chore(deps): update helm release cloudnative-pg to v0.28.0

Reviewed-on: #163

.gitea/workflows/garm-image.yml

@@ -1,66 +0,0 @@
-name: Build garm image
-
-on:
-  schedule:
-    - cron: "13 3 * * *"
-  push:
-    branches:
-      - main
-    paths:
-      - .gitea/workflows/garm-image.yml
-      - apps/garm/image-source.env
-      - docker/garm/**
-  workflow_dispatch:
-
-jobs:
-  build-and-push:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Load pin data
-        shell: bash
-        run: |
-          set -euo pipefail
-          source apps/garm/image-source.env
-          echo "GARM_COMMIT=${GARM_COMMIT}" >> "$GITHUB_ENV"
-          echo "GARM_COMMIT_NUMBER=${GARM_COMMIT_NUMBER}" >> "$GITHUB_ENV"
-          echo "GARM_IMAGE=${GARM_IMAGE}" >> "$GITHUB_ENV"
-
-      - name: Verify commit number
-        shell: bash
-        run: |
-          set -euo pipefail
-          tmpdir="$(mktemp -d)"
-          trap 'rm -rf "$tmpdir"' EXIT
-          git clone --filter=blob:none https://github.com/cloudbase/garm.git "$tmpdir"
-          expected="$(git -C "$tmpdir" rev-list --count "$GARM_COMMIT")"
-          if [ "$expected" != "$GARM_COMMIT_NUMBER" ]; then
-            echo "Pin mismatch: expected r${expected}, got r${GARM_COMMIT_NUMBER}" >&2
-            exit 1
-          fi
-
-      - name: Set up Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to gitea registry
-        uses: docker/login-action@v3
-        with:
-          registry: gitea.lumpiasty.xyz
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/garm/Dockerfile
-          push: true
-          build-args: |
-            GARM_COMMIT=${{ env.GARM_COMMIT }}
-          tags: |
-            ${{ env.GARM_IMAGE }}
-          labels: |
-            org.opencontainers.image.source=https://github.com/cloudbase/garm
-            org.opencontainers.image.revision=${{ env.GARM_COMMIT }}

.gitignore

@@ -10,3 +10,4 @@ devenv.local.yaml
 
 # pre-commit
 .pre-commit-config.yaml
+.opencode

.vscode/extensions.json

@@ -2,6 +2,7 @@
   "recommendations": [
     "jnoortheen.nix-ide",
     "detachhead.basedpyright",
-    "mkhl.direnv"
+    "mkhl.direnv",
+    "mermaidchart.vscode-mermaid-chart"
   ]
 }

apps/authentik/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - postgres-volume.yaml
+  - postgres-cluster.yaml
+  - secret.yaml
+  - release.yaml

apps/authentik/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authentik

apps/authentik/postgres-cluster.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: authentik-postgresql-cluster-lvmhdd
+  namespace: authentik
+spec:
+  instances: 1
+
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.4
+
+  bootstrap:
+    initdb:
+      database: authentik
+      owner: authentik
+
+  storage:
+    pvcTemplate:
+      storageClassName: hdd-lvmpv
+      resources:
+        requests:
+          storage: 10Gi
+      volumeName: authentik-postgresql-cluster-lvmhdd-1

apps/authentik/postgres-volume.yaml

@@ -0,0 +1,33 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: authentik-postgresql-cluster-lvmhdd-1
+  namespace: openebs
+spec:
+  capacity: 10Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: authentik-postgresql-cluster-lvmhdd-1
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: authentik-postgresql-cluster-lvmhdd-1
+---
+# PVCs are dynamically created by the Postgres operator

apps/authentik/release.yaml

@@ -0,0 +1,61 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  interval: 24h
+  url: https://charts.goauthentik.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: authentik
+      version: 2026.2.1
+      sourceRef:
+        kind: HelmRepository
+        name: authentik
+        namespace: authentik
+      interval: 12h
+  values:
+    authentik:
+      postgresql:
+        host: authentik-postgresql-cluster-lvmhdd-rw
+        name: authentik
+        user: authentik
+
+    global:
+      env:
+        - name: AUTHENTIK_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: authentik-secret
+              key: secret_key
+        - name: AUTHENTIK_POSTGRESQL__PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: authentik-postgresql-cluster-lvmhdd-app
+              key: password
+
+    postgresql:
+      enabled: false
+
+    server:
+      ingress:
+        enabled: true
+        ingressClassName: nginx-ingress
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt
+        hosts:
+          - authentik.lumpiasty.xyz
+        tls:
+          - secretName: authentik-ingress
+            hosts:
+              - authentik.lumpiasty.xyz

apps/authentik/secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: authentik-secret
+  namespace: authentik
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: authentik
+    serviceAccount: authentik-secret
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: authentik-secret
+  namespace: authentik
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: authentik
+
+  destination:
+    create: true
+    name: authentik-secret
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: authentik

apps/crawl4ai-proxy/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: crawl4ai-proxy
+  namespace: crawl4ai
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: crawl4ai-proxy
+  template:
+    metadata:
+      labels:
+        app: crawl4ai-proxy
+    spec:
+      containers:
+        - name: crawl4ai-proxy
+          image: gitea.lumpiasty.xyz/lumpiasty/crawl4ai-proxy-fit:latest
+          imagePullPolicy: Always
+          env:
+            - name: LISTEN_PORT
+              value: "8000"
+            - name: CRAWL4AI_ENDPOINT
+              value: http://crawl4ai.crawl4ai.svc.cluster.local:11235/crawl
+          ports:
+            - name: http
+              containerPort: 8000
+          readinessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 3
+            periodSeconds: 10
+            timeoutSeconds: 2
+            failureThreshold: 6
+          livenessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 15
+            timeoutSeconds: 2
+            failureThreshold: 6
+          resources:
+            requests:
+              cpu: 25m
+              memory: 32Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi

apps/crawl4ai-proxy/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deployment.yaml
+  - service.yaml

apps/crawl4ai-proxy/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: crawl4ai-proxy
+  namespace: crawl4ai
+spec:
+  type: ClusterIP
+  selector:
+    app: crawl4ai-proxy
+  ports:
+    - name: http
+      port: 8000
+      targetPort: 8000
+      protocol: TCP

apps/crawl4ai/deployment.yaml

@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: crawl4ai
+  namespace: crawl4ai
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: crawl4ai
+  template:
+    metadata:
+      labels:
+        app: crawl4ai
+    spec:
+      containers:
+        - name: crawl4ai
+          image: unclecode/crawl4ai:latest
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: CRAWL4AI_API_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: crawl4ai-secret
+                  key: api_token
+                  optional: false
+            - name: MAX_CONCURRENT_TASKS
+              value: "5"
+          ports:
+            - name: http
+              containerPort: 11235
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 15
+            timeoutSeconds: 3
+            failureThreshold: 6
+          resources:
+            requests:
+              cpu: 500m
+              memory: 1Gi
+            limits:
+              cpu: "2"
+              memory: 4Gi
+          volumeMounts:
+            - name: dshm
+              mountPath: /dev/shm
+      volumes:
+        - name: dshm
+          emptyDir:
+            medium: Memory
+            sizeLimit: 1Gi

apps/crawl4ai/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - secret.yaml
+  - deployment.yaml
+  - service.yaml

apps/crawl4ai/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: crawl4ai

apps/crawl4ai/secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: crawl4ai-secret
+  namespace: crawl4ai
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: crawl4ai
+  namespace: crawl4ai
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: crawl4ai
+    serviceAccount: crawl4ai-secret
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: crawl4ai-secret
+  namespace: crawl4ai
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: crawl4ai
+
+  destination:
+    create: true
+    name: crawl4ai-secret
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: crawl4ai

apps/crawl4ai/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: crawl4ai
+  namespace: crawl4ai
+spec:
+  type: ClusterIP
+  selector:
+    app: crawl4ai
+  ports:
+    - name: http
+      port: 11235
+      targetPort: 11235
+      protocol: TCP

apps/garm/deployment.yaml

@@ -16,7 +16,7 @@ spec:
       serviceAccountName: garm
       initContainers:
         - name: render-garm-config
-          image: alpine:3.21
+          image: alpine:3.23
           env:
             - name: JWT_AUTH_SECRET
               valueFrom:

apps/immich/release.yaml

@@ -18,7 +18,7 @@ spec:
   chart:
     spec:
       chart: immich
-      version: 1.1.1
+      version: 1.2.2
       sourceRef:
         kind: HelmRepository
         name: secustor

apps/kustomization.yaml

@@ -1,6 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - crawl4ai
+  - crawl4ai-proxy
+  - authentik
   - gitea
   - renovate
   - librechat

apps/llama/configs/config.yaml

@@ -4,12 +4,16 @@ logToStdout: "both" # proxy and upstream
 
 macros:
   base_args: "--no-warmup --port ${PORT}"
-  common_args: "--fit-target 1536 --fit-ctx 65536 --no-warmup --port ${PORT}"
+  common_args: "--fit-target 1536 --no-warmup --port ${PORT}"
+  gemma3_ctx_128k: "--ctx-size 131072"
+  qwen35_ctx_128k: "--ctx-size 131072"
+  qwen35_ctx_256k: "--ctx-size 262144"
   gemma_sampling: "--prio 2 --temp 1.0 --repeat-penalty 1.0 --min-p 0.00 --top-k 64 --top-p 0.95"
-  qwen35_sampling: "--temp 0.6 --top-p 0.95 --top-k 20 --min-p 0.00 -ctk q4_0 -ctv q4_0"
+  qwen35_sampling: "--temp 0.6 --top-p 0.95 --top-k 20 --min-p 0.00 -ctk q8_0 -ctv q8_0"
-  qwen35_35b_args: "--temp 1.0 --min-p 0.00 --top-p 0.95 --top-k 20 -ctk q4_0 -ctv q4_0"
+  qwen35_35b_args: "--temp 1.0 --min-p 0.00 --top-p 0.95 --top-k 20 -ctk q8_0 -ctv q8_0"
   qwen35_35b_heretic_mmproj: "--mmproj-url https://huggingface.co/unsloth/Qwen3.5-35B-A3B-GGUF/resolve/main/mmproj-F16.gguf --mmproj /root/.cache/llama.cpp/unsloth_Qwen3.5-35B-A3B-GGUF_mmproj-F16.gguf"
   qwen35_4b_heretic_mmproj: "--mmproj-url https://huggingface.co/unsloth/Qwen3.5-4B-GGUF/resolve/main/mmproj-F16.gguf --mmproj /root/.cache/llama.cpp/unsloth_Qwen3.5-4B-GGUF_mmproj-F16.gguf"
+  glm47_flash_args: "--temp 0.7 --top-p 1.0 --min-p 0.01 --repeat-penalty 1.0"
   thinking_on: "--chat-template-kwargs '{\"enable_thinking\": true}'"
   thinking_off: "--chat-template-kwargs '{\"enable_thinking\": false}'"
 
@@ -38,6 +42,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/gemma-3-12b-it-GGUF:Q4_K_M
+        ${gemma3_ctx_128k}
         ${gemma_sampling}
         ${common_args}
 
@@ -45,6 +50,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/gemma-3-12b-it-GGUF:Q4_K_M
+        ${gemma3_ctx_128k}
         ${gemma_sampling}
         --no-mmproj
         ${common_args}
@@ -53,6 +59,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/gemma-3-4b-it-GGUF:Q4_K_M
+        ${gemma3_ctx_128k}
         ${gemma_sampling}
         ${common_args}
 
@@ -60,6 +67,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/gemma-3-4b-it-GGUF:Q4_K_M
+        ${gemma3_ctx_128k}
         ${gemma_sampling}
         --no-mmproj
         ${common_args}
@@ -75,13 +83,14 @@ models:
         --top-p 0.95
         --top-k 40
         --repeat-penalty 1.0
-        -ctk q4_0 -ctv q4_0
+        -ctk q8_0 -ctv q8_0
         ${common_args}
 
   "Qwen3.5-35B-A3B-GGUF:Q4_K_M":
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-35B-A3B-GGUF:Q4_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_35b_args}
         ${common_args}
 
@@ -89,6 +98,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-35B-A3B-GGUF:Q4_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_35b_args}
         ${common_args}
         ${thinking_off}
@@ -100,6 +110,7 @@ models:
       /app/llama-server
         -hf mradermacher/Qwen3.5-35B-A3B-heretic-GGUF:Q4_K_M
         ${qwen35_35b_heretic_mmproj}
+        ${qwen35_ctx_256k}
         ${qwen35_35b_args}
         ${common_args}
 
@@ -108,6 +119,7 @@ models:
       /app/llama-server
         -hf mradermacher/Qwen3.5-35B-A3B-heretic-GGUF:Q4_K_M
         ${qwen35_35b_heretic_mmproj}
+        ${qwen35_ctx_256k}
         ${qwen35_35b_args}
         ${common_args}
         ${thinking_off}
@@ -116,6 +128,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-0.8B-GGUF:Q4_K_XL
+        ${qwen35_ctx_256k}
         ${qwen35_sampling}
         ${base_args}
         ${thinking_on}
@@ -133,6 +146,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-2B-GGUF:Q4_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_on}
@@ -141,6 +155,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-2B-GGUF:Q4_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_off}
@@ -149,6 +164,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-4B-GGUF:Q4_K_M
+        ${qwen35_ctx_128k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_on}
@@ -157,6 +173,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-4B-GGUF:Q4_K_M
+        ${qwen35_ctx_128k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_off}
@@ -166,6 +183,7 @@ models:
       /app/llama-server
         -hf mradermacher/Qwen3.5-4B-heretic-GGUF:Q4_K_M
         ${qwen35_4b_heretic_mmproj}
+        ${qwen35_ctx_128k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_on}
@@ -175,6 +193,7 @@ models:
       /app/llama-server
         -hf mradermacher/Qwen3.5-4B-heretic-GGUF:Q4_K_M
         ${qwen35_4b_heretic_mmproj}
+        ${qwen35_ctx_128k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_off}
@@ -183,6 +202,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-9B-GGUF:Q4_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_on}
@@ -191,6 +211,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-9B-GGUF:Q4_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_off}
@@ -199,6 +220,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-9B-GGUF:Q3_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_on}
@@ -207,6 +229,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-9B-GGUF:Q3_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_off}
@@ -215,6 +238,7 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-27B-GGUF:Q3_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_on}
@@ -223,6 +247,14 @@ models:
     cmd: |
       /app/llama-server
         -hf unsloth/Qwen3.5-27B-GGUF:Q3_K_M
+        ${qwen35_ctx_256k}
         ${qwen35_sampling}
         ${common_args}
         ${thinking_off}
+
+  "GLM-4.7-Flash-GGUF:Q4_K_M":
+    cmd: |
+      /app/llama-server
+        -hf unsloth/GLM-4.7-Flash-GGUF:Q4_K_M
+        ${glm47_flash_args}
+        ${common_args}

apps/llama/deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: llama-swap
-          image: ghcr.io/mostlygeek/llama-swap:v197-vulkan-b8248
+          image: ghcr.io/mostlygeek/llama-swap:v199-vulkan-b8576
           imagePullPolicy: IfNotPresent
           command:
             - /app/llama-swap

apps/openwebui/kustomization.yaml

@@ -4,5 +4,6 @@ resources:
   - namespace.yaml
   - pvc.yaml
   - pvc-pipelines.yaml
+  - secret.yaml
   - release.yaml
   - ingress.yaml

apps/openwebui/release.yaml

@@ -18,7 +18,7 @@ spec:
   chart:
     spec:
       chart: open-webui
-      version: 12.10.0
+      version: 12.13.0
       sourceRef:
         kind: HelmRepository
         name: open-webui
@@ -44,3 +44,30 @@ spec:
       persistence:
         enabled: true
         existingClaim: openwebui-pipelines-lvmhdd
+
+    # SSO with Authentik
+    extraEnvVars:
+      - name: WEBUI_URL
+        value: "https://openwebui.lumpiasty.xyz"
+      - name: OAUTH_CLIENT_ID
+        valueFrom:
+          secretKeyRef:
+            name: openwebui-authentik
+            key: client_id
+      - name: OAUTH_CLIENT_SECRET
+        valueFrom:
+          secretKeyRef:
+            name: openwebui-authentik
+            key: client_secret
+      - name: OAUTH_PROVIDER_NAME
+        value: "authentik"
+      - name: OPENID_PROVIDER_URL
+        value: "https://authentik.lumpiasty.xyz/application/o/open-web-ui/.well-known/openid-configuration"
+      - name: OPENID_REDIRECT_URI
+        value: "https://openwebui.lumpiasty.xyz/oauth/oidc/callback"
+      - name: ENABLE_OAUTH_SIGNUP
+        value: "true"
+      - name: ENABLE_LOGIN_FORM
+        value: "false"
+      - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
+        value: "true"

apps/openwebui/secret.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: openwebui-secret
+  namespace: openwebui
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: openwebui
+  namespace: openwebui
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: openwebui
+    serviceAccount: openwebui-secret
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: openwebui-authentik
+  namespace: openwebui
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: authentik/openwebui
+
+  destination:
+    create: true
+    name: openwebui-authentik
+    type: Opaque
+    transformation:
+      excludeRaw: true
+      templates:
+        client_id:
+          text: '{{ get .Secrets "client_id" }}'
+        client_secret:
+          text: '{{ get .Secrets "client_secret" }}'
+
+  vaultAuthRef: openwebui

apps/renovate/configmap.yaml

@@ -9,4 +9,4 @@ data:
   RENOVATE_ENDPOINT: https://gitea.lumpiasty.xyz/api/v1
   RENOVATE_PLATFORM: gitea
   RENOVATE_GIT_AUTHOR: Renovate Bot <renovate@lumpiasty.xyz>
-  RENOVATE_ALLOWED_COMMANDS: '["^node utils/update-garm-cli-hash\\.mjs$"]'
+  RENOVATE_ALLOWED_COMMANDS: '["^node utils/update-garm-cli-hash\\.mjs$", "^node utils/update-garm-image-pin\\.mjs$"]'

apps/renovate/cronjob.yaml

@@ -15,7 +15,7 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:43.64.6-full
+              image: renovate/renovate:43.95.0-full
               envFrom:
                 - secretRef:
                     name: renovate-gitea-token

devenv.lock

@@ -3,10 +3,11 @@
     "devenv": {
       "locked": {
         "dir": "src/modules",
-        "lastModified": 1769881431,
+        "lastModified": 1773504385,
+        "narHash": "sha256-ANaeR+xVHxjGz36VI4qlZUbdhrlSE0xU7O7AUJKw3zU=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "72d5e66e2dd5112766ef4c9565872b51094b542d",
+        "rev": "4bce49e6f60c69e99eeb643efbbf74125cefd329",
         "type": "github"
       },
       "original": {
@@ -16,27 +17,13 @@
         "type": "github"
       }
     },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1767039857,
-        "owner": "NixOS",
-        "repo": "flake-compat",
-        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
       },
       "locked": {
         "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
         "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
@@ -48,47 +35,6 @@
         "type": "github"
       }
     },
-    "git-hooks": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1769069492,
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
-    "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "git-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1762808025,
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "cb5e3fdca1de58ccbc3ef53de65bd372b48f567c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
     "krew2nix": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -99,10 +45,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1769904483,
+        "lastModified": 1773451905,
+        "narHash": "sha256-S/bukFEwbOYQbnR5UpciwYA42aEt1w5LK73GwARhsaA=",
         "owner": "a1994sc",
         "repo": "krew2nix",
-        "rev": "17d6ad3375899bd3f7d4d298481536155f3ec13c",
+        "rev": "bc779a8cf59ebf76ae60556bfe2d781a0a4cdbd9",
         "type": "github"
       },
       "original": {
@@ -113,10 +60,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1769461804,
+        "lastModified": 1773389992,
+        "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
+        "rev": "c06b4ae3d6599a672a6210b7021d699c351eebda",
         "type": "github"
       },
       "original": {
@@ -129,17 +77,14 @@
     "root": {
       "inputs": {
         "devenv": "devenv",
-        "git-hooks": "git-hooks",
         "krew2nix": "krew2nix",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs"
-        "pre-commit-hooks": [
-          "git-hooks"
-        ]
       }
     },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
         "owner": "nix-systems",
         "repo": "default",
         "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -154,6 +99,7 @@
     "systems_2": {
       "locked": {
         "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
         "owner": "nix-systems",
         "repo": "default",
         "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -173,10 +119,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769691507,
+        "lastModified": 1773297127,
+        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "28b19c5844cc6e2257801d43f2772a4b4c050a1b",
+        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
         "type": "github"
       },
       "original": {
@@ -188,4 +135,4 @@
   },
   "root": "root",
   "version": 7
-}
+}

devenv.nix

@@ -43,7 +43,9 @@ in
     openbao
     pv-migrate
     mermaid-cli
+    opencode
     garm-cli
+    tea
   ];
 
   # Scripts

docker/garm/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.25-alpine AS build
+FROM golang:1.26-alpine AS build
 
 ARG GARM_COMMIT
 ARG GARM_PROVIDER_K8S_VERSION=0.3.2

infra/controllers/cert-manager-webhook-ovh.yaml

@@ -18,7 +18,7 @@ spec:
   chart:
     spec:
       chart: cert-manager-webhook-ovh
-      version: 0.9.4
+      version: 0.9.5
       sourceRef:
         kind: HelmRepository
         name: cert-manager-webhook-ovh

infra/controllers/cert-manager.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: cert-manager
-      version: v1.20.0
+      version: v1.20.1
       sourceRef:
         kind: HelmRepository
         name: cert-manager

infra/controllers/cilium.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: cilium
-      version: 1.19.1
+      version: 1.19.2
       sourceRef:
         kind: HelmRepository
         name: cilium

infra/controllers/cloudnative-pg.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: cloudnative-pg
-      version: 0.27.1
+      version: 0.28.0
       sourceRef:
         kind: HelmRepository
         name: cnpg

infra/controllers/k8up.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: k8up
-      version: 4.8.6
+      version: 4.9.0
       sourceRef:
         kind: HelmRepository
         name: k8up-io

infra/controllers/nginx-ingress.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: ingress-nginx
-      version: 4.15.0
+      version: 4.15.1
       sourceRef:
         kind: HelmRepository
         name: ingress-nginx

infra/controllers/openbao.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: openbao
-      version: 0.25.7
+      version: 0.26.2
       sourceRef:
         kind: HelmRepository
         name: openbao

nix/garm-cli.nix

@@ -25,6 +25,11 @@ buildGoModule rec {
   ];
 
   postInstall = ''
+    # We need to set a temporary HOME for the completion scripts as workaround
+    # because garm-cli tries to write config to the home directory
+    # when generating the completion scripts
+    export HOME="$(mktemp -d)"
+
     installShellCompletion --cmd garm-cli \
       --bash <($out/bin/garm-cli completion bash) \
       --fish <($out/bin/garm-cli completion fish) \

vault/kubernetes-roles/authentik.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - authentik-secret
+bound_service_account_namespaces:
+  - authentik
+token_policies:
+  - authentik

vault/kubernetes-roles/crawl4ai.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - crawl4ai-secret
+bound_service_account_namespaces:
+  - crawl4ai
+token_policies:
+  - crawl4ai

vault/kubernetes-roles/openwebui.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - openwebui-secret
+bound_service_account_namespaces:
+  - openwebui
+token_policies:
+  - openwebui

vault/policy/authentik.hcl

@@ -0,0 +1,3 @@
+path "secret/data/authentik" {
+    capabilities = ["read"]
+}

vault/policy/crawl4ai.hcl

@@ -0,0 +1,3 @@
+path "secret/data/crawl4ai" {
+    capabilities = ["read"]
+}

vault/policy/openwebui.hcl

@@ -0,0 +1,3 @@
+path "secret/data/authentik/openwebui" {
+    capabilities = ["read"]
+}