": "NixOS",
-        "repo": "flake-compat",
-        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
       },
       "locked": {
         "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
         "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
@@ -48,47 +35,6 @@
         "type": "github"
       }
     },
-    "git-hooks": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1769069492,
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
-    "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "git-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1762808025,
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "cb5e3fdca1de58ccbc3ef53de65bd372b48f567c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
     "krew2nix": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -99,10 +45,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1769904483,
+        "lastModified": 1773451905,
+        "narHash": "sha256-S/bukFEwbOYQbnR5UpciwYA42aEt1w5LK73GwARhsaA=",
         "owner": "a1994sc",
         "repo": "krew2nix",
-        "rev": "17d6ad3375899bd3f7d4d298481536155f3ec13c",
+        "rev": "bc779a8cf59ebf76ae60556bfe2d781a0a4cdbd9",
         "type": "github"
       },
       "original": {
@@ -113,10 +60,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1769461804,
+        "lastModified": 1773389992,
+        "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
+        "rev": "c06b4ae3d6599a672a6210b7021d699c351eebda",
         "type": "github"
       },
       "original": {
@@ -129,17 +77,14 @@
     "root": {
       "inputs": {
         "devenv": "devenv",
-        "git-hooks": "git-hooks",
         "krew2nix": "krew2nix",
-        "nixpkgs": "nixpkgs",
-        "pre-commit-hooks": [
-          "git-hooks"
-        ]
+        "nixpkgs": "nixpkgs"
       }
     },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
         "owner": "nix-systems",
         "repo": "default",
         "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -154,6 +99,7 @@
     "systems_2": {
       "locked": {
         "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
         "owner": "nix-systems",
         "repo": "default",
         "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -173,10 +119,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769691507,
+        "lastModified": 1773297127,
+        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "28b19c5844cc6e2257801d43f2772a4b4c050a1b",
+        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
         "type": "github"
       },
       "original": {
@@ -188,4 +135,4 @@
   },
   "root": "root",
   "version": 7
-}
+}

devenv.nix

@@ -6,6 +6,8 @@ let
     hvac
     librouteros
   ]);
+
+  garm-cli = pkgs.callPackage ./nix/garm-cli.nix { };
 in
 {
   # Overlays - apply krew2nix to get kubectl with krew support
@@ -41,6 +43,9 @@ in
     openbao
     pv-migrate
     mermaid-cli
+    opencode
+    garm-cli
+    tea
   ];
 
   # Scripts

docker/garm/Dockerfile

@@ -0,0 +1,28 @@
+FROM golang:1.25-alpine AS build
+
+ARG GARM_COMMIT
+ARG GARM_PROVIDER_K8S_VERSION=0.3.2
+
+RUN apk add --no-cache ca-certificates git wget tar build-base util-linux-dev linux-headers
+
+WORKDIR /src
+RUN git clone https://github.com/cloudbase/garm.git . && git checkout "${GARM_COMMIT}"
+
+RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 \
+  go build -trimpath \
+  -tags osusergo,netgo,sqlite_omit_load_extension \
+  -ldflags="-linkmode external -extldflags '-static' -s -w" \
+  -o /out/garm ./cmd/garm
+
+RUN mkdir -p /out/providers.d \
+  && wget -qO /tmp/garm-provider-k8s.tar.gz "https://github.com/mercedes-benz/garm-provider-k8s/releases/download/v${GARM_PROVIDER_K8S_VERSION}/garm-provider-k8s_Linux_x86_64.tar.gz" \
+  && tar -xzf /tmp/garm-provider-k8s.tar.gz -C /out/providers.d \
+  && chmod 0755 /out/providers.d/garm-provider-k8s
+
+FROM busybox
+
+COPY --from=build /out/garm /bin/garm
+COPY --from=build /out/providers.d/garm-provider-k8s /opt/garm/providers.d/garm-provider-k8s
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ENTRYPOINT ["/bin/garm"]

nix/garm-cli.nix

@@ -0,0 +1,45 @@
+{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
+
+buildGoModule rec {
+  pname = "garm-cli";
+  version = "r1380";
+  garmCommit = "818a9dddccba5f2843f185e6a846770988f31fc5";
+
+  src = fetchFromGitHub {
+    owner = "cloudbase";
+    repo = "garm";
+    rev = garmCommit;
+    hash = "sha256-CTqqabNYUMSrmnQVCWml1/vkDw+OP1uJo1KFhBSZpYY=";
+  };
+
+  subPackages = [ "cmd/garm-cli" ];
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  vendorHash = null;
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X main.version=${version}"
+  ];
+
+  postInstall = ''
+    # We need to set a temporary HOME for the completion scripts as workaround
+    # because garm-cli tries to write config to the home directory
+    # when generating the completion scripts
+    export HOME="$(mktemp -d)"
+
+    installShellCompletion --cmd garm-cli \
+      --bash <($out/bin/garm-cli completion bash) \
+      --fish <($out/bin/garm-cli completion fish) \
+      --zsh <($out/bin/garm-cli completion zsh)
+  '';
+
+  meta = {
+    description = "CLI for GitHub Actions Runner Manager";
+    homepage = "https://github.com/cloudbase/garm";
+    license = lib.licenses.asl20;
+    mainProgram = "garm-cli";
+  };
+}

renovate.json

@@ -10,8 +10,57 @@
       "gotk-components\\.ya?ml$"
     ]
   },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Track garm-cli pinned main commit",
+      "managerFilePatterns": ["^nix/garm-cli\\.nix$"],
+      "matchStrings": ["garmCommit = \\\"(?<currentValue>[a-f0-9]{40})\\\";"],
+      "depNameTemplate": "cloudbase/garm",
+      "datasourceTemplate": "github-refs",
+      "versioningTemplate": "git"
+    },
+    {
+      "customType": "regex",
+      "description": "Track garm-provider-k8s release in garm image Dockerfile",
+      "managerFilePatterns": ["^docker/garm/Dockerfile$"],
+      "matchStrings": ["ARG GARM_PROVIDER_K8S_VERSION=(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)"],
+      "depNameTemplate": "mercedes-benz/garm-provider-k8s",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track pinned garm main commit",
+      "managerFilePatterns": ["^apps/garm/image-source\\.env$"],
+      "matchStrings": ["GARM_COMMIT=(?<currentValue>[a-f0-9]{40})"],
+      "depNameTemplate": "cloudbase/garm",
+      "datasourceTemplate": "github-refs",
+      "versioningTemplate": "git"
+    }
+  ],
   "prHourlyLimit": 9,
   "packageRules": [
+    {
+      "matchManagers": ["custom.regex"],
+      "matchDepNames": ["cloudbase/garm"],
+      "matchFileNames": ["nix/garm-cli.nix"],
+      "postUpgradeTasks": {
+        "commands": ["node utils/update-garm-cli-hash.mjs"],
+        "fileFilters": ["nix/garm-cli.nix"],
+        "executionMode": "update"
+      }
+    },
+    {
+      "matchManagers": ["custom.regex"],
+      "matchDepNames": ["cloudbase/garm"],
+      "matchFileNames": ["apps/garm/image-source.env"],
+      "postUpgradeTasks": {
+        "commands": ["node utils/update-garm-image-pin.mjs"],
+        "fileFilters": ["apps/garm/image-source.env", "apps/garm/deployment.yaml"],
+        "executionMode": "update"
+      }
+    },
     {
       "matchDatasources": ["docker"],
       "matchPackageNames": ["ghcr.io/mostlygeek/llama-swap"],

utils/update-garm-cli-hash.mjs

@@ -0,0 +1,320 @@
+import { createHash } from "node:crypto";
+import { Buffer } from "node:buffer";
+import fs from "node:fs";
+import https from "node:https";
+import zlib from "node:zlib";
+
+const nixFile = "nix/garm-cli.nix";
+
+function die(message) {
+  console.error(message);
+  process.exit(1);
+}
+
+function readText(filePath) {
+  try {
+    return fs.readFileSync(filePath, "utf8");
+  } catch {
+    die(`Missing ${filePath}`);
+  }
+}
+
+function extractVersion(text) {
+  const match = text.match(/^\s*version\s*=\s*"([^"]+)";/m);
+  if (!match) {
+    die(`Unable to extract version from ${nixFile}`);
+  }
+  return match[1];
+}
+
+function extractCommit(text) {
+  const match = text.match(/^\s*garmCommit\s*=\s*"([a-f0-9]{40})";/m);
+  return match ? match[1] : null;
+}
+
+function writeU64LE(hash, value) {
+  const buf = Buffer.alloc(8);
+  buf.writeBigUInt64LE(BigInt(value), 0);
+  hash.update(buf);
+}
+
+function writeNarString(hash, data) {
+  writeU64LE(hash, data.length);
+  hash.update(data);
+  const pad = (8 - (data.length % 8)) % 8;
+  if (pad) {
+    hash.update(Buffer.alloc(pad));
+  }
+}
+
+function writeNarText(hash, text) {
+  writeNarString(hash, Buffer.from(text, "utf8"));
+}
+
+function parseOctal(field) {
+  const clean = field.toString("ascii").replace(/\0.*$/, "").trim();
+  if (!clean) {
+    return 0;
+  }
+  return Number.parseInt(clean, 8);
+}
+
+function parseTarHeader(block) {
+  const name = block.subarray(0, 100).toString("utf8").replace(/\0.*$/, "");
+  const mode = parseOctal(block.subarray(100, 108));
+  const size = parseOctal(block.subarray(124, 136));
+  const typeflagRaw = block[156];
+  const typeflag = typeflagRaw === 0 ? "0" : String.fromCharCode(typeflagRaw);
+  const linkname = block.subarray(157, 257).toString("utf8").replace(/\0.*$/, "");
+  const prefix = block.subarray(345, 500).toString("utf8").replace(/\0.*$/, "");
+  return {
+    name: prefix ? `${prefix}/${name}` : name,
+    mode,
+    size,
+    typeflag,
+    linkname,
+  };
+}
+
+function parsePax(data) {
+  const out = {};
+  let i = 0;
+  while (i < data.length) {
+    let sp = i;
+    while (sp < data.length && data[sp] !== 0x20) sp += 1;
+    if (sp >= data.length) break;
+    const len = Number.parseInt(data.subarray(i, sp).toString("utf8"), 10);
+    if (!Number.isFinite(len) || len <= 0) break;
+    const record = data.subarray(sp + 1, i + len).toString("utf8");
+    const eq = record.indexOf("=");
+    if (eq > 0) {
+      const key = record.slice(0, eq);
+      const value = record.slice(eq + 1).replace(/\n$/, "");
+      out[key] = value;
+    }
+    i += len;
+  }
+  return out;
+}
+
+function parseTarEntries(archiveBuffer) {
+  const gz = zlib.gunzipSync(archiveBuffer);
+  const entries = [];
+  let i = 0;
+  let pendingPax = null;
+  let longName = null;
+  let longLink = null;
+
+  while (i + 512 <= gz.length) {
+    const header = gz.subarray(i, i + 512);
+    i += 512;
+
+    if (header.every((b) => b === 0)) {
+      break;
+    }
+
+    const h = parseTarHeader(header);
+    const data = gz.subarray(i, i + h.size);
+    const dataPad = (512 - (h.size % 512)) % 512;
+    i += h.size + dataPad;
+
+    if (h.typeflag === "x") {
+      pendingPax = parsePax(data);
+      continue;
+    }
+    if (h.typeflag === "g") {
+      continue;
+    }
+    if (h.typeflag === "L") {
+      longName = data.toString("utf8").replace(/\0.*$/, "");
+      continue;
+    }
+    if (h.typeflag === "K") {
+      longLink = data.toString("utf8").replace(/\0.*$/, "");
+      continue;
+    }
+
+    const path = pendingPax?.path ?? longName ?? h.name;
+    const linkpath = pendingPax?.linkpath ?? longLink ?? h.linkname;
+
+    entries.push({
+      path,
+      typeflag: h.typeflag,
+      mode: h.mode,
+      linkname: linkpath,
+      data,
+    });
+
+    pendingPax = null;
+    longName = null;
+    longLink = null;
+  }
+
+  return entries;
+}
+
+function stripTopDir(path) {
+  const cleaned = path.replace(/^\.?\//, "").replace(/\/$/, "");
+  const idx = cleaned.indexOf("/");
+  if (idx === -1) return "";
+  return cleaned.slice(idx + 1);
+}
+
+function ensureDir(root, relPath) {
+  if (!relPath) return root;
+  const parts = relPath.split("/").filter(Boolean);
+  let cur = root;
+  for (const part of parts) {
+    let child = cur.children.get(part);
+    if (!child) {
+      child = { kind: "directory", children: new Map() };
+      cur.children.set(part, child);
+    }
+    if (child.kind !== "directory") {
+      die(`Path conflict while building tree at ${relPath}`);
+    }
+    cur = child;
+  }
+  return cur;
+}
+
+function buildTree(entries) {
+  const root = { kind: "directory", children: new Map() };
+  for (const entry of entries) {
+    const rel = stripTopDir(entry.path);
+    if (!rel) {
+      continue;
+    }
+
+    const parts = rel.split("/").filter(Boolean);
+    const name = parts.pop();
+    const parent = ensureDir(root, parts.join("/"));
+
+    if (entry.typeflag === "5") {
+      const existing = parent.children.get(name);
+      if (!existing) {
+        parent.children.set(name, { kind: "directory", children: new Map() });
+      } else if (existing.kind !== "directory") {
+        die(`Path conflict at ${rel}`);
+      }
+      continue;
+    }
+
+    if (entry.typeflag === "2") {
+      parent.children.set(name, { kind: "symlink", target: entry.linkname });
+      continue;
+    }
+
+    if (entry.typeflag === "0") {
+      parent.children.set(name, {
+        kind: "regular",
+        executable: (entry.mode & 0o111) !== 0,
+        contents: Buffer.from(entry.data),
+      });
+      continue;
+    }
+  }
+  return root;
+}
+
+function compareUtf8(a, b) {
+  return Buffer.from(a, "utf8").compare(Buffer.from(b, "utf8"));
+}
+
+function narDump(hash, node) {
+  if (node.kind === "directory") {
+    writeNarText(hash, "(");
+    writeNarText(hash, "type");
+    writeNarText(hash, "directory");
+    const names = [...node.children.keys()].sort(compareUtf8);
+    for (const name of names) {
+      writeNarText(hash, "entry");
+      writeNarText(hash, "(");
+      writeNarText(hash, "name");
+      writeNarString(hash, Buffer.from(name, "utf8"));
+      writeNarText(hash, "node");
+      narDump(hash, node.children.get(name));
+      writeNarText(hash, ")");
+    }
+    writeNarText(hash, ")");
+    return;
+  }
+
+  if (node.kind === "symlink") {
+    writeNarText(hash, "(");
+    writeNarText(hash, "type");
+    writeNarText(hash, "symlink");
+    writeNarText(hash, "target");
+    writeNarString(hash, Buffer.from(node.target, "utf8"));
+    writeNarText(hash, ")");
+    return;
+  }
+
+  writeNarText(hash, "(");
+  writeNarText(hash, "type");
+  writeNarText(hash, "regular");
+  if (node.executable) {
+    writeNarText(hash, "executable");
+    writeNarText(hash, "");
+  }
+  writeNarText(hash, "contents");
+  writeNarString(hash, node.contents);
+  writeNarText(hash, ")");
+}
+
+function fetchBuffer(url) {
+  return new Promise((resolve, reject) => {
+    https
+      .get(url, (res) => {
+        if (res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          const redirectUrl = new URL(res.headers.location, url).toString();
+          res.resume();
+          fetchBuffer(redirectUrl).then(resolve, reject);
+          return;
+        }
+        if (!res.statusCode || res.statusCode < 200 || res.statusCode >= 300) {
+          reject(new Error(`Failed to fetch ${url}: ${res.statusCode ?? "unknown"}`));
+          res.resume();
+          return;
+        }
+        const chunks = [];
+        res.on("data", (chunk) => chunks.push(chunk));
+        res.on("end", () => resolve(Buffer.concat(chunks)));
+      })
+      .on("error", reject);
+  });
+}
+
+function computeSRIFromGitHubTar(ref) {
+  const url = `https://github.com/cloudbase/garm/archive/${ref}.tar.gz`;
+  return fetchBuffer(url).then((archive) => {
+      const entries = parseTarEntries(archive);
+      const root = buildTree(entries);
+      const hash = createHash("sha256");
+      writeNarText(hash, "nix-archive-1");
+      narDump(hash, root);
+      return `sha256-${hash.digest("base64")}`;
+    });
+}
+
+function updateHash(text, sri) {
+  const pattern = /(^\s*hash\s*=\s*")sha256-[^"]+(";)/m;
+  if (!pattern.test(text)) {
+    die(`Unable to update hash in ${nixFile}`);
+  }
+  const next = text.replace(pattern, `$1${sri}$2`);
+  return next;
+}
+
+async function main() {
+  const text = readText(nixFile);
+  const version = extractVersion(text);
+  const commit = extractCommit(text);
+  const ref = commit ?? `v${version}`;
+  const sri = await computeSRIFromGitHubTar(ref);
+  const updated = updateHash(text, sri);
+  fs.writeFileSync(nixFile, updated, "utf8");
+  console.log(`Updated ${nixFile} hash to ${sri}`);
+}
+
+main().catch((err) => die(err.message));

utils/update-garm-image-pin.mjs

@@ -0,0 +1,91 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { execFileSync } from "node:child_process";
+
+const pinFile = "apps/garm/image-source.env";
+const deploymentFile = "apps/garm/deployment.yaml";
+
+function fail(message) {
+  console.error(message);
+  process.exit(1);
+}
+
+function parseEnvFile(content) {
+  const vars = {};
+  for (const line of content.split(/\r?\n/)) {
+    if (!line || line.startsWith("#")) {
+      continue;
+    }
+    const idx = line.indexOf("=");
+    if (idx === -1) {
+      continue;
+    }
+    const key = line.slice(0, idx).trim();
+    const value = line.slice(idx + 1).trim();
+    vars[key] = value;
+  }
+  return vars;
+}
+
+function updateOrAdd(content, key, value) {
+  const pattern = new RegExp(`^${key}=.*$`, "m");
+  if (pattern.test(content)) {
+    return content.replace(pattern, `${key}=${value}`);
+  }
+  return `${content.trimEnd()}\n${key}=${value}\n`;
+}
+
+function gitOut(args, options = {}) {
+  return execFileSync("git", args, {
+    encoding: "utf8",
+    ...options,
+  }).trim();
+}
+
+function gitRun(args, options = {}) {
+  execFileSync("git", args, options);
+}
+
+const pinContent = fs.readFileSync(pinFile, "utf8");
+const vars = parseEnvFile(pinContent);
+const commit = vars.GARM_COMMIT;
+const imageRepo = vars.GARM_IMAGE_REPO || "gitea.lumpiasty.xyz/lumpiasty/garm-k8s";
+
+if (!commit || !/^[0-9a-f]{40}$/.test(commit)) {
+  fail(`Invalid or missing GARM_COMMIT in ${pinFile}`);
+}
+
+const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "garm-main-"));
+let commitNumber;
+try {
+  gitRun(["clone", "--filter=blob:none", "https://github.com/cloudbase/garm.git", tmpDir], {
+    stdio: "ignore",
+  });
+  commitNumber = gitOut(["-C", tmpDir, "rev-list", "--count", commit]);
+} finally {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
+}
+
+if (!/^\d+$/.test(commitNumber)) {
+  fail(`Unable to resolve commit number for ${commit}`);
+}
+
+const image = `${imageRepo}:r${commitNumber}`;
+
+let nextPin = pinContent;
+nextPin = updateOrAdd(nextPin, "GARM_COMMIT_NUMBER", commitNumber);
+nextPin = updateOrAdd(nextPin, "GARM_IMAGE_REPO", imageRepo);
+nextPin = updateOrAdd(nextPin, "GARM_IMAGE", image);
+fs.writeFileSync(pinFile, nextPin, "utf8");
+
+const deployment = fs.readFileSync(deploymentFile, "utf8");
+const imagePattern = /image:\s*(?:ghcr\.io\/cloudbase\/garm:[^\s]+|gitea\.lumpiasty\.xyz\/(?:Lumpiasty|lumpiasty)\/garm(?:-k8s)?:[^\s]+)/;
+if (!imagePattern.test(deployment)) {
+  fail(`Unable to update garm image in ${deploymentFile}`);
+}
+
+const updatedDeployment = deployment.replace(imagePattern, `image: ${image}`);
+
+fs.writeFileSync(deploymentFile, updatedDeployment, "utf8");
+console.log(`Pinned garm image to ${image}`);

vault/kubernetes-roles/authentik.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - authentik-secret
+bound_service_account_namespaces:
+  - authentik
+token_policies:
+  - authentik

vault/policy/authentik.hcl

@@ -0,0 +1,3 @@
+path "secret/data/authentik" {
+    capabilities = ["read"]
+}