Update Helm release open-webui to v12.9.0

Reviewed-on: #139

.envrc

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+export DIRENV_WARN_TIMEOUT=20s
+
+eval "$(devenv direnvrc)"
+
+# `use devenv` supports the same options as the `devenv shell` command.
+#
+# To silence all output, use `--quiet`.
+#
+# Example usage: use devenv --quiet --impure --option services.postgres.enable:bool true
+use devenv

.gitignore

@@ -1,2 +1,12 @@
 secrets.yaml
-talos/generated
+talos/generated
+# Devenv
+.devenv*
+devenv.local.nix
+devenv.local.yaml
+
+# direnv
+.direnv
+
+# pre-commit
+.pre-commit-config.yaml

.vscode/extensions.json

@@ -1,3 +1,7 @@
 {
-  "recommendations": ["arrterian.nix-env-selector", "jnoortheen.nix-ide"]
+  "recommendations": [
+    "jnoortheen.nix-ide",
+    "detachhead.basedpyright",
+    "mkhl.direnv"
+  ]
 }

.vscode/settings.json

@@ -1,12 +1,4 @@
 {
-  "nixEnvSelector.nixFile": "${workspaceFolder}/shell.nix",
-  "terminal.integrated.profiles.linux": {
-    "Nix Shell": {
-      "path": "nix",
-      "args": ["develop"],
-      "icon": "terminal-linux"
-    }
-  },
-  "terminal.integrated.defaultProfile.linux": "Nix Shell",
-  "ansible.python.interpreterPath": "/bin/python"
+  "ansible.python.interpreterPath": "/bin/python",
+  "python.defaultInterpreterPath": "${env:PYTHON_BIN}"
 }

Makefile

@@ -3,10 +3,23 @@ install-router:
 
 gen-talos-config:
 	mkdir -p talos/generated
-	talosctl gen config --with-secrets secrets.yaml --config-patch @talos/patches/controlplane.patch --config-patch @talos/patches/openebs.patch --config-patch @talos/patches/openbao.patch --config-patch @talos/patches/anapistula-delrosalae.patch --output-types controlplane -o talos/generated/anapistula-delrosalae.yaml homelab https://kube-api.homelab.lumpiasty.xyz:6443
+	talosctl gen config \
+		--with-secrets secrets.yaml \
+		--config-patch @talos/patches/controlplane.patch \
+		--config-patch @talos/patches/openebs.patch \
+		--config-patch @talos/patches/openbao.patch \
+		--config-patch @talos/patches/ollama.patch \
+		--config-patch @talos/patches/llama.patch \
+		--config-patch @talos/patches/frigate.patch \
+		--config-patch @talos/patches/anapistula-delrosalae.patch \
+		--output-types controlplane -o talos/generated/anapistula-delrosalae.yaml \
+		homelab https://kube-api.homelab.lumpiasty.xyz:6443
 	talosctl gen config --with-secrets secrets.yaml --config-patch @talos/patches/controlplane.patch --output-types worker -o talos/generated/worker.yaml homelab https://kube-api.homelab.lumpiasty.xyz:6443
 	talosctl gen config --with-secrets secrets.yaml --output-types talosconfig -o talos/generated/talosconfig homelab https://kube-api.homelab.lumpiasty.xyz:6443
 	talosctl config endpoint kube-api.homelab.lumpiasty.xyz
 
 apply-talos-config:
 	talosctl -n anapistula-delrosalae apply-config -f talos/generated/anapistula-delrosalae.yaml
+
+get-kubeconfig:
+	talosctl -n anapistula-delrosalae kubeconfig talos/generated/kubeconfig

README.md

@@ -1,106 +1,236 @@
 # Homelab
 
-## Goals
+This repo contains configuration and documentation for my homelab setup, which is based on Talos OS for Kubernetes cluster and MikroTik router.
 
-Wanting to set up homelab kubernetes cluster.
+## Architecture
 
-### Software
+Physical setup consists of MikroTik router which connects to the internet and serves as a gateway for the cluster and other devices in the home network as shown in the diagram below.
 
-1. Running applications
-   1. NAS, backups, security recorder
-   2. Online presence, website, email, communicators (ts3, matrix?)
-   3. Git server, container registry
-   4. Environment to deploy my own apps
-   5. Some LLM server, apps for my own use
-   6. Public services like Tor, mirrors of linux distros etc.
-   7. [Some frontends](https://libredirect.github.io/)
-   8. [Awesome-Selfhosted](https://github.com/awesome-selfhosted/awesome-selfhosted), [Awesome Sysadmin](https://github.com/awesome-foss/awesome-sysadmin)
-2. Managing them hopefully using GitOps
-   1. FluxCD, Argo etc.
-   2. State of cluster in git, all apps version pinned
-   3. Some bot to inform about updates?
-3. It's a home**lab**
-   1. Should be open to experimenting
-   2. Avoiding vendor lock-in, changing my mind shouldn't block me for too long
-   3. Backups of important data in easy to access format
-   4. Expecting downtime, no critical workloads
-   5. Trying to keep it reasonably up anyways
+```mermaid
+%%{init: {"flowchart": {"ranker": "tight-tree"}}}%%
+flowchart TD
 
-### Infrastructure
+   subgraph internet[Internet]
+      ipv4[IPv4 Internet]
+      ipv6[IPv6 Internet]
+      he_tunnel[Hurricane Electric IPv6 Tunnel Broker]
+      isp[ISP]
+   end
 
-1. Using commodity hardware
-2. Reasonably scalable
-3. Preferably mobile workloads, software should be a bit more flexible than me moving disks and data
-4. Replication is overkill for most data
-5. Preferably dynamically configured network
-   1. BGP with OpenWRT router
-   2. Dynamically allocated host subnets
-   3. Load-balancing (MetalLB?), ECMP on router
-   4. Static IP configurations on nodes
-6. IPv6 native, IPv4 accessible
-   1. IPv6 has whole block routed to us which gives us control over address routing and usage
-   2. Which allows us to expose services directly to the internet without complex router config
-   3. Which allows us to use eg. ExternalDNS to autoconfigure domain names for LB
-   4. But majority of the world still runs IPv4, which should be supported for public services
-   5. Exposing IPv4 service may require additional reconfiguration of router, port forwarding, manual domain setting or controller doing this some day in future
-   6. One public IPv4 address means probably extensive use of rule-based ingress controllers
-   7. IPv6 internet from pods should not be NATed
-   8. IPv4 internet from pods should be NATed by router
-
-### Current implementation idea
-
-1. Cluster server nodes running Talos
-2. OpenWRT router
-   1. VLAN / virtual interface, for cluster
-   2. Configuring using Ansible
-   3. Peering with cluster using BGP
-   4. Load-balancing using ECMP
-3. Cluster networking
-   1. Cilium CNI
-   2. Native routing, no encapsulation or overlay
-   3. Using Cilium's network policies for firewall needs
-   4. IPv6 address pool
-      1. Nodes: 2001:470:61a3:100::/64
-      2. Pods: 2001:470:61a3:200::/64
-      3. Services: 2001:470:61a3:300::/112
-      4. Load balancer: 2001:470:61a3:400::/112
-   5. IPv4 address pool
-      1. Nodes: 192.168.1.32/27
-      2. Pods: 10.42.0.0/16
-      3. Services: 10.43.0.0/16
-      4. Load balancer: 10.44.0.0/16
-4. Storage
-   1. OS is installed on dedicated disk
-   2. Mayastor managing all data disks
-      1. DiskPool for each data disk in cluster, labelled by type SSD or HDD
-      2. Creating StorageClass for each topology need (type, whether to replicate, on which node etc.)
-
-## Working with repo
-
-Repo is preconfigured to use with nix and vscode
-
-Install nix, vscode should pick up settings and launch terminals in `nix develop` with all needed utils.
-
-## Bootstrapping cluster
-
-1. Configure OpenWRT, create dedicated interface for connecting server
-   1. Set up node subnet, routing
-   2. Create static host entry `kube-api.homelab.lumpiasty.xyz` pointing at ipv6 of first node
-2. Connect server
-3. Grab Talos ISO, dd it to usb stick
-4. Boot it and using keyboard set up static ip ipv6 subnet, should become reachable from pc
-5. `talosctl gen config homelab https://kube-api.homelab.lumpiasty.xyz:6443`
-6. Generate secrets `talosctl gen secrets`, **backup, keep `secrets.yml` safe**
-7. Generate config files `make gen-talos-config`
-8. Apply config to first node `talosctl apply-config --insecure -n 2001:470:61a3:100::2 -f controlplane.yml`
-9. Wait for reboot then `talosctl bootstrap --talosconfig=talosconfig -n 2001:470:61a3:100::2`
-10. Set up router and CNI
-
-## Updating Talos config
-
-Update patches and re-generate and apply configs.
+   subgraph home[Home network]
+      router[MikroTik Router]
+      cluster[Talos cluster]
+      lan[LAN]
+      mgmt[Management network]
+      cam[Camera system]
+      router --> lan
+      router --> cluster
+      router --> mgmt
+      router --> cam
+   end
 
+   ipv4 -- "Public IPv4 address" --> isp
+   ipv6 -- "Routed /48 IPv6 prefix" --> he_tunnel -- "6in4 Tunnel" --> isp
+   isp --> router
 ```
-make gen-talos-config
-make apply-talos-config
+
+Devices are separated into VLANs and subnets for isolation and firewalling between devices and services. Whole internal network is configured to eliminate NAT where unnecessary. Pods on the Kubernetes cluster communicate with the router using native IP routing, there is no encapsulation, overlay network nor NAT on the nodes. Router knows where to direct packets destined for the pods because the cluster announces its IP prefixes to the router using BGP. Router also performs NAT for IPv4 traffic from the cluster to and from the internet, while IPv6 traffic is routed directly to the internet without NAT. High level logical routing diagram is shown below.
+
+```mermaid
+flowchart TD
+   isp[ISP] --- gpon
+
+   subgraph device[MikroTik CRS418-8P-8G-2s+]
+      direction TB
+      gpon[SFP GPON ONU]
+      pppoe[PPPoE client]
+
+      he_tunnel[HE Tunnel]
+
+      router[Router]@{ shape: cyl }
+
+      dockers["""
+         Dockers Containers (bridge)
+         2001:470:61a3:500::/64
+         172.17.0.0/16
+      """]@{ shape: cloud }
+      tailscale["Tailscale Container"]
+
+      lan["""
+         LAN (vlan2)
+         2001:470:61a3::/64
+         192.168.0.0/24
+      """]@{ shape: cloud }
+
+      mgmt["""
+         Management network (vlan1)
+         192.168.255.0/24
+      """]@{ shape: cloud }
+
+      cam["""
+         Camera system (vlan3)
+         192.168.3.0/24
+      """]@{ shape: cloud }
+
+      cluster["""
+         Kubernetes cluster (vlan4)
+         2001:470:61a3:100::/64
+         192.168.1.0/24
+      """]@{ shape: cloud }
+
+      gpon --- pppoe -- """
+         139.28.40.212
+         Default IPv4 gateway
+      """ --- router
+
+      pppoe --- he_tunnel -- """
+         2001:470:61a3:: incoming
+         Default IPv6 gateway
+      """ --- router
+
+      router -- """
+         2001:470:61a3:500:ffff:ffff:ffff:ffff
+         172.17.0.1/16
+      """ --- dockers --- tailscale
+
+      router -- """
+         2001:470:61a3:0:ffff:ffff:ffff:ffff
+         192.168.0.1
+      """--- lan
+
+      router -- """
+         192.168.255.10
+      """--- mgmt
+
+      router -- "192.168.3.1" --- cam
+      router -- """
+         2001:470:61a3:100::1
+         192.168.1.1
+      """ --- cluster
+
+   end
+
+   subgraph k8s[K8s cluster]
+      direction TB
+      pod_network["""
+         Pod networks
+         2001:470:61a3:200::/104
+         10.42.0.0/16
+         (Dynamically allocated /120 IPv6 and /24 IPv4 prefixes per node)
+      """]@{ shape: cloud }
+
+      service_network["""
+         Service network
+         2001:470:61a3:300::/112
+         10.43.0.0/16
+         (Advertises vIP addresses via BGP from nodes hosting endpoints)
+      """]@{ shape: cloud }
+
+      load_balancer["""
+         Load balancer network
+         2001:470:61a3:400::/112
+         10.44.0.0/16
+         (Advertises vIP addresses via BGP from nodes hosting endpoints)
+      """]@{ shape: cloud }
+   end
+
+   cluster -- "Routes exported via BGP" ----- k8s
 ```
+
+Currently the k8s cluster consists of single node (hostname anapistula-delrosalae), which is a PC with Ryzen 5 3600, 64GB RAM, RX 580 8GB (for accelerating LLMs), 1TB NVMe SSD, 2TB and 3TB HDDs and serves both as control plane and worker node.
+
+## Software stack
+
+The cluster itself is based on [Talos Linux](https://www.talos.dev/) (which is also a Kubernetes distribution) and uses [Cilium](https://cilium.io/) as CNI, IPAM, kube-proxy replacement, Load Balancer, and BGP control plane. Persistent volumes are managed by [OpenEBS LVM LocalPV](https://openebs.io/docs/user-guides/local-storage-user-guide/local-pv-lvm/lvm-overview). Applications are deployed using GitOps (this repo) and reconciled on cluster using [Flux](https://fluxcd.io/). Git repository is hosted on [Gitea](https://gitea.io/) running on a cluster itself. Secets are kept in [OpenBao](https://openbao.org/) (HashiCorp Vault fork) running on a cluster and synced to cluster objects using [Vault Secrets Operator](https://github.com/hashicorp/vault-secrets-operator). Deployments are kept up to date using self hosted [Renovate](https://www.mend.io/renovate/) bot updating manifests in the Git repository. Incoming HTTP traffic is routed to cluster using [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/) and certificates are issued by [cert-manager](https://cert-manager.io/) with [Let's Encrypt](https://letsencrypt.org/) ACME issuer with [cert-manager-webhook-ovh](https://github.com/aureq/cert-manager-webhook-ovh) resolving DNS-01 challanges. Cluster also runs [CloudNativePG](https://cloudnative-pg.io/) operator for managing PostgreSQL databases. High level core cluster software architecture is shown on the diagram below.
+
+> Talos Linux is an immutable Linux distribution purpose-built for running Kubernetes. The OS is distributed as an OCI (Docker) image and does not contain any package manager, shell, SSH, or any other tools for managing the system. Instead, all operations are performed using API, which can be accessed using `talosctl` CLI tool.
+
+```mermaid
+flowchart TD
+      router[MikroTik Router]
+      router -- "Routes HTTP traffic" --> nginx
+      cilium -- "Announces routes via BGP" --> router
+   subgraph cluster[K8s cluster]
+      direction TB
+      flux[Flux CD] -- "Reconciles manifests" --> kubeapi[Kube API Server]
+      flux -- "Fetches Git repo" --> gitea[Gitea]
+
+      
+      kubeapi -- "Configs, Services, Pods" --> cilium[Cilium]
+      cilium -- "Routing" --> services[Services] -- "Endpoints" --> pods[Pods]
+      cilium -- "Configures routing, interfaces, IPAM" --> pods[Pods]
+
+
+      kubeapi -- "Ingress rules" --> nginx[NGINX Ingress Controller] -- "Routes HTTP traffic" ---> pods
+
+      kubeapi -- "Certificate requests" --> cert_manager[cert-manager] -- "Provides certificates" --> nginx
+      cert_manager -- "ACME DNS-01 challanges" --> dns_webhook[cert-manager-webhook-ovh] -- "Resolves DNS challanges" --> ovh[OVH DNS]
+      cert_manager -- "Requests DNS-01 challanges" --> acme[Let's Encrypt ACME server] -- "Verifies domain ownership" --> ovh
+
+      kubeapi -- "Assigns pods" --> kubelet[Kubelet] -- "Manages" --> pods
+
+      kubeapi -- "PVs, LvmVols" --> openebs[OpenEBS LVM LocalPV]
+      openebs -- "Mounts volumes" --> pods
+      openebs -- "Manages" --> lv[LVM LVs]
+
+      kubeapi -- "Gets Secret refs" --> vault_operator[Vault Secrets Operator] -- "Syncs secrets" --> kubeapi
+      vault_operator -- "Retrieves secrets" --> vault[OpenBao] -- "Secret storage" --> lv
+      vault -- "Auth method" --> kubeapi
+
+      gitea -- "Stores repositories" --> lv
+
+      gitea --> renovate[Renovate Bot] -- "Updates manifests" --> gitea
+
+
+   end
+```
+
+<!-- TODO: Backups, monitoring, logging, deployment with ansible etc -->
+
+## Applications / Services
+
+| Logo | Name | Address | Description |
+|------|------|---------|-------------|
+| <img src="docs/assets/flux.svg" alt="Flux CD" height="50" width="50"> | Flux CD | | GitOps operator for reconciling cluster state with Git repository |
+| <img src="docs/assets/cilium.svg" alt="Cilium" height="50" width="50"> | Cilium | | CNI, BGP control plane, kube-proxy replacement and Load Balancer for cluster networking |
+| <img src="docs/assets/openebs.svg" alt="OpenEBS" height="50" width="50"> | OpenEBS LVM LocalPV | | Container Storage Interface for managing persistent volumes on local LVM pools |
+| <img src="docs/assets/gitea.svg" alt="Gitea" height="50" width="50"> | Gitea | https://gitea.lumpiasty.xyz/ | Private Git repository hosting and artifact storage (Docker, Helm charts) |
+| <img src="docs/assets/openbao.svg" alt="OpenBao" height="50" width="50"> | OpenBao | https://openbao.lumpiasty.xyz:8200/ | Secret storage (HashiCorp Vault compatible) |
+| <img src="docs/assets/renovate.svg" alt="Renovate" height="50" width="50"> | Renovate | | Bot for keeping dependencies up to date |
+| <img src="docs/assets/cert-manager.svg" alt="cert-manager" height="50" width="50"> | cert-manager | | Automatic TLS certificate management |
+| <img src="docs/assets/nginx.svg" alt="Nginx" height="50" width="50"> | Nginx Ingress Controller | | Ingress controller for routing external traffic to services in the cluster |
+| <img src="docs/assets/cloudnativepg.svg" alt="CloudNativePG" height="50" width="50"> | CloudNativePG | | PostgreSQL operator for managing PostgreSQL instances |
+| <img src="docs/assets/immich.svg" alt="Immich" height="50" width="50"> | Immich | https://immich.lumpiasty.xyz/ | Self-hosted photo and video backup and streaming service |
+| <img src="docs/assets/teamspeak.svg" alt="iSpeak3" height="50" width="50"> | iSpeak3.pl | [ts3server://ispeak3.pl](ts3server://ispeak3.pl) | Public TeamSpeak 3 voice communication server |
+| <img src="docs/assets/llama-cpp.svg" alt="LLaMA.cpp" height="50" width="50"> | LLaMA.cpp | https://llama.lumpiasty.xyz/ | LLM inference server running local models with GPU acceleration |
+| <img src="docs/assets/open-webui.png" alt="Open WebUI" height="50" width="50"> | Open WebUI | https://openwebui.lumpiasty.xyz/ | Web UI for chatting with LLMs running on the cluster |
+| <img src="docs/assets/frigate.svg" alt="Frigate" height="50" width="50"> | Frigate | https://frigate.lumpiasty.xyz/ | NVR for camera system with AI object detection and classification |
+
+
+## Development
+
+This repo leverages [devenv](https://devenv.sh/) for easy setup of a development environment. Install devenv, clone this repo and run `devenv shell` to make the tools and enviornment variables available in your shell. Alternatively, you can use direnv to automate enabling enviornment after entering directory in your shell. You can also install [direnv extension](https://marketplace.visualstudio.com/items?itemName=mkhl.direnv) in VSCode to automatically set up environment after opening workspace so all the fancy intellisense and extensions detect stuff correctly.
+
+### App deployment
+
+This repo is being watched by Flux running on cluster. To change config/add new app, simply commit to this repo and wait a while for cluster to reconcile changes. You can speed up this process by "notifying" Flux using `flux reconcile source git flux-system`.
+
+Flux watches 3 kustomizations in this repo:
+
+- flux-system - [cluster/flux-system](cluster/flux-system) directory, contains flux manifests
+- infra - [infra](infra) directory, contains cluster infrastructure manifests like storage classes, network policies, monitoring etc.
+- apps - [apps](apps) directory, contains manifests for applications deployed on cluster
+
+### Talos config changes
+
+Talos config in this repo is stored as yaml patches under [talos/patches](talos/patches) directory. Those patches can then be compiled into full Talos config files using `make gen-talos-config` command. Full config can then be applied to cluster using `make apply-talos-config` command, which applies config to all nodes in cluster.
+
+To compile config, you need to have secrets file, which contains certificates and keys for cluster. Those secrets are then incorporated into final config files. That is also why we can not store full config in repo.
+
+### Kube API access
+
+To generate kubeconfig for accessing cluster API, run `make get-kubeconfig` command, which will generate kubeconfig under `talos/generated/kubeconfig` path. Devenv automatically sets `KUBECONFIG` enviornment variable to point to this file, so you can start using `kubectl` right away.
+
+Like above, you need secrets file to generate kubeconfig.
+
+<!-- TODO: Add instructions for setting up Router -->

apps/frigate/config-pvc.yaml

@@ -0,0 +1,49 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: frigate-config
+  namespace: openebs
+spec:
+  capacity: 5Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: frigate-config
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: openebs-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    volumeHandle: frigate-config
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    namespace: frigate
+    name: frigate-config
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: frigate-config
+  namespace: frigate
+spec:
+  storageClassName: openebs-lvmpv
+  accessModes:
+    - ReadWriteOnce
+  resources:
+   requests:
+     storage: 5Gi
+  volumeName: frigate-config

apps/frigate/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - secret.yaml
+  - config-pvc.yaml
+  - media-pvc.yaml
+  - release.yaml
+  - webrtc-svc.yaml

apps/frigate/media-pvc.yaml

@@ -0,0 +1,49 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: frigate-media
+  namespace: openebs
+spec:
+  capacity: 500Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: frigate-media
+spec:
+  capacity:
+    storage: 500Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: openebs-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    volumeHandle: frigate-media
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    namespace: frigate
+    name: frigate-media
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: frigate-media
+  namespace: frigate
+spec:
+  storageClassName: openebs-lvmpv
+  accessModes:
+    - ReadWriteOnce
+  resources:
+   requests:
+     storage: 500Gi
+  volumeName: frigate-media

apps/frigate/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: frigate

apps/frigate/release.yaml

@@ -0,0 +1,181 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: blakeblackshear
+  namespace: frigate
+spec:
+  interval: 24h
+  url: https://blakeblackshear.github.io/blakeshome-charts/
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: frigate
+  namespace: frigate
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: frigate
+      version: 7.8.0
+      sourceRef:
+        kind: HelmRepository
+        name: blakeblackshear
+        namespace: frigate
+      interval: 12h
+  values:
+    config: |
+      mqtt:
+        enabled: False
+
+      tls:
+        enabled: False
+
+      auth:
+        enabled: True
+        cookie_secure: True
+
+      record:
+        expire_interval: 1440 # 24h
+        sync_recordings: True
+        enabled: True
+        retain:
+          days: 90
+          mode: motion
+
+      objects:
+        track:
+          - person
+          - bicycle
+          - car
+          - motorcycle
+          - cat
+          - dog
+          - horse
+          - sheep
+          - cow
+          - bear
+
+      review:
+        alerts:
+          labels:
+            - person
+            - bicycle
+            - car
+            - motorcycle
+            - cat
+            - dog
+            - horse
+            - sheep
+            - cow
+            - bear
+
+      cameras:
+        dom:
+          enabled: True
+          ffmpeg:
+            inputs:
+              - path: rtsp://127.0.0.1:8554/dom
+                roles:
+                  - audio
+                  - detect
+                  - record
+            output_args:
+              record: preset-record-generic-audio-copy
+          motion:
+            mask:
+              # Sasiad
+              - 0.436,0,0.421,0.072,0.424,0.124,0.304,0.242,0.295,0.194,0.035,0.497,0.035,0.6,0,0.664,0,0
+        garaz:
+          enabled: True
+          ffmpeg:
+            inputs:
+              - path: rtsp://127.0.0.1:8554/garaz
+                roles:
+                  - audio
+                  - detect
+                  - record
+            output_args:
+              record: preset-record-generic-audio-copy
+          motion:
+            mask:
+              # Sasiad
+              - 0.662,0.212,0.569,0.2,0.566,0.149,0.549,0.119,0.532,0.169,0.495,0.14,0.491,0,0.881,0,1,0.154,1,0.221,0.986,0.296,0.94,0.28,0.944,0.178,0.664,0.126
+              # Drzewo
+              - 0.087,0.032,0,0.174,0,0.508,0.139,0.226,0.12,0.108
+          objects:
+            filters:
+              person:
+                # Uparty false positive
+                mask: 0.739,0.725,0.856,0.76,0.862,0.659,0.746,0.614
+
+      # ffmpeg:
+      #   hwaccel_args: preset-vaapi
+
+      detectors:
+        ov_0:
+          type: openvino
+          device: CPU
+      model:
+        width: 300
+        height: 300
+        input_tensor: nhwc
+        input_pixel_format: bgr
+        path: /openvino-model/ssdlite_mobilenet_v2.xml
+        labelmap_path: /openvino-model/coco_91cl_bkgr.txt
+
+      go2rtc:
+        streams:
+          dom:
+            - rtsp://{FRIGATE_RTSP_DOM_USER}:{FRIGATE_RTSP_DOM_PASSWORD_URLENCODED}@192.168.3.10:554/Streaming/Channels/101
+          garaz:
+            - rtsp://{FRIGATE_RTSP_GARAZ_USER}:{FRIGATE_RTSP_GARAZ_PASSWORD_URLENCODED}@192.168.3.11:554/Streaming/Channels/101
+        webrtc:
+          candidates:
+            - frigate-rtc.lumpiasty.xyz:8555
+    persistence:
+      media:
+        enabled: true
+        size: 500Gi
+        storageClass: mayastor-single-hdd
+        skipuninstall: true
+      config:
+        enabled: true
+        size: 5Gi
+        storageClass: mayastor-single-hdd
+        skipuninstall: true
+    envFromSecrets:
+      - frigate-camera-rtsp
+
+    ingress:
+      enabled: true
+      ingressClassName: nginx-ingress
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+      hosts:
+        - host: frigate.lumpiasty.xyz
+          paths:
+            - path: /
+              portName: http-auth
+      tls:
+        - hosts:
+            - frigate.lumpiasty.xyz
+          secretName: frigate-ingress
+
+    nodeSelector:
+      kubernetes.io/hostname: anapistula-delrosalae
+
+    # GPU access
+    # extraVolumes:
+    #   - name: dri
+    #     hostPath:
+    #       path: /dev/dri/renderD128
+    #       type: CharDevice
+
+    # extraVolumeMounts:
+    #   - name: dri
+    #     mountPath: /dev/dri/renderD128
+
+    # securityContext:
+    #   # Not ideal
+    #   privileged: true

apps/frigate/secret.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: camera
+  namespace: frigate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: camera
+  namespace: frigate
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: frigate-camera
+    serviceAccount: camera
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: frigate-camera-rtsp
+  namespace: frigate
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: cameras
+
+  destination:
+    create: true
+    name: frigate-camera-rtsp
+    type: Opaque
+    transformation:
+      excludeRaw: true
+      templates:
+        FRIGATE_RTSP_DOM_PASSWORD_URLENCODED:
+          text: '{{ urlquery (get .Secrets "FRIGATE_RTSP_DOM_PASSWORD") }}'
+        FRIGATE_RTSP_GARAZ_PASSWORD_URLENCODED:
+          text: '{{ urlquery (get .Secrets "FRIGATE_RTSP_GARAZ_PASSWORD") }}'
+
+  vaultAuthRef: camera

apps/frigate/webrtc-svc.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: go2rtc
+  namespace: frigate
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/instance: frigate
+    app.kubernetes.io/name: frigate
+  ipFamilyPolicy: RequireDualStack
+  ports:
+    - name: webrtc-tcp
+      protocol: TCP
+      port: 8555
+      targetPort: webrtc-tcp
+    - name: webrtc-udp
+      protocol: UDP
+      port: 8555
+      targetPort: webrtc-udp

apps/gitea/backups.yaml

@@ -0,0 +1,33 @@
+apiVersion: k8up.io/v1
+kind: Schedule
+metadata:
+  name: gitea-backup
+  namespace: gitea
+spec:
+  backend:
+    # Manually adding secrets for now
+    repoPasswordSecretRef:
+      name: gitea-backup-restic
+      key: password
+    s3:
+      endpoint: https://s3.eu-central-003.backblazeb2.com
+      bucket: lumpiasty-backups
+      accessKeyIDSecretRef:
+        name: gitea-backup-backblaze
+        key: aws_access_key_id
+      secretAccessKeySecretRef:
+        name: gitea-backup-backblaze
+        key: aws_secret_access_key
+  backup:
+    schedule: "@daily-random"
+    failedJobsHistoryLimit: 2
+    successfulJobsHistoryLimit: 2
+  check:
+    schedule: "@daily-random"
+  prune:
+    schedule: "@daily-random"
+    retention:
+      keepLast: 14
+      keepDaily: 14
+      keepWeekly: 50
+      keepYearly: 10

apps/gitea/gitea-shared-volume.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: gitea-shared-storage-lvmhdd
+  namespace: openebs
+spec:
+  capacity: 10Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: gitea-shared-storage-lvmhdd
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: gitea-shared-storage-lvmhdd
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: gitea-shared-storage-lvmhdd
+  namespace: gitea
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: hdd-lvmpv
+  volumeName: gitea-shared-storage-lvmhdd

apps/gitea/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - postgres-volume.yaml
+  - postgres-cluster.yaml
+  - gitea-shared-volume.yaml
+  - valkey-volume.yaml
+  - release.yaml
+  - secret.yaml
+  - backups.yaml

apps/gitea/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea

apps/gitea/postgres-cluster.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: gitea-postgresql-cluster-lvmhdd
+  namespace: gitea
+spec:
+  instances: 1
+
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.4
+
+  storage:
+    pvcTemplate:
+      storageClassName: hdd-lvmpv
+      resources:
+        requests:
+          storage: 20Gi
+      volumeName: gitea-postgresql-cluster-lvmhdd-1
+
+  # Just to avoid bootstrapping the instance agian
+  # I migrated data manually using pv_migrate because this feature is broken
+  # when source and target volumes are in different storage classes
+  # CNPG just sets dataSource to the PVC and expects the underlying storage
+  # to handle the migration, but it doesn't work here
+  bootstrap:
+    recovery:
+      backup:
+        name: backup-migration

apps/gitea/postgres-volume.yaml

@@ -0,0 +1,33 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: gitea-postgresql-cluster-lvmhdd-1
+  namespace: openebs
+spec:
+  capacity: 20Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: gitea-postgresql-cluster-lvmhdd-1
+spec:
+  capacity:
+    storage: 20Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: gitea-postgresql-cluster-lvmhdd-1
+---
+# PVCs are dynamically created by the Postgres operator

apps/gitea/release.yaml

@@ -1,9 +1,3 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: gitea
----
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
@@ -23,7 +17,7 @@ spec:
   chart:
     spec:
       chart: gitea
-      version: 10.6.0
+      version: 12.5.0
       sourceRef:
         kind: HelmRepository
         name: gitea-charts
@@ -34,7 +28,7 @@ spec:
       enabled: false
 
     postgresql:
-      enabled: true
+      enabled: false
       primary:
         persistence:
           enabled: true
@@ -43,30 +37,38 @@ spec:
           requests:
             cpu: 0
 
-    redis-cluster:
+    valkey-cluster:
       enabled: false
 
-    redis:
+    valkey:
       enabled: true
-      master:
+      primary:
         persistence:
           enabled: true
-          storageClass: mayastor-single-hdd
+          existingClaim: gitea-valkey-primary-lvmhdd-0
         resources:
           requests:
             cpu: 0
 
     persistence:
       enabled: true
-      storageClass: mayastor-single-hdd
-
-    image:
-      tag: 1.23.3
+      # We'll create PV and PVC manually
+      create: false
+      claimName: gitea-shared-storage-lvmhdd
 
     gitea:
+      additionalConfigFromEnvs:
+        - name: GITEA__DATABASE__PASSWD
+          valueFrom:
+            secretKeyRef:
+              name: gitea-postgresql-cluster-lvmhdd-app
+              key: password
       config:
         database:
           DB_TYPE: postgres
+          HOST: gitea-postgresql-cluster-lvmhdd-rw:5432
+          NAME: app
+          USER: app
         indexer:
           ISSUE_INDEXER_TYPE: bleve
           REPO_INDEXER_ENABLED: true
@@ -79,8 +81,8 @@ spec:
       ssh:
         annotations:
           lbipam.cilium.io/sharing-key: gitea
-          lbipam.cilium.io/sharing-cross-namespace: nginx-ingress-controller
-          lbipam.cilium.io/ips: 10.44.0.0,2001:470:61a3:400::1
+          lbipam.cilium.io/sharing-cross-namespace: nginx-ingress
+          lbipam.cilium.io/ips: 10.44.0.6,2001:470:61a3:400::6
         type: LoadBalancer
         port: 22
         # Requirement for sharing ip with other service
@@ -89,7 +91,7 @@ spec:
 
     ingress:
       enabled: true
-      className: nginx
+      className: nginx-ingress
       annotations:
         cert-manager.io/cluster-issuer: letsencrypt
         acme.cert-manager.io/http01-edit-in-place: "true"
@@ -111,37 +113,3 @@ spec:
       resources:
         requests:
           cpu: 0
----
-apiVersion: k8up.io/v1
-kind: Schedule
-metadata:
-  name: gitea-backup
-  namespace: gitea
-spec:
-  backend:
-    # Manually adding secrets for now
-    repoPasswordSecretRef:
-      name: restic-repo
-      key: password
-    s3:
-      endpoint: https://s3.eu-central-003.backblazeb2.com
-      bucket: lumpiasty-backups
-      accessKeyIDSecretRef:
-        name: backblaze
-        key: keyid
-      secretAccessKeySecretRef:
-        name: backblaze
-        key: secret
-  backup:
-    schedule: "@daily-random"
-    failedJobsHistoryLimit: 2
-    successfulJobsHistoryLimit: 2
-  check:
-    schedule: "@daily-random"
-  prune:
-    schedule: "@daily-random"
-    retention:
-      keepLast: 14
-      keepDaily: 14
-      keepWeekly: 50
-      keepYearly: 10

apps/gitea/secret.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: backup
+  namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: backup
+  namespace: gitea
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: backup
+    serviceAccount: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-restic
+  namespace: gitea
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: restic
+
+  destination:
+    create: true
+    name: gitea-backup-restic
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-backblaze
+  namespace: gitea
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: backblaze
+
+  destination:
+    create: true
+    name: gitea-backup-backblaze
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: backup

apps/gitea/valkey-volume.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: gitea-valkey-primary-lvmhdd-0
+  namespace: openebs
+spec:
+  capacity: 1Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: gitea-valkey-primary-lvmhdd-0
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: gitea-valkey-primary-lvmhdd-0
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: gitea-valkey-primary-lvmhdd-0
+  namespace: gitea
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: hdd-lvmpv
+  volumeName: gitea-valkey-primary-lvmhdd-0

apps/immich/immich-library.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: immich-library-lvmhdd
+  namespace: openebs
+spec:
+  capacity: 150Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: immich-library-lvmhdd
+spec:
+  capacity:
+    storage: 150Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: immich-library-lvmhdd
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: library-lvmhdd
+  namespace: immich
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 150Gi
+  storageClassName: hdd-lvmpv
+  volumeName: immich-library-lvmhdd

apps/immich/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - valkey-volume.yaml
+  - redis.yaml
+  - postgres-password.yaml
+  - postgres-volume.yaml
+  - postgres-cluster.yaml
+  - immich-library.yaml
+  - release.yaml

apps/immich/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: immich

apps/immich/postgres-cluster.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-db-lvmhdd
+  namespace: immich
+spec:
+  # TODO: Configure renovate to handle imageName
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:14-0.4.3
+
+  instances: 1
+
+  storage:
+    pvcTemplate:
+      storageClassName: hdd-lvmpv
+      resources:
+        requests:
+          storage: 10Gi
+      volumeName: immich-db-lvmhdd-1
+
+  # Just to avoid bootstrapping the instance again
+  # I migrated data manually using pv_migrate because this feature is broken
+  # when source and target volumes are in different storage classes
+  # CNPG just sets dataSource to the PVC and expects the underlying storage
+  # to handle the migration, but it doesn't work here
+  bootstrap:
+    recovery:
+      backup:
+        name: backup-migration
+
+  # We need to create custom role because default one does not allow to set up
+  # vectorchord extension
+  managed:
+    roles:
+      - name: immich
+        createdb: true
+        login: true
+        superuser: true
+        # We need to manually create secret
+        # https://github.com/cloudnative-pg/cloudnative-pg/issues/3788
+        passwordSecret:
+          name: immich-db-immich

apps/immich/postgres-password.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: immich-password
+  namespace: immich
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: immich
+  namespace: immich
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: immich
+    serviceAccount: immich-password
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: immich-db
+  namespace: immich
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: immich-db
+
+  destination:
+    create: true
+    name: immich-db-immich
+    type: kubernetes.io/basic-auth
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: immich

apps/immich/postgres-volume.yaml

@@ -0,0 +1,33 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: immich-db-lvmhdd-1
+  namespace: openebs
+spec:
+  capacity: 10Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: immich-db-lvmhdd-1
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: immich-db-lvmhdd-1
+---
+# PVCs are dynamically created by the Postgres operator

apps/immich/redis.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: valkey
+  namespace: immich
+spec:
+  interval: 24h
+  url: https://valkey.io/valkey-helm/
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: valkey
+  namespace: immich
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: valkey
+      version: 0.9.3
+      sourceRef:
+        kind: HelmRepository
+        name: valkey
+  values:
+    dataStorage:
+      enabled: true
+      persistentVolumeClaimName: immich-valkey
+
+    auth:
+      enabled: true
+      usersExistingSecret: redis
+      aclUsers:
+        default:
+          passwordKey: redis-password
+          permissions: "~* &* +@all"

apps/immich/release.yaml

@@ -0,0 +1,69 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: secustor
+  namespace: immich
+spec:
+  interval: 24h
+  url: https://secustor.dev/helm-charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: immich
+  namespace: immich
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: immich
+      version: 1.1.1
+      sourceRef:
+        kind: HelmRepository
+        name: secustor
+  values:
+    common:
+      config:
+        vecotrExtension: vectorchord
+      postgres:
+        host: immich-db-lvmhdd-rw
+        existingSecret:
+          enabled: true
+          secretName: immich-db-immich
+          usernameKey: username
+          passwordKey: password
+      redis:
+        host: valkey
+        existingSecret:
+          enabled: true
+          secretName: redis
+          passwordKey: redis-password
+
+    server:
+      volumeMounts:
+        - mountPath: /usr/src/app/upload
+          name: uploads
+      volumes:
+        - name: uploads
+          persistentVolumeClaim:
+            claimName: library-lvmhdd
+
+    machineLearning:
+      enabled: true
+
+    ingress:
+      enabled: true
+      className: nginx-ingress
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+        nginx.ingress.kubernetes.io/proxy-body-size: "0"
+      hosts:
+        - host: immich.lumpiasty.xyz
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - immich.lumpiasty.xyz
+          secretName: immich-ingress

apps/immich/valkey-volume.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: immich-valkey
+  namespace: openebs
+spec:
+  capacity: 1Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: immich-valkey
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: immich-valkey
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: immich-valkey
+  namespace: immich
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: hdd-lvmpv
+  volumeName: immich-valkey

apps/ispeak3/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - statefulset.yaml
+  - service.yaml

apps/ispeak3/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ispeak3

apps/ispeak3/pvc.yaml

@@ -0,0 +1,49 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: ispeak3-ts3-data
+  namespace: openebs
+spec:
+  capacity: 1Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: ispeak3-ts3-data
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Delete
+  storageClassName: openebs-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    volumeHandle: ispeak3-ts3-data
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    namespace: ispeak3
+    name: ispeak3-ts3-data
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: ispeak3-ts3-data
+  namespace: ispeak3
+spec:
+  storageClassName: openebs-lvmpv
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeName: ispeak3-ts3-data

apps/ispeak3/service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: teamspeak3
+  namespace: ispeak3
+spec:
+  selector:
+    app: teamspeak3
+  ports:
+  - name: voice
+    protocol: UDP
+    port: 9987
+    targetPort: 9987
+  - name: filetransfer
+    protocol: TCP
+    port: 30033
+    targetPort: 30033
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ipFamilyPolicy: PreferDualStack

apps/ispeak3/statefulset.yaml

@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: teamspeak3-server
+  namespace: ispeak3
+spec:
+  serviceName: "teamspeak3"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: teamspeak3
+  template:
+    metadata:
+      labels:
+        app: teamspeak3
+    spec:
+      containers:
+      - name: teamspeak3
+        image: teamspeak:3.13.7
+        ports:
+        - containerPort: 9987
+          name: voice
+          protocol: UDP
+        - containerPort: 10011
+          name: query
+        - containerPort: 30033
+          name: filetransfer
+        volumeMounts:
+        - name: ts3-data
+          mountPath: /var/ts3server/
+      volumes:
+      - name: ts3-data
+        persistentVolumeClaim:
+          claimName: ispeak3-ts3-data

apps/kustomization.yaml

@@ -1,5 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - gitea.yaml
-  - renovate.yaml
+  - gitea
+  - renovate
+  - librechat
+  - frigate
+  - llama
+  - immich
+  - nas
+  - searxng
+  - ispeak3
+  - openwebui

apps/librechat/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - release.yaml

apps/librechat/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: librechat

apps/librechat/release.yaml

@@ -0,0 +1,120 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: dynomite567-charts
+  namespace: librechat
+spec:
+  interval: 24h
+  url: https://dynomite567.github.io/helm-charts/
+---
+# apiVersion: helm.toolkit.fluxcd.io/v2
+# kind: HelmRelease
+# metadata:
+#   name: librechat
+#   namespace: librechat
+# spec:
+#   interval: 30m
+#   chart:
+#     spec:
+#       chart: librechat
+#       version: 1.9.1
+#       sourceRef:
+#         kind: HelmRepository
+#         name: dynomite567-charts
+#   values:
+#     global:
+#       librechat:
+#         existingSecretName: librechat
+#     librechat:
+#       configEnv:
+#         PLUGIN_MODELS: null
+#         ALLOW_REGISTRATION: "false"
+#         TRUST_PROXY: "1"
+#         DOMAIN_CLIENT: https://librechat.lumpiasty.xyz
+#         SEARCH: "true"
+#       existingSecretName: librechat
+#       configYamlContent: |
+#         version: 1.0.3
+
+#         endpoints:
+#           custom:
+#             - name: "Llama.cpp"
+#               apiKey: "llama"
+#               baseURL: "http://llama.llama.svc.cluster.local:11434/v1"
+#               models:
+#                 default: [
+#                   "DeepSeek-R1-0528-Qwen3-8B-GGUF",
+#                   "Qwen3-8B-GGUF",
+#                   "Qwen3-8B-GGUF-no-thinking",
+#                   "gemma3n-e4b",
+#                   "gemma3-12b",
+#                   "gemma3-12b-q2",
+#                   "gemma3-12b-novision",
+#                   "gemma3-4b",
+#                   "gemma3-4b-novision",
+#                   "Qwen3-4B-Thinking-2507",
+#                   "Qwen3-4B-Thinking-2507-long-ctx",
+#                   "Qwen2.5-VL-7B-Instruct-GGUF",
+#                   "Qwen2.5-VL-32B-Instruct-GGUF-IQ1_S",
+#                   "Qwen2.5-VL-32B-Instruct-GGUF-Q2_K_L",
+#                   "Qwen3-VL-2B-Instruct-GGUF",
+#                   "Qwen3-VL-2B-Instruct-GGUF-unslothish",
+#                   "Qwen3-VL-2B-Thinking-GGUF",
+#                   "Qwen3-VL-4B-Instruct-GGUF",
+#                   "Qwen3-VL-4B-Instruct-GGUF-unslothish",
+#                   "Qwen3-VL-4B-Thinking-GGUF",
+#                   "Qwen3-VL-8B-Instruct-GGUF",
+#                   "Qwen3-VL-8B-Instruct-GGUF-unslothish",
+#                   "Qwen3-VL-8B-Thinking-GGUF",
+#                   "Huihui-Qwen3-VL-8B-Instruct-abliterated-GGUF",
+#                   "Huihui-Qwen3-VL-8B-Thinking-abliterated-GGUF"
+#                 ]
+#               titleConvo: true
+#               titleModel: "gemma3-4b-novision"
+#               summarize: false
+#               summaryModel: "gemma3-4b-novision"
+#               forcePrompt: false
+#               modelDisplayLabel: "Llama.cpp"
+
+#               # ✨ IMPORTANT: let llama-swap/llama-server own all these
+#               dropParams:
+#                 - "temperature"
+#                 - "top_p"
+#                 - "top_k"
+#                 - "presence_penalty"
+#                 - "frequency_penalty"
+#                 - "stop"
+#                 - "max_tokens"
+#       imageVolume:
+#         enabled: true
+#         size: 10G
+#         accessModes: ReadWriteOnce
+#         storageClassName: mayastor-single-hdd
+#     ingress:
+#       enabled: true
+#       className: nginx-ingress
+#       annotations:
+#         cert-manager.io/cluster-issuer: letsencrypt
+#         nginx.ingress.kubernetes.io/proxy-body-size: "0"
+#         nginx.ingress.kubernetes.io/proxy-buffering: "false"
+#         nginx.ingress.kubernetes.io/proxy-read-timeout: 30m
+#       hosts:
+#         - host: librechat.lumpiasty.xyz
+#           paths:
+#             - path: /
+#               pathType: ImplementationSpecific
+#       tls:
+#         - hosts:
+#             - librechat.lumpiasty.xyz
+#           secretName: librechat-ingress
+
+#     mongodb:
+#       persistence:
+#         storageClass: mayastor-single-hdd
+
+#     meilisearch:
+#       persistence:
+#         storageClass: mayastor-single-hdd
+#       auth:
+#         existingMasterKeySecret: librechat

apps/llama/auth-proxy.yaml

@@ -0,0 +1,68 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: llama-proxy
+  namespace: llama
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: llama-proxy
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: llama-proxy
+    spec:
+      containers:
+        - name: caddy
+          image: caddy:2.11.1-alpine
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /etc/caddy
+              name: proxy-config
+          env:
+            - name: API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: llama-api-key
+                  key: API_KEY
+      volumes:
+        - name: proxy-config
+          configMap:
+            name: llama-proxy-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: llama
+  name: llama-proxy-config
+data:
+  Caddyfile: |
+    http://llama.lumpiasty.xyz {
+
+      @requireAuth {
+        not header Authorization "Bearer {env.API_KEY}"
+      }
+
+      respond @requireAuth "Unauthorized" 401
+
+      reverse_proxy llama:11434 {
+        flush_interval -1
+      }
+    }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: llama
+  name: llama-proxy
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: llama-proxy
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+      protocol: TCP

apps/llama/configs/config.yaml

@@ -0,0 +1,232 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/mostlygeek/llama-swap/refs/heads/main/config-schema.json
+healthCheckTimeout: 600
+logToStdout: "both" # proxy and upstream
+
+macros:
+  base_args: "--no-warmup --port ${PORT}"
+  common_args: "--fit-target 1536 --fit-ctx 32768 --no-warmup --port ${PORT}"
+  gemma_sampling: "--prio 2 --temp 1.0 --repeat-penalty 1.0 --min-p 0.00 --top-k 64 --top-p 0.95"
+  qwen35_sampling: "--temp 0.6 --top-p 0.95 --top-k 20 --min-p 0.00"
+  qwen35_35b_args: "--temp 1.0 --min-p 0.00 --top-p 0.95 --top-k 20"
+  qwen35_35b_heretic_mmproj: "--mmproj-url https://huggingface.co/unsloth/Qwen3.5-35B-A3B-GGUF/resolve/main/mmproj-F16.gguf --mmproj /root/.cache/llama.cpp/unsloth_Qwen3.5-35B-A3B-GGUF_mmproj-F16.gguf"
+  qwen35_4b_heretic_mmproj: "--mmproj-url https://huggingface.co/unsloth/Qwen3.5-4B-GGUF/resolve/main/mmproj-F16.gguf --mmproj /root/.cache/llama.cpp/unsloth_Qwen3.5-4B-GGUF_mmproj-F16.gguf"
+  thinking_on: "--chat-template-kwargs '{\"enable_thinking\": true}'"
+  thinking_off: "--chat-template-kwargs '{\"enable_thinking\": false}'"
+
+peers:
+  openrouter:
+    proxy: https://openrouter.ai/api
+    apiKey: ${env.OPENROUTER_API_KEY}
+    models:
+      - z-ai/glm-5
+
+hooks:
+  on_startup:
+    preload:
+      - "Qwen3.5-0.8B-GGUF-nothink:Q4_K_XL"
+
+groups:
+  always:
+    persistent: true
+    exclusive: false
+    swap: false
+    members:
+      - "Qwen3.5-0.8B-GGUF-nothink:Q4_K_XL"
+
+models:
+  "gemma3-12b":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/gemma-3-12b-it-GGUF:Q4_K_M
+        ${gemma_sampling}
+        ${common_args}
+
+  "gemma3-12b-novision":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/gemma-3-12b-it-GGUF:Q4_K_M
+        ${gemma_sampling}
+        --no-mmproj
+        ${common_args}
+
+  "gemma3-4b":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/gemma-3-4b-it-GGUF:Q4_K_M
+        ${gemma_sampling}
+        ${common_args}
+
+  "gemma3-4b-novision":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/gemma-3-4b-it-GGUF:Q4_K_M
+        ${gemma_sampling}
+        --no-mmproj
+        ${common_args}
+
+  "Qwen3-Coder-Next-GGUF:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3-Coder-Next-GGUF:Q4_K_M
+        --ctx-size 65536
+        --predict 8192
+        --temp 1.0
+        --min-p 0.01
+        --top-p 0.95
+        --top-k 40
+        --repeat-penalty 1.0
+        ${common_args}
+
+  "Qwen3.5-35B-A3B-GGUF:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-35B-A3B-GGUF:Q4_K_M
+        ${qwen35_35b_args}
+        ${common_args}
+
+  "Qwen3.5-35B-A3B-GGUF-nothink:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-35B-A3B-GGUF:Q4_K_M
+        ${qwen35_35b_args}
+        ${common_args}
+        ${thinking_off}
+
+  # The "heretic" version does not provide the mmproj
+  # so providing url to the one from the non-heretic version.
+  "Qwen3.5-35B-A3B-heretic-GGUF:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf mradermacher/Qwen3.5-35B-A3B-heretic-GGUF:Q4_K_M
+        ${qwen35_35b_heretic_mmproj}
+        ${qwen35_35b_args}
+        ${common_args}
+
+  "Qwen3.5-35B-A3B-heretic-GGUF-nothink:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf mradermacher/Qwen3.5-35B-A3B-heretic-GGUF:Q4_K_M
+        ${qwen35_35b_heretic_mmproj}
+        ${qwen35_35b_args}
+        ${common_args}
+        ${thinking_off}
+
+  "Qwen3.5-0.8B-GGUF:Q4_K_XL":
+    ttl: 0
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-0.8B-GGUF:Q4_K_XL
+        ${qwen35_sampling}
+        ${base_args}
+        ${thinking_on}
+
+  "Qwen3.5-0.8B-GGUF-nothink:Q4_K_XL":
+    ttl: 0
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-0.8B-GGUF:Q4_K_XL
+        --ctx-size 4096
+        ${qwen35_sampling}
+        ${base_args}
+        ${thinking_off}
+
+  "Qwen3.5-2B-GGUF:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-2B-GGUF:Q4_K_M
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_on}
+
+  "Qwen3.5-2B-GGUF-nothink:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-2B-GGUF:Q4_K_M
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_off}
+
+  "Qwen3.5-4B-GGUF:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-4B-GGUF:Q4_K_M
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_on}
+
+  "Qwen3.5-4B-GGUF-nothink:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-4B-GGUF:Q4_K_M
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_off}
+
+  "Qwen3.5-4B-heretic-GGUF:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf mradermacher/Qwen3.5-4B-heretic-GGUF:Q4_K_M
+        ${qwen35_4b_heretic_mmproj}
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_on}
+
+  "Qwen3.5-4B-heretic-GGUF-nothink:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf mradermacher/Qwen3.5-4B-heretic-GGUF:Q4_K_M
+        ${qwen35_4b_heretic_mmproj}
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_off}
+
+  "Qwen3.5-9B-GGUF:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-9B-GGUF:Q4_K_M
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_on}
+
+  "Qwen3.5-9B-GGUF-nothink:Q4_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-9B-GGUF:Q4_K_M
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_off}
+
+  "Qwen3.5-9B-GGUF:Q3_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-9B-GGUF:Q3_K_M
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_on}
+
+  "Qwen3.5-9B-GGUF-nothink:Q3_K_M":
+    ttl: 600
+    cmd: |
+      /app/llama-server
+        -hf unsloth/Qwen3.5-9B-GGUF:Q3_K_M
+        ${qwen35_sampling}
+        ${common_args}
+        ${thinking_off}

apps/llama/configs/qwen_nothink_chat_template.jinja

@@ -0,0 +1,101 @@
+{%- if not add_generation_prompt is defined %}
+    {%- set add_generation_prompt = false %}
+{%- endif %}
+{%- set ns = namespace(is_first=false, is_tool=false, is_output_first=true, system_prompt='', is_first_sp=true, is_last_user=false) %}
+{%- for message in messages %}
+    {%- if message['role'] == 'system' %}
+        {%- if ns.is_first_sp %}
+            {%- set ns.system_prompt = ns.system_prompt + message['content'] %}
+            {%- set ns.is_first_sp = false %}
+        {%- else %}
+            {%- set ns.system_prompt = ns.system_prompt + '\n\n' + message['content'] %}
+        {%- endif %}
+    {%- endif %}
+{%- endfor %}
+
+{#- Adapted from https://github.com/sgl-project/sglang/blob/main/examples/chat_template/tool_chat_template_deepseekr1.jinja #}
+{%- if tools is defined and tools is not none %}
+    {%- set tool_ns = namespace(text='You are a helpful assistant with tool calling capabilities. ' + 'When a tool call is needed, you MUST use the following format to issue the call:\n' + '<｜tool▁calls▁begin｜><｜tool▁call▁begin｜>function<｜tool▁sep｜>FUNCTION_NAME\n' + '```json\n{"param1": "value1", "param2": "value2"}\n```<｜tool▁call▁end｜><｜tool▁calls▁end｜>\n\n' + 'Make sure the JSON is valid.' + '## Tools\n\n### Function\n\nYou have the following functions available:\n\n') %}
+    {%- for tool in tools %}
+        {%- set tool_ns.text = tool_ns.text + '\n```json\n' + (tool | tojson) + '\n```\n' %}
+    {%- endfor %}
+    {%- if ns.system_prompt|length != 0 %}
+        {%- set ns.system_prompt = ns.system_prompt + '\n\n' + tool_ns.text %}
+    {%- else %}
+        {%- set ns.system_prompt = tool_ns.text %}
+    {%- endif %}
+{%- endif %}
+{{- bos_token }}
+{{- '/no_think' + ns.system_prompt }}
+{%- set last_index = (messages|length - 1) %}
+{%- for message in messages %}
+    {%- set content = message['content'] %}
+    {%- if message['role'] == 'user' %}
+        {%- set ns.is_tool = false -%}
+        {%- set ns.is_first = false -%}
+        {%- set ns.is_last_user = true -%}
+        {%- if loop.index0 == last_index %}
+            {{- '<｜User｜>' + content }}
+        {%- else %}
+            {{- '<｜User｜>' + content + '<｜Assistant｜>'}}
+        {%- endif %}
+    {%- endif %}
+    {%- if message['role'] == 'assistant' %}
+        {%- if '</think>' in content %}
+            {%- set content = (content.split('</think>')|last) %}
+        {%- endif %}
+    {%- endif %}
+    {%- if message['role'] == 'assistant' and message['tool_calls'] is defined and message['tool_calls'] is not none %}
+        {%- set ns.is_last_user = false -%}
+        {%- if ns.is_tool %}
+            {{- '<｜tool▁outputs▁end｜>'}}
+        {%- endif %}
+        {%- set ns.is_first = false %}
+        {%- set ns.is_tool = false -%}
+        {%- set ns.is_output_first = true %}
+        {%- for tool in message['tool_calls'] %}
+            {%- set arguments = tool['function']['arguments'] %}
+            {%- if arguments is not string %}
+                {%- set arguments = arguments|tojson %}
+            {%- endif %}
+            {%- if not ns.is_first %}
+                {%- if content is none %}
+                    {{- '<｜tool▁calls▁begin｜><｜tool▁call▁begin｜>' + tool['type'] + '<｜tool▁sep｜>' + tool['function']['name'] + '\n' + '```json' + '\n' + arguments + '\n' + '```' + '<｜tool▁call▁end｜>'}}
+                }
+                {%- else %}
+                    {{- content + '<｜tool▁calls▁begin｜><｜tool▁call▁begin｜>' + tool['type'] + '<｜tool▁sep｜>' + tool['function']['name'] + '\n' + '```json' + '\n' + arguments + '\n' + '```' + '<｜tool▁call▁end｜>'}}
+                {%- endif %}
+                {%- set ns.is_first = true -%}
+            {%- else %}
+                {{- '\n' + '<｜tool▁call▁begin｜>' + tool['type'] + '<｜tool▁sep｜>' + tool['function']['name'] + '\n' + '```json' + '\n' + arguments + '\n' + '```' + '<｜tool▁call▁end｜>'}}
+            {%- endif %}
+        {%- endfor %}
+        {{- '<｜tool▁calls▁end｜><｜end▁of▁sentence｜>'}}
+    {%- endif %}
+    {%- if message['role'] == 'assistant' and (message['tool_calls'] is not defined or message['tool_calls'] is none) %}
+        {%- set ns.is_last_user = false -%}
+        {%- if ns.is_tool %}
+            {{- '<｜tool▁outputs▁end｜>' + content + '<｜end▁of▁sentence｜>'}}
+            {%- set ns.is_tool = false -%}
+        {%- else %}
+            {{- content + '<｜end▁of▁sentence｜>'}}
+        {%- endif %}
+    {%- endif %}
+    {%- if message['role'] == 'tool' %}
+        {%- set ns.is_last_user = false -%}
+        {%- set ns.is_tool = true -%}
+        {%- if ns.is_output_first %}
+            {{- '<｜tool▁outputs▁begin｜><｜tool▁output▁begin｜>' + content + '<｜tool▁output▁end｜>'}}
+            {%- set ns.is_output_first = false %}
+        {%- else %}
+            {{- '\n<｜tool▁output▁begin｜>' + content + '<｜tool▁output▁end｜>'}}
+        {%- endif %}
+    {%- endif %}
+{%- endfor -%}
+{%- if ns.is_tool %}
+    {{- '<｜tool▁outputs▁end｜>'}}
+{%- endif %}
+{#- if add_generation_prompt and not ns.is_last_user and not ns.is_tool #}
+{%- if add_generation_prompt and not ns.is_tool %}
+    {{- '<｜Assistant｜>'}}
+{%- endif %}

apps/llama/deployment.yaml

@@ -0,0 +1,79 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: llama-swap
+  namespace: llama
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: llama-swap
+  template:
+    metadata:
+      labels:
+        app: llama-swap
+    spec:
+      containers:
+        - name: llama-swap
+          # TODO: make renovate update the image tag
+          image: ghcr.io/mostlygeek/llama-swap:v197-vulkan-b8202
+          imagePullPolicy: IfNotPresent
+          command:
+            - /app/llama-swap
+          args:
+            - --config=/config/config.yaml
+            - --watch-config
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+          env:
+            - name: OPENROUTER_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: llama-openrouter
+                  key: OPENROUTER_API_KEY
+          volumeMounts:
+            - name: models
+              mountPath: /root/.cache
+            - mountPath: /dev/kfd
+              name: kfd
+            - mountPath: /dev/dri
+              name: dri
+            - mountPath: /config
+              name: config
+          securityContext:
+            privileged: true
+      volumes:
+        - name: models
+          persistentVolumeClaim:
+            claimName: llama-models-lvmssd
+        - name: kfd
+          hostPath:
+            path: /dev/kfd
+            type: CharDevice
+        - name: dri
+          hostPath:
+            path: /dev/dri
+            type: Directory
+        - name: config
+          configMap:
+            name: llama-swap
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: llama
+  namespace: llama
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 11434
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    app: llama-swap

apps/llama/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: llama
+  name: llama
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    nginx.ingress.kubernetes.io/proxy-buffering: "false"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: 30m
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+    - host: llama.lumpiasty.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: llama-proxy
+                port:
+                  number: 80
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - llama.lumpiasty.xyz
+      secretName: llama-ingress

apps/llama/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - secret.yaml
+  - auth-proxy.yaml
+  - ingress.yaml
+  - pvc-ssd.yaml
+  - deployment.yaml
+configMapGenerator:
+  - name: llama-swap
+    namespace: llama
+    files:
+      - config.yaml=configs/config.yaml
+      - qwen_nothink_chat_template.jinja=configs/qwen_nothink_chat_template.jinja

apps/llama/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: llama

apps/llama/pvc-ssd.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: llama-models-lvmssd
+  namespace: openebs
+spec:
+  capacity: 200Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-ssd$
+  volGroup: openebs-ssd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: llama-models-lvmssd
+spec:
+  capacity:
+    storage: 200Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ssd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: llama-models-lvmssd
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: llama-models-lvmssd
+  namespace: llama
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 200Gi
+  storageClassName: ssd-lvmpv
+  volumeName: llama-models-lvmssd

apps/llama/secret.yaml

@@ -0,0 +1,61 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: llama-proxy
+  namespace: llama
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: llama
+  namespace: llama
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: llama-proxy
+    serviceAccount: llama-proxy
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: llama-api-key
+  namespace: llama
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: ollama
+
+  destination:
+    create: true
+    name: llama-api-key
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: llama
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: llama-openrouter
+  namespace: llama
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: openrouter
+
+  destination:
+    create: true
+    name: llama-openrouter
+    type: Opaque
+    transformation:
+      excludeRaw: true
+      templates:
+        OPENROUTER_API_KEY:
+          text: '{{ get .Secrets "API_KEY" }}'
+
+  vaultAuthRef: llama

apps/nas/configmap.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nas-sftp-config
+  namespace: nas
+data:
+  sftp.json: |
+    {
+      "Global": {
+        "Chroot": {
+          "Directory": "%h",
+          "StartPath": "data"
+        },
+        "Directories": [
+          "data"
+        ]
+      },
+      "Users": [
+        {
+          "Username": "nas",
+          "UID": 1000,
+          "GID": 1000,
+          "PublicKeys": [
+            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCresbDFZijI+rZMgd3LdciPjpb4x4S5B7y0U+EoYPaz6hILT72fyz3QdcgKJJv8JUJI6g0811/yFRuOzCXgWaA922c/S/t6HMUrorh7mPVQMTN2dc/SVBvMa7S2M9NYBj6z1X2LRHs+g1JTMCtL202PIjes/E9qu0as0Vx6n/6HHNmtmA9LrpiAmurbeKXDmrYe2yWg/FA6cX5d86SJb21Dj8WqdCd3Hz0Pi6FzMKXhpWvs5Hfei1htsjsRzCxkpSTjlgFEFVfmHIXPfB06Sa6aCnkxAFnE7N+xNa9RIWeZmOXdA74LsfSKQ9eAXSrsC/IRxo2ce8cBzXJy+Itxw24fUqGYXBiCgx8i3ZA9IdwI1u71xYo9lyNjav5VykzKnAHRAYnDm9UsCf8k04reBevcLdtxL11vPCtind3xn76Nhy2b45dcp/MdYFANGsCcXJOMb6Aisb03HPGhs/aU3tCAQbTVe195mL9FWhGqIK2wBmF1SKW+4ssX2bIU6YaCYc= cardno:23_671_999"
+          ]
+        }
+      ]
+    }

apps/nas/deployment.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nas-sftp
+  namespace: nas
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nas-sftp
+  template:
+    metadata:
+      labels:
+        app: nas-sftp
+    spec:
+      initContainers:
+        - name: prepare-home
+          image: alpine:3.23.3
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -euo pipefail
+              mkdir -p /volume/sftp-root
+              chown root:root /volume/sftp-root
+              chmod 755 /volume/sftp-root
+              mkdir -p /volume/sftp-root/data
+              chown 1000:1000 /volume/sftp-root/data
+              chmod 750 /volume/sftp-root/data
+              mkdir -p /volume/host-keys
+              chown root:root /volume/host-keys
+              chmod 700 /volume/host-keys
+          volumeMounts:
+            - name: home
+              mountPath: /volume
+      containers:
+        - name: sftp
+          image: docker.io/emberstack/sftp:build-5.1.72
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 22
+              name: sftp
+              protocol: TCP
+          volumeMounts:
+            - name: config
+              mountPath: /app/config/sftp.json
+              subPath: sftp.json
+              readOnly: true
+            - name: home
+              mountPath: /home/nas
+              subPath: sftp-root
+            - name: home
+              mountPath: /etc/ssh/keys
+              subPath: host-keys
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              memory: 512Mi
+      volumes:
+        - name: home
+          persistentVolumeClaim:
+            claimName: nas-data-lvm-hdd
+        - name: config
+          configMap:
+            name: nas-sftp-config

apps/nas/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - configmap.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml

apps/nas/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nas

apps/nas/pvc.yaml

@@ -0,0 +1,49 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: nas-data-lvm-hdd
+  namespace: openebs
+spec:
+  capacity: 4Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: nas-data-lvm-hdd
+spec:
+  capacity:
+    storage: 4Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Delete
+  storageClassName: openebs-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    volumeHandle: nas-data-lvm-hdd
+  claimRef:
+    apiVersion: v1
+    kind: PersistentVolumeClaim
+    namespace: nas
+    name: nas-data-lvm-hdd
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: nas-data-lvm-hdd
+  namespace: nas
+spec:
+  storageClassName: openebs-lvmpv
+  accessModes:
+    - ReadWriteOnce
+  resources:
+   requests:
+     storage: 4Gi
+  volumeName: nas-data-lvm-hdd

apps/nas/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nas-sftp
+  namespace: nas
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Cluster
+  ports:
+    - name: sftp
+      port: 22
+      targetPort: 22
+      protocol: TCP
+  selector:
+    app: nas-sftp

apps/openwebui/ingress.yaml

@@ -0,0 +1,44 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: openwebui
+  name: openwebui-web
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/component: open-webui
+    app.kubernetes.io/instance: openwebui
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: openwebui
+  name: openwebui
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-buffering: "false"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: 30m
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+    - host: openwebui.lumpiasty.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: openwebui-web
+                port:
+                  number: 80
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - openwebui.lumpiasty.xyz
+      secretName: openwebui-ingress

apps/openwebui/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - pvc-pipelines.yaml
+  - release.yaml
+  - ingress.yaml

apps/openwebui/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openwebui

apps/openwebui/pvc-pipelines.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: openwebui-pipelines-lvmhdd
+  namespace: openebs
+spec:
+  capacity: 1Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: openwebui-pipelines-lvmhdd
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: openwebui-pipelines-lvmhdd
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: openwebui-pipelines-lvmhdd
+  namespace: openwebui
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: hdd-lvmpv
+  volumeName: openwebui-pipelines-lvmhdd

apps/openwebui/pvc.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: openwebui-lvmhdd
+  namespace: openebs
+spec:
+  capacity: 10Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: openwebui-lvmhdd
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: openwebui-lvmhdd
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: openwebui-lvmhdd
+  namespace: openwebui
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: hdd-lvmpv
+  volumeName: openwebui-lvmhdd

apps/openwebui/release.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: open-webui
+  namespace: openwebui
+spec:
+  interval: 24h
+  url: https://open-webui.github.io/helm-charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: openwebui
+  namespace: openwebui
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: open-webui
+      version: 12.9.0
+      sourceRef:
+        kind: HelmRepository
+        name: open-webui
+  values:
+    # Disable built in ingress, service is broken in chart
+    # They have hard coded wrong target port
+    # Reimplementing that in ingress.yaml
+    ingress:
+      enabled: false
+
+    persistence:
+      enabled: true
+      existingClaim: openwebui-lvmhdd
+
+    enableOpenaiApi: true
+    openaiBaseApiUrl: "http://llama.llama.svc.cluster.local:11434/v1"
+
+    ollama:
+      enabled: false
+
+    pipelines:
+      enabled: true
+      persistence:
+        enabled: true
+        existingClaim: openwebui-pipelines-lvmhdd

apps/renovate/configmap.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: renovate
+  name: renovate-config
+data:
+  RENOVATE_AUTODISCOVER: "true"
+  RENOVATE_ENDPOINT: https://gitea.lumpiasty.xyz/api/v1
+  RENOVATE_PLATFORM: gitea
+  RENOVATE_GIT_AUTHOR: Renovate Bot <renovate@lumpiasty.xyz>

apps/renovate/cronjob.yaml

@@ -1,16 +1,11 @@
 ---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: renovate
----
 apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: renovate
   namespace: renovate
 spec:
-  schedule: "@hourly"
+  schedule: "@daily"
   concurrencyPolicy: Forbid
   jobTemplate:
     spec:
@@ -20,8 +15,10 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:39.215.2-full
+              image: renovate/renovate:43.46.6-full
               envFrom:
                 - secretRef:
-                    name: renovate-env
+                    name: renovate-gitea-token
+                - configMapRef:
+                    name: renovate-config
           restartPolicy: Never

apps/renovate/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - configmap.yaml
+  - secret.yaml
+  - cronjob.yaml

apps/renovate/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: renovate

apps/renovate/secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: renovate
+  namespace: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: renovate
+  namespace: renovate
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: renovate
+    serviceAccount: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: renovate-gitea-token
+  namespace: renovate
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: renovate
+
+  destination:
+    create: true
+    name: renovate-gitea-token
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: renovate

apps/searxng/configs/settings.yml

@@ -0,0 +1 @@
+use_default_settings: true

apps/searxng/deployment.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: searxng
+  namespace: searxng
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: searxng
+  template:
+    metadata:
+      labels:
+        app: searxng
+    spec:
+      containers:
+        - name: searxng
+          image: searxng/searxng:2025.8.12-6b1516d
+          ports:
+            - containerPort: 8080
+          env:
+            - name: SEARXNG_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: searxng-secret
+                  key: SEARXNG_SECRET
+                  optional: false
+          volumeMounts:
+            - name: config-volume
+              mountPath: /etc/searxng/settings.yml
+              subPath: settings.yml
+              readOnly: true
+            - name: searxng-persistent-data
+              mountPath: /var/cache/searxng
+      volumes:
+        - name: config-volume
+          configMap:
+            name: searxng-config
+        - name: searxng-persistent-data
+          persistentVolumeClaim:
+            claimName: searxng-persistent-data-lvmhdd

apps/searxng/ingress.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: searxng
+  name: searxng
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+    - host: searxng.lumpiasty.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: searxng
+                port:
+                  number: 8080
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - searxng.lumpiasty.xyz
+      secretName: searxng-ingress

apps/searxng/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+configMapGenerator:
+  - name: searxng-config
+    namespace: searxng
+    files:
+      - settings.yml=configs/settings.yml

apps/searxng/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: searxng

apps/searxng/pvc.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: searxng-persistent-data-lvmhdd
+  namespace: openebs
+spec:
+  capacity: 1Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: searxng-persistent-data-lvmhdd
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: searxng-persistent-data-lvmhdd
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: searxng-persistent-data-lvmhdd
+  namespace: searxng
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: hdd-lvmpv
+  volumeName: searxng-persistent-data-lvmhdd

apps/searxng/service.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: searxng
+  namespace: searxng
+spec:
+  selector:
+    app: searxng
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080
+  type: ClusterIP

devenv.lock

@@ -1,17 +1,34 @@
 {
   "nodes": {
-    "flake-compat": {
+    "devenv": {
       "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "revCount": 69,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
+        "dir": "src/modules",
+        "lastModified": 1769881431,
+        "owner": "cachix",
+        "repo": "devenv",
+        "rev": "72d5e66e2dd5112766ef4c9565872b51094b542d",
+        "type": "github"
       },
       "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/edolstra/flake-compat/1.1.0.tar.gz"
+        "dir": "src/modules",
+        "owner": "cachix",
+        "repo": "devenv",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767039857,
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "flake-compat",
+        "type": "github"
       }
     },
     "flake-utils": {
@@ -19,11 +36,10 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "lastModified": 1731533236,
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -32,6 +48,47 @@
         "type": "github"
       }
     },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769069492,
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1762808025,
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "cb5e3fdca1de58ccbc3ef53de65bd372b48f567c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "krew2nix": {
       "inputs": {
         "flake-utils": "flake-utils",
@@ -42,11 +99,10 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1738540903,
-        "narHash": "sha256-/C5RTu3yCpVFHIL7u3hL9ZRGrXmIrLg3iB4+z9A3E8A=",
+        "lastModified": 1769904483,
         "owner": "a1994sc",
         "repo": "krew2nix",
-        "rev": "5bc50d65d6496ad30f897a9fe5532f440fb143ef",
+        "rev": "17d6ad3375899bd3f7d4d298481536155f3ec13c",
         "type": "github"
       },
       "original": {
@@ -57,11 +113,10 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1742069588,
-        "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
+        "lastModified": 1769461804,
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
+        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
         "type": "github"
       },
       "original": {
@@ -73,15 +128,18 @@
     },
     "root": {
       "inputs": {
-        "flake-compat": "flake-compat",
+        "devenv": "devenv",
+        "git-hooks": "git-hooks",
         "krew2nix": "krew2nix",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "pre-commit-hooks": [
+          "git-hooks"
+        ]
       }
     },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
         "owner": "nix-systems",
         "repo": "default",
         "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -96,7 +154,6 @@
     "systems_2": {
       "locked": {
         "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
         "owner": "nix-systems",
         "repo": "default",
         "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -116,11 +173,10 @@
         ]
       },
       "locked": {
-        "lastModified": 1715940852,
-        "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
+        "lastModified": 1769691507,
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
+        "rev": "28b19c5844cc6e2257801d43f2772a4b4c050a1b",
         "type": "github"
       },
       "original": {

devenv.nix

@@ -0,0 +1,62 @@
+{ pkgs, lib, config, inputs, ... }:
+
+let
+  # Python with hvac package
+  python = pkgs.python313.withPackages (python-pkgs: with python-pkgs; [
+    hvac
+  ]);
+in
+{
+  # Overlays - apply krew2nix to get kubectl with krew support
+  overlays = [
+    inputs.krew2nix.overlay
+  ];
+
+  # Environment variables
+  env = {
+    GREET = "devenv";
+    TALOSCONFIG = "${config.devenv.root}/talos/generated/talosconfig";
+    EDITOR = "vim";
+    RESTIC_REPOSITORY = "s3:https://s3.eu-central-003.backblazeb2.com/lumpiasty-backups";
+    VAULT_ADDR = "https://openbao.lumpiasty.xyz:8200";
+    PATH = "${config.devenv.root}/utils:${pkgs.coreutils}/bin";
+    PYTHON_BIN = "${python}/bin/python";
+    KUBECONFIG = "${config.devenv.root}/talos/generated/kubeconfig";
+  };
+
+  # Packages
+  packages = with pkgs; [
+    python
+    vim gnumake
+    talosctl cilium-cli
+    kubectx k9s kubernetes-helm
+    (kubectl.withKrewPlugins (plugins: with plugins; [
+      mayastor
+      openebs
+      browse-pvc
+    ]))
+    ansible
+    fluxcd
+    restic
+    openbao
+    pv-migrate
+    mermaid-cli
+  ];
+
+  # Scripts
+  scripts.hello.exec = ''
+    echo hello from $GREET
+  '';
+
+  # Shell hooks
+  enterShell = ''
+    source ${pkgs.bash-completion}/share/bash-completion/bash_completion
+    echo "Environment ready!"
+  '';
+
+  # Tests
+  enterTest = ''
+    echo "Running tests"
+    git --version | grep --color=auto "${pkgs.git.version}"
+  '';
+}

devenv.yaml

@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://devenv.sh/devenv.schema.json
+inputs:
+  nixpkgs:
+    url: github:NixOS/nixpkgs/nixos-unstable
+  krew2nix:
+    url: github:a1994sc/krew2nix
+    inputs:
+      nixpkgs:
+        follows: nixpkgs
+
+# If you're using non-OSS software, you can set allowUnfree to true.
+# allowUnfree: true
+
+# If you're willing to use a package that's vulnerable
+# permittedInsecurePackages:
+#  - "openssl-1.1.1w"
+
+# If you have more than one devenv you can merge them
+#imports:
+# - ./backend

docs/assets/cert-manager.svg

@@ -0,0 +1,211 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   id="svg3881"
+   width="735"
+   height="735"
+   version="1.1"
+   sodipodi:docname="logo.svg"
+   inkscape:version="1.1.2 (b8e25be8, 2022-02-05)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview119"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     showgrid="false"
+     width="735px"
+     height="735.18701px"
+     inkscape:zoom="0.83052846"
+     inkscape:cx="86.089765"
+     inkscape:cy="279.94224"
+     inkscape:window-width="1440"
+     inkscape:window-height="815"
+     inkscape:window-x="0"
+     inkscape:window-y="25"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="svg3881" />
+  <defs
+     id="defs3834">
+    <style
+       id="style3812">.cls-7{fill:#fff}</style>
+    <filter
+       id="luminosity-noclip"
+       x="598.71002"
+       y="183.45"
+       width="593.97998"
+       height="570.21997"
+       filterUnits="userSpaceOnUse"
+       color-interpolation-filters="sRGB">
+      <feFlood
+         flood-color="#fff"
+         result="bg"
+         id="feFlood3814" />
+      <feBlend
+         in="SourceGraphic"
+         in2="bg"
+         id="feBlend3816"
+         mode="normal" />
+    </filter>
+    <mask
+       id="mask"
+       x="598.71"
+       y="183.45"
+       width="593.98"
+       height="570.22"
+       maskUnits="userSpaceOnUse">
+      <g
+         id="g3823"
+         filter="url(#luminosity-noclip)">
+        <path
+           d="m 895.7,183.45 c -157.46,0 -285.11,127.65 -285.11,285.11 0,157.46 127.65,285.11 285.11,285.11 157.46,0 285.11,-127.67 285.11,-285.11 0,-157.44 -127.65,-285.11 -285.11,-285.11 z m -0.07,545.42 C 751.82,728.87 635.42,612.41 635.39,468.6 635.36,324.79 752.1,208 896,208.26 c 143.9,0.26 260.14,116.74 260,260.5 -0.14,143.76 -116.58,260.15 -260.37,260.11 z"
+           id="path3819" />
+        <path
+           d="m 875.36,590.92 c -8.93,-1.41 -13.67,-3.12 -23.71,-7.61 C 824,570.94 802.87,551.16 789,524.5 l -1.22,0.27 a 9.26,9.26 0 0 1 -2,0.22 9.37,9.37 0 0 1 -7.53,-3.83 9.26,9.26 0 0 1 -1.37,-8.35 l 2.27,-7.19 7.85,-25.13 a 9,9 0 0 1 15.27,-3.39 l 23.26,25.35 a 9.07,9.07 0 0 1 -1.47,13.55 61.2,61.2 0 0 0 14.52,14.56 88.71,88.71 0 0 0 16.26,5.65 181.32,181.32 0 0 0 24.73,4.4 V 440.2 h -21.52 a 18.49,18.49 0 0 1 -11,3.64 18.23,18.23 0 0 1 -13.57,-6.08 18.48,18.48 0 0 1 -0.11,-24.5 18.19,18.19 0 0 1 13.63,-6.26 18.53,18.53 0 0 1 11,3.6 h 21.58 v -3.33 C 866.23,401.5 857.8,390.93 855.14,376.59 851.3,356 864.4,335.5 885,329.92 a 41.23,41.23 0 0 1 10.74,-1.44 41.8,41.8 0 0 1 28.72,11.66 39.94,39.94 0 0 1 12.4,29 c 0,16.35 -7.65,29 -22.12,36.74 v 4.68 h 18.63 a 18.88,18.88 0 0 1 11,-3.6 18.09,18.09 0 0 1 13.56,6.13 18.49,18.49 0 0 1 -0.18,24.79 18,18 0 0 1 -13.36,5.88 18.81,18.81 0 0 1 -11,-3.54 h -0.6 c -5.05,0.3 -10.2,0.34 -15.19,0.39 h -2.94 v 100.98 a 147,147 0 0 0 18.3,-2.35 81.13,81.13 0 0 0 20,-6.37 59.65,59.65 0 0 0 14.84,-13.31 9,9 0 0 1 -0.82,-13.79 l 24.71,-23.65 a 9.1,9.1 0 0 1 6.34,-2.56 9.19,9.19 0 0 1 9,7 c 2.56,10.49 5.1,20.87 7.67,31.41 a 10.12,10.12 0 0 1 -9.81,12.53 10.2,10.2 0 0 1 -2.58,-0.33 c -12.36,22.51 -30.55,39.73 -52.75,49.88 l -4.09,1.95 c -11.35,5.24 -17.89,8.25 -29.89,9.57 l -19.9,19.52 z m 20,-233.29 c -6.26,0 -11.39,5.17 -11.69,11.76 a 11.56,11.56 0 0 0 3,8.41 11.77,11.77 0 0 0 8.26,3.81 h 1.08 c 6.23,0 11.21,-5 11.56,-11.6 0.35,-6.6 -4.55,-11.86 -11.41,-12.39 -0.16,0.02 -0.48,0.01 -0.76,0.01 z"
+           id="path3821" />
+      </g>
+    </mask>
+    <filter
+       id="luminosity-noclip-2"
+       x="583.53998"
+       y="-8590.9902"
+       width="624.32001"
+       height="32766"
+       filterUnits="userSpaceOnUse"
+       color-interpolation-filters="sRGB">
+      <feFlood
+         flood-color="#fff"
+         result="bg"
+         id="feFlood3826" />
+      <feBlend
+         in="SourceGraphic"
+         in2="bg"
+         id="feBlend3828"
+         mode="normal" />
+    </filter>
+  </defs>
+  <g
+     id="g226"
+     transform="translate(0,12.99976)">
+    <g
+       id="Background_wavy_outline"
+       data-name="Background wavy outline"
+       transform="translate(-528.23,-113.97)">
+      <path
+         d="m 1263.21,468.56 c 0,38.68 -23.69,73.14 -35,108 -11.74,36.17 -13.24,77.89 -35.15,108 -22.13,30.41 -61.49,44.63 -91.9,66.76 -30.11,21.91 -55.68,55.08 -91.84,66.83 -34.9,11.33 -74.93,-0.11 -113.6,-0.11 -38.67,0 -78.7,11.44 -113.59,0.11 -36.17,-11.75 -61.74,-44.92 -91.85,-66.83 -30.41,-22.13 -69.77,-36.35 -91.9,-66.76 -21.91,-30.1 -23.41,-71.82 -35.15,-108 -11.33,-34.9 -35,-69.36 -35,-108 0,-38.64 23.69,-73.14 35,-108 11.74,-36.17 13.24,-77.89 35.15,-108 22.13,-30.4 61.49,-44.63 91.9,-66.75 30.11,-21.91 55.68,-55.09 91.85,-66.83 34.89,-11.33 74.92,0.1 113.59,0.1 38.67,0 78.7,-11.43 113.59,-0.1 36.17,11.74 61.74,44.92 91.85,66.83 30.41,22.12 69.77,36.35 91.9,66.75 21.91,30.11 23.41,71.83 35.15,108 11.31,34.86 35,69.33 35,108 z"
+         id="path3838"
+         fill="#326ce5" />
+    </g>
+    <g
+       id="Waves"
+       transform="translate(-528.23,-113.97)">
+      <g
+         mask="url(#mask)"
+         id="g3847"
+         fill="none"
+         stroke="#ffffff"
+         stroke-miterlimit="10">
+        <path
+           d="m 598.71,427.68 c 42.43,0 42.43,20 84.85,20 42.42,0 42.43,-20 84.86,-20 42.43,0 42.42,20 84.85,20 42.43,0 42.42,-20 84.85,-20 42.43,0 42.43,20 84.85,20 42.42,0 42.43,-20 84.86,-20 42.43,0 42.43,20 84.86,20"
+           id="path3841"
+           stroke-width="3" />
+        <path
+           d="m 598.71,467.68 c 42.43,0 42.43,20 84.85,20 42.42,0 42.43,-20 84.86,-20 42.43,0 42.42,20 84.85,20 42.43,0 42.42,-20 84.85,-20 42.43,0 42.43,20 84.85,20 42.42,0 42.43,-20 84.86,-20 42.43,0 42.43,20 84.86,20"
+           id="path3843"
+           stroke-width="5" />
+        <path
+           d="m 598.71,515.68 c 42.43,0 42.43,20 84.85,20 42.42,0 42.43,-20 84.86,-20 42.43,0 42.42,20 84.85,20 42.43,0 42.42,-20 84.85,-20 42.43,0 42.43,20 84.85,20 42.42,0 42.43,-20 84.86,-20 42.43,0 42.43,20 84.86,20"
+           id="path3845"
+           stroke-width="7" />
+      </g>
+    </g>
+    <g
+       id="Text"
+       transform="translate(-528.23,-113.97)">
+      <g
+         id="g3878">
+        <g
+           id="Text_and_detail"
+           data-name="Text and detail">
+          <path
+             id="Circle"
+             class="cls-7"
+             d="m 895.7,156.4 c -172.4,0 -312.16,139.76 -312.16,312.16 0,172.4 139.76,312.16 312.16,312.16 172.4,0 312.16,-139.72 312.16,-312.16 0,-172.44 -139.76,-312.16 -312.16,-312.16 z m -0.08,597.16 c -157.44,0 -284.89,-127.51 -284.92,-284.95 0,-157.61 127.78,-285.3 285.33,-285 157.55,0.3 284.81,127.8 284.67,285.22 -0.14,157.42 -127.64,284.78 -285.08,284.73 z"
+             fill="#fff" />
+          <g
+             id="LETTERS">
+            <path
+               class="cls-7"
+               d="m 751.7,610 c -1,-3.45 -5.75,-6.88 -9.44,-6.42 -5.24,0.67 -10.46,1.54 -16.76,2.48 2.32,-6.15 4.28,-11.4 6.28,-16.65 1.73,-4.56 -2,-6.77 -4.34,-9.21 -2.34,-2.44 -4.17,0.64 -5.76,1.9 -8.47,6.71 -16.68,13.75 -25.23,20.35 -4.06,3.13 -1,4.95 0.64,7.2 1.64,2.25 3.31,4.78 6.66,1.83 3.86,-3.39 7.94,-6.54 12,-9.83 0.15,0.38 0.29,0.56 0.25,0.68 -0.8,2.32 -1.67,4.62 -2.45,6.95 -1.63,4.92 1.52,8.51 6.69,7.7 2.15,-0.34 4.34,-1 6.9,0.1 -4.16,3.41 -7.77,6.61 -11.63,9.46 -3.17,2.34 -1.65,4.25 0.26,6 1.91,1.75 2.71,6.31 6.8,3 q 13.79,-11.12 27.49,-22.31 c 0.94,-0.77 2.15,-1.49 1.64,-3.23 z"
+               id="path3851"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 918.85,273.61 c 6.54,2.7 9.13,1.46 10.48,-5.3 0.3,-1.47 0.57,-2.93 0.93,-4.38 0.29,-1.18 0,-3.17 1.81,-2.92 1.81,0.25 4.13,-0.12 4.79,2.58 0.66,2.7 1.48,5.09 2.22,7.63 2.08,7 3.51,8.09 10.64,8.46 2.68,0.14 3.28,-0.77 2.57,-3.16 -1.12,-3.81 -2.09,-7.67 -3.28,-11.46 -0.55,-1.73 -1,-2.75 1.37,-3.74 5.78,-2.44 7.34,-7.68 7.75,-13.07 0,-6.66 -4,-11.53 -11.48,-13.53 -6.08,-1.62 -12.32,-2.63 -18.48,-4 -2.3,-0.5 -3.45,0.43 -3.88,2.63 -2.36,12 -4.76,24.08 -7.09,36.14 -0.31,1.63 -0.54,3.22 1.65,4.12 z m 17.54,-31 c 5.05,-0.51 9.92,2.41 9.87,5.4 -0.05,2.99 -1.8,4.44 -5.19,4.53 -2.09,-1.76 -6.94,1.1 -7.65,-3.37 -0.3,-1.89 -1,-6.11 2.97,-6.52 z"
+               id="path3853"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 853,664.82 c -2.84,-0.93 -5.74,-2.1 -6.74,2.62 -1.09,5.19 -2.75,10.25 -4.47,16.5 -2.63,-7.82 -5.07,-14.52 -7.1,-21.34 -1.33,-4.46 -5.15,-4.42 -8.37,-5 -3.55,-0.58 -2.91,3 -3.47,5 -3,10.36 -5.58,20.86 -8.8,31.16 -1.58,5.08 2.17,4.62 4.67,5.49 2.66,0.91 5.47,2 6.48,-2.4 1.21,-5.27 2.82,-10.45 4.45,-16.34 0.67,1.54 1.13,2.42 1.44,3.34 2,6 4.09,11.93 6,17.94 1.37,4.44 5.37,4.17 8.56,4.61 3.19,0.44 2.53,-3 3.06,-4.81 3,-10.38 5.53,-20.89 8.8,-31.17 1.49,-4.98 -1.96,-4.76 -4.51,-5.6 z"
+               id="path3855"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 1093.86,601.57 c -3.28,-0.47 -6.51,-1.44 -9.8,-1.75 -2.71,-0.25 -3.39,-1.19 -3.48,-4 -0.22,-7 -6.55,-12.74 -13.44,-12.82 -4.73,-0.13 -8.35,2.24 -11.25,5.56 -3.61,4.13 -6.71,8.7 -10.33,12.82 -2.46,2.81 -2.15,4.55 0.78,6.76 8.76,6.62 17.45,13.35 25.94,20.3 3,2.4 4.51,2.15 6.72,-0.86 4,-5.45 4.16,-5.32 -1.23,-9.5 -1.18,-0.92 -2.42,-1.78 -3.5,-2.81 -0.83,-0.79 -2.89,-1.11 -1.73,-2.91 0.94,-1.45 1.75,-3.35 4.16,-2.86 2.41,0.49 5,0.56 7.33,1.41 5.37,2 8.71,-0.09 11.63,-4.54 1.93,-2.89 2.03,-4.26 -1.8,-4.8 z m -30,5.43 c -0.75,0.06 -6.13,-4.56 -6.08,-5.23 0.13,-1.76 6.28,-7.65 8,-7.65 2.31,0.46 4,1.61 4.19,4.15 0.11,1.55 -4.97,8.63 -6.11,8.73 z"
+               id="path3857"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 845.26,274.6 c 0.35,2 1,3.6 3.49,3.21 9,-1.56 18.06,-2.91 27,-4.77 4.72,-1 1.47,-4.56 1.52,-7 0.05,-2.61 -1.37,-3.4 -3.93,-2.9 -4.89,0.95 -9.85,1.6 -14.74,2.57 -2.54,0.5 -3.21,-0.66 -3.45,-2.83 -0.21,-1.93 -0.49,-3.43 2.3,-3.74 4.13,-0.44 8.17,-1.61 12.3,-2.05 4.47,-0.48 3.65,-3.29 3.17,-6.13 -0.48,-2.84 -1.08,-5.17 -5,-4.09 -3.67,1 -7.56,1.16 -11.26,2.09 -2.6,0.66 -3.87,0.5 -4.41,-2.54 -0.59,-3.28 1.23,-3.55 3.55,-3.9 4.11,-0.61 8.2,-1.4 12.31,-2 2.63,-0.4 4.65,-1.13 3.59,-4.44 -0.85,-2.66 0.36,-6.86 -5.13,-5.72 -7.81,1.63 -15.68,3 -23.58,4 -3.78,0.48 -4.3,2.17 -3.74,5.31 2.03,11.67 4.02,23.33 6.01,34.93 z"
+               id="path3859"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 978.68,669.54 a 88.5,88.5 0 0 1 -8.92,3.07 c -2.51,0.8 -4.32,1.82 -2.82,5 1.19,2.46 0.87,6.55 5.62,4.65 0.87,-0.35 1.8,-1.17 2.65,-0.11 0.85,1.06 0.29,2.32 -0.13,3.32 -1.22,2.87 -3.78,4.1 -6.65,4.6 -2.87,0.5 -5.24,-0.87 -6.67,-3.37 a 32.79,32.79 0 0 1 -4,-11.2 c -0.93,-5.83 4.62,-10.93 9.91,-8.38 4.36,2.1 7.64,0.42 11.34,-0.66 2.53,-0.74 2.54,-2.25 1.08,-4.09 -3.38,-4.26 -8,-5.61 -13.24,-5.83 a 22.68,22.68 0 0 0 -15,5.6 c -5,4.48 -7,10.16 -5,16.65 2.53,8.49 4,18 14.56,20.8 8.1,2.13 15.24,-0.38 21,-6.12 6.23,-6.24 4.72,-13.51 2,-20.92 -1.19,-3.16 -2.35,-4.5 -5.73,-3.01 z"
+               id="path3861"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 1040.7,650.65 c -3.66,2.86 -7.64,5.31 -11.31,8.17 -2,1.56 -3,1.07 -4.29,-0.81 -1.29,-1.88 -1.69,-3 0.46,-4.41 3.33,-2.19 6.52,-4.59 9.76,-6.91 1.06,-0.76 2.34,-1.38 2.22,-3.22 a 13.54,13.54 0 0 0 -4.19,-5.8 c -1.86,-1.31 -3.3,0.69 -4.75,1.69 -3,2.08 -6.14,4 -8.94,6.34 -2.33,1.94 -3,0.17 -4.15,-1.21 -1.38,-1.61 -1.4,-2.61 0.53,-3.87 3.75,-2.45 7.22,-5.33 11,-7.71 3.1,-1.94 2.44,-3.82 0.62,-6.06 -1.61,-2 -2.59,-5 -6.15,-2.3 -6.52,4.86 -13.22,9.49 -19.89,14.17 -2.1,1.47 -2.19,2.93 -0.72,5 6.9,9.57 13.71,19.2 20.54,28.83 1.24,1.74 2.45,2.43 4.5,0.94 q 10.26,-7.5 20.69,-14.75 c 3.27,-2.27 1.29,-4.16 -0.11,-6.21 -1.4,-2.05 -2.73,-4.31 -5.82,-1.88 z"
+               id="path3863"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 782.4,634.42 c -1.4,-1 -2.88,-0.53 -4.14,0.45 q -15.18,11.8 -30.33,23.64 c -1.33,1 -2.32,2.47 -0.4,3.54 3.54,2 6.78,7 11.49,1.72 a 1.59,1.59 0 0 1 2.18,-0.47 c 3.76,2.46 7.55,4.87 11.3,7.33 1,0.68 0.67,1.74 0.55,2.72 -0.53,4.29 2.44,9.12 6.71,9.35 4.46,0.23 2.36,-4.48 3.76,-6.69 a 3,3 0 0 0 0.34,-0.94 c 2.6,-10.65 5.2,-21.31 8,-32.85 -1.12,-4.32 -6.07,-5.22 -9.46,-7.8 z m -6.4,26.72 c -7.81,-4.59 -7.81,-4.59 -1.47,-9.65 1.28,-1 2.6,-2 4.48,-3.44 A 56.33,56.33 0 0 1 776,661.14 Z"
+               id="path3865"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 769.49,297.35 c 5,6.94 12.68,9 20.82,6 8.46,-3.06 15,-11.32 14.66,-18.87 a 20.55,20.55 0 0 0 -1.24,-5.29 2.11,2.11 0 0 0 -2.13,-1.73 c -2.9,0 -8.23,5.19 -8.27,8.3 -0.05,4.19 -2.73,6.29 -6.08,7.63 -3.17,1.26 -6,0 -7.87,-2.63 a 73.14,73.14 0 0 1 -5.94,-9.75 c -1.4,-2.87 -1.14,-6 1.47,-8.23 2.61,-2.23 5.84,-3.74 9.55,-1.71 2.6,1.43 9.61,-1 11.1,-3.53 1,-1.62 -0.28,-2.53 -1.09,-3.43 a 13.88,13.88 0 0 0 -10.8,-4.68 c -13.38,0.05 -23.81,10.35 -22.4,21.61 0.8,6.34 4.73,11.34 8.22,16.31 z"
+               id="path3867"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 911.56,677.13 c -3.39,-8.82 -5.72,-10 -14.79,-8 a 3.88,3.88 0 0 0 -3.27,2.63 Q 887.8,690 882.14,708.3 c -0.33,1.07 -0.81,2.33 0.47,3.17 2.73,1.8 9.9,-0.72 11.13,-3.89 0.51,-1.32 0.52,-2.93 2.71,-2.89 4,0.08 8,0 12,-0.19 1.42,-0.06 2.3,0.48 2.55,1.76 0.77,4 3.17,5.18 6.48,4.32 6.77,-0.17 6.8,-0.19 4.58,-6 q -5.24,-13.76 -10.5,-27.45 z M 901,695.2 c -3,0 -3.44,-0.84 -2.54,-3.39 1.09,-3.12 2,-6.3 3.27,-10.36 1.33,3.4 2.31,5.85 3.24,8.31 2.08,5.57 2.03,5.38 -3.97,5.44 z"
+               id="path3869"
+               fill="#fff" />
+            <path
+               class="cls-7"
+               d="m 999.44,302.68 c 2.34,1.28 4.57,4.69 7.27,0.18 3.57,-6 7.44,-11.79 11.16,-17.68 4.48,-7.08 4.6,-7.29 11.8,-2.76 3.83,2.42 4.84,-0.19 6.45,-2.52 1.72,-2.5 2.4,-4.41 -1,-6.41 q -12,-7.15 -23.55,-14.92 c -3.27,-2.18 -4.89,-1.6 -7,1.64 -2.34,3.57 -1.86,5.47 1.76,7.39 2.1,1.11 4.45,2.13 5.9,4.21 -0.74,1.19 -1.34,2.19 -2,3.17 -4.53,7.16 -8.93,14.4 -13.62,21.45 -2.52,3.88 0.39,4.91 2.83,6.25 z"
+               id="path3871"
+               fill="#fff" />
+          </g>
+          <g
+             id="New_Anchor"
+             data-name="New Anchor">
+            <path
+               class="cls-7"
+               d="m 1008.89,520.42 c -2.57,-10.54 -5.11,-20.92 -7.68,-31.42 a 3.2,3.2 0 0 0 -5.33,-1.56 l -24.72,23.66 a 3.06,3.06 0 0 0 1.26,5.14 c 0.92,0.26 1.82,0.51 2.74,0.7 2,0.43 1.8,1.1 0.87,2.51 a 65.59,65.59 0 0 1 -20,19.58 l -0.2,0.12 a 86.78,86.78 0 0 1 -21.7,7 159.35,159.35 0 0 1 -23.53,2.72 1.84,1.84 0 0 1 -1.9,-1.87 V 436.62 a 1.08,1.08 0 0 1 1.08,-1.08 c 1,0 2.22,0.2 5.15,0.17 5.76,-0.06 11.76,-0.06 17.54,-0.4 1.88,-0.11 2.93,-0.05 4.13,0.85 a 12.35,12.35 0 0 0 16.71,-1.29 12.52,12.52 0 0 0 0.11,-16.76 12.3,12.3 0 0 0 -16.66,-1.58 4.07,4.07 0 0 1 -2.53,1.08 q -12.08,-0.06 -24.14,0 a 1.9,1.9 0 0 1 -1.39,-0.37 v -12.62 a 1.8,1.8 0 0 1 0.42,-1.18 6.42,6.42 0 0 1 2,-1.41 c 13,-6.6 19.74,-17.44 19.75,-31.87 0,-22.83 -22.27,-39.44 -44.29,-33.46 -17.46,4.74 -28.8,22.08 -25.51,39.77 2.42,13 10.07,22.1 22.51,26.92 a 6.59,6.59 0 0 1 1.33,0.66 1.8,1.8 0 0 1 0.71,1.47 v 10.32 a 1.78,1.78 0 0 1 -1.8,1.78 c -8.65,-0.1 -17.31,-0.06 -26,0 a 5.53,5.53 0 0 1 -3.31,-1.12 12.24,12.24 0 0 0 -16.62,1.7 12.37,12.37 0 0 0 16.73,18.07 5.08,5.08 0 0 1 3.3,-1.08 c 8.39,0 16.79,0.12 25.18,0 a 3.19,3.19 0 0 1 2.17,0.46 1,1 0 0 1 0.31,0.76 v 109.81 a 1.85,1.85 0 0 1 -2,1.84 192.44,192.44 0 0 1 -30.22,-5 92.79,92.79 0 0 1 -17.68,-6.21 1.56,1.56 0 0 1 -0.28,-0.16 66.87,66.87 0 0 1 -19.54,-21.38 1.38,1.38 0 0 1 1,-2.16 l 2.65,-0.54 a 3.08,3.08 0 0 0 1.6,-5.08 l -23.26,-25.35 a 3,3 0 0 0 -5.13,1.14 c -3.44,10.89 -6.79,21.53 -10.19,32.32 a 3.35,3.35 0 0 0 3.94,4.28 l 1.8,-0.41 a 5.12,5.12 0 0 1 5.69,2.64 c 13.38,26 33.5,44.81 60.12,56.7 10.4,4.65 14.52,6 23.5,7.37 a 1.78,1.78 0 0 1 1,0.51 l 13.67,13.55 a 4.91,4.91 0 0 0 6.85,0 l 13.28,-13 a 1.88,1.88 0 0 1 1.12,-0.52 c 13.3,-1.25 19.23,-4.54 33.54,-11.09 22.15,-10.13 39.74,-27.76 51.06,-49.32 1,-1.92 1.88,-2.15 3.58,-1.58 0.65,0.22 1.31,0.43 2,0.63 a 4.12,4.12 0 0 0 5.21,-4.98 z M 894.79,388.59 A 17.72,17.72 0 0 1 877.71,370.1 c 0.48,-10.46 9.18,-18.18 19,-17.43 10.34,0.8 17.46,9.11 16.94,18.69 -0.56,10.42 -9.1,17.96 -18.86,17.23 z"
+               id="path3874"
+               fill="#fff" />
+          </g>
+        </g>
+      </g>
+    </g>
+  </g>
+</svg>

docs/assets/cilium.svg

@@ -0,0 +1,16 @@
+<svg width="35" height="35" viewBox="0 0 35 35" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M29.3361 18.8075H24.2368L21.6571 23.3262L24.2368 27.7838H29.3361L31.9157 23.3262L29.3361 18.8075Z" fill="#8061A9"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M29.3361 6.83905H24.2368L21.6571 11.3577L24.2368 15.8153H29.3361L31.9157 11.3577L29.3361 6.83905Z" fill="#F17323"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M19.0774 1.13983H13.9781L11.3984 5.65852L13.9781 10.1161H19.0774L21.6571 5.65852L19.0774 1.13983Z" fill="#F8C517"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M8.81889 6.83905H3.71959L1.13989 11.3577L3.71959 15.8153H8.81889L11.3985 11.3577L8.81889 6.83905Z" fill="#CADD72"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M19.0774 12.8233H13.9781L11.3984 17.342L13.9781 21.7996H19.0774L21.6571 17.342L19.0774 12.8233Z" fill="#E82629"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M8.81889 18.8075H3.71959L1.13989 23.3262L3.71959 27.7838H8.81889L11.3985 23.3262L8.81889 18.8075Z" fill="#98C93E"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M19.0774 24.5067H13.9781L11.3984 29.0254L13.9781 33.483H19.0774L21.6571 29.0254L19.0774 24.5067Z" fill="#628AC6"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M18.8181 21.0633H14.2377L11.9205 17.1247L14.2377 13.1321H18.8181L21.1352 17.1247L18.8181 21.0633ZM19.6441 11.6834H13.3933L10.2587 17.116L13.3933 22.512H19.6441L22.797 17.116L19.6441 11.6834Z" fill="#363736"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M13.3932 23.3669L10.2587 28.7995L13.3932 34.1954H19.6441L22.797 28.7995L19.6441 23.3669H13.3932ZM11.9204 28.8082L14.2376 24.8156H18.818L21.1352 28.8082L18.818 32.7468H14.2376L11.9204 28.8082Z" fill="#363736"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M13.3932 0L10.2587 5.43263L13.3932 10.8285H19.6441L22.797 5.43263L19.6441 0H13.3932ZM11.9204 5.4412L14.2376 1.4487H18.818L21.1352 5.4412L18.818 9.37985H14.2376L11.9204 5.4412Z" fill="#363736"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M23.6518 17.6676L20.5172 23.1002L23.6518 28.4961H29.9026L33.0555 23.1002L29.9026 17.6676H23.6518ZM22.1791 23.1088L24.4962 19.1162H29.0766L31.3937 23.1088L29.0766 27.0475H24.4962L22.1791 23.1088Z" fill="#363736"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M23.6518 5.69922L20.5172 11.1319L23.6518 16.5278H29.9026L33.0555 11.1319L29.9026 5.69922H23.6518ZM22.1791 11.1405L24.4962 7.14791H29.0766L31.3937 11.1405L29.0766 15.0791H24.4962L22.1791 11.1405Z" fill="#363736"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M3.13453 17.6676L0 23.1002L3.13453 28.4961H9.38542L12.5383 23.1002L9.38542 17.6676H3.13453ZM1.66179 23.1088L3.97892 19.1162H8.55933L10.8765 23.1088L8.55933 27.0475H3.97892L1.66179 23.1088Z" fill="#363736"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M3.13453 5.69922L0 11.1319L3.13453 16.5278H9.38542L12.5383 11.1319L9.38542 5.69922H3.13453ZM1.66179 11.1405L3.97892 7.14791H8.55933L10.8765 11.1405L8.55933 15.0791H3.97892L1.66179 11.1405Z" fill="#363736"/>
+</svg>

docs/assets/cloudnativepg.svg

@@ -0,0 +1,22 @@
+<svg width="415" height="435" viewBox="0 0 415 435" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M378.818 394.575C374.687 384.53 371.638 374.017 368.542 363.583C365.018 351.693 362.1 339.626 358.615 327.73C357.587 324.226 355.842 320.82 353.833 317.75C351.837 314.694 349.762 315.162 348.708 318.607C345.869 327.855 343.452 337.241 340.29 346.371C334.572 362.845 326.78 378.173 316.115 392.191C310.793 399.186 304.838 405.668 298.679 411.925C295.597 415.054 292.461 418.13 289.313 421.2C286.559 423.888 283.674 426.707 285.617 430.784C287.126 433.946 290.479 434.249 293.588 434.236C294.036 434.236 294.477 434.223 294.912 434.216C310.819 433.953 326.727 434.387 342.628 434.572C353.734 434.697 364.846 435.151 375.946 434.901C380.629 434.796 385.767 434.947 389.581 431.107C393.862 426.792 394.554 423.505 391.471 418.242C386.939 410.529 382.203 402.809 378.818 394.575Z" fill="url(#paint0_radial_248_90)"/>
+<path d="M409.948 262.887C407.879 262.38 405.857 261.826 403.894 261.188C383.527 254.68 369.45 241.453 353.964 226.559C351.599 224.274 350.829 221.672 350.994 218.405C351.87 203.189 350.038 188.157 347.357 173.231C343.583 152.409 337.345 132.279 328.848 112.867C326.938 108.513 324.388 104.659 323.058 100.042C322.926 99.5347 322.821 98.9551 323.163 98.5533C323.532 98.1054 324.276 98.2107 324.836 98.4215C329.777 100.437 337.635 122.774 343.985 117.063C345.342 115.844 345.842 113.98 346.192 112.202C351.58 85.5899 344.782 44.5856 321.016 28.1246C310.101 20.556 298.126 13.1983 285.031 10.2539C278.338 8.76522 271.06 8.84424 264.901 11.8743C261.844 13.363 259.084 15.563 255.765 16.3601C249.843 17.8224 243.947 14.5025 238.105 12.724C231.017 10.5964 223.284 10.7018 216.275 13.0665C210.643 14.9504 205.018 18.2967 199.175 17.2098C191.073 15.6948 185.23 6.34776 176.839 3.48239C166.774 0.0307768 155.595 0.0307897 145.287 2.34284C115.704 8.98259 87.9265 29.7516 67.2366 51.1265C44.531 74.5764 35.5002 105.595 55.5775 133.906C62.7508 144.024 73.2901 151.908 85.3181 155.017C87.6565 155.63 90.1266 156.104 92.0632 157.54C99.7108 163.225 83.5659 178.441 80.1143 183.381C72.6775 194.085 65.7479 205.184 60.5969 217.186C51.0391 239.417 46.8695 261.774 43.5232 285.573C37.7332 326.735 29.9802 369.044 10.7263 406.221C7.61722 412.196 3.74404 418.144 1.30024 424.415C0.713994 425.903 0.529556 427.655 1.30024 429.039C1.75475 429.836 2.49251 430.448 3.28954 430.87C7.59089 433.261 14.1252 432.727 18.8811 432.754C33.2211 432.806 47.5611 432.859 61.9274 432.885C69.2325 432.912 76.5309 432.938 83.836 432.938C89.0924 432.938 96.8256 434.269 101.601 431.739C104.684 430.119 106.383 426.667 107.233 423.268C108.478 418.275 109.275 413.151 110.606 408.158C114.696 392.889 120.513 378.358 127.976 364.393C139.819 342.215 152.196 317.151 130.209 296.909C124.419 291.6 117.753 287.378 111.541 282.595C110.349 281.667 109.176 279.783 110.428 278.933C110.909 278.59 111.567 278.67 112.18 278.801C136.163 283.821 158.335 309.583 156.847 334.251C156.05 347.129 150.872 358.682 146.94 370.631C142.955 382.771 138.285 394.773 137.165 407.677C136.71 412.775 136.183 417.926 136.131 423.051C136.052 429.691 138.548 433.116 146.09 433.142C173.683 433.195 201.276 433.623 228.87 433.887C235.878 433.966 250.278 436.278 253.09 427.221C254.124 423.874 252.8 420.291 251.075 417.261C249.349 414.231 247.142 411.392 246.213 408.019C244.514 401.992 247.168 395.642 249.988 390.043C253.255 383.562 257.319 377.482 260.56 371C264.361 364.15 268.82 357.773 272.245 350.686C275.855 343.275 278.78 335.549 281.197 327.69C284.464 317.144 286.829 306.335 288.687 295.473C289.082 293.121 289.339 290.75 289.622 288.379C289.767 287.187 289.912 285.994 290.083 284.809C290.274 283.478 290.57 281.897 292.296 282.022C302.592 282.747 287.139 341.675 285.788 345.271C282.626 353.716 278.832 361.923 274.366 369.782C268.761 379.636 258.459 388.581 260.981 401.037C261.884 405.444 262.944 411.767 266.93 414.554C272.397 418.407 279.438 412.005 283.318 408.527C289.424 403.026 294.338 396.472 299.489 390.096C313.671 372.568 324.586 352.622 332.523 331.564C341.152 308.568 345.006 285.698 348.029 261.477C348.214 260.094 348.51 258.526 349.676 257.789C351.007 256.939 352.732 257.578 354.162 258.217C371.69 265.97 390.628 272.241 409.691 270.403C412.029 270.166 414.947 269.184 415 266.846C415.046 264.534 412.207 263.414 409.948 262.887ZM316.708 250.912C316.523 251.577 316.016 252.157 315.43 252.532C314.317 253.224 312.828 253.408 311.55 253.54C303.053 254.416 294.687 251.814 287.04 248.363C285.821 247.829 284.596 247.276 283.377 246.663C271.718 240.873 260.883 232.613 251.931 223.161C244.336 215.137 238.335 205.632 234.218 195.383C233.342 193.203 232.308 190.871 231.801 188.559C231.373 186.596 231.643 184.284 233.158 182.927C234.113 182.077 235.417 181.761 236.662 181.491C240.832 180.667 245.265 180.213 249.487 180.588C251.213 180.694 253.018 181.148 254.243 182.341C255.33 183.375 255.863 184.837 256.344 186.273C258.413 192.485 260.145 198.887 263.089 204.783C266.067 210.757 269.993 216.363 274.083 221.619C275.572 223.529 277.113 225.387 278.707 227.225C286.592 236.282 296.953 244.384 309.06 246.689C309.541 246.795 310.015 246.874 310.523 246.953C312.196 247.19 313.948 247.355 315.384 248.283C316.076 248.738 316.688 249.449 316.767 250.273C316.761 250.484 316.761 250.694 316.708 250.912Z" fill="url(#paint1_radial_248_90)"/>
+<defs>
+<radialGradient id="paint0_radial_248_90" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(-404.314 -402.661) scale(1393.49)">
+<stop stop-color="#732DD9"/>
+<stop offset="0.1185" stop-color="#6A2BCB"/>
+<stop offset="0.3434" stop-color="#5125A5"/>
+<stop offset="0.6486" stop-color="#291C69"/>
+<stop offset="0.8139" stop-color="#121646"/>
+<stop offset="1" stop-color="#121646"/>
+</radialGradient>
+<radialGradient id="paint1_radial_248_90" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(-404.315 -402.661) scale(1393.49)">
+<stop stop-color="#732DD9"/>
+<stop offset="0.1185" stop-color="#6A2BCB"/>
+<stop offset="0.3434" stop-color="#5125A5"/>
+<stop offset="0.6486" stop-color="#291C69"/>
+<stop offset="0.8139" stop-color="#121646"/>
+<stop offset="1" stop-color="#121646"/>
+</radialGradient>
+</defs>
+</svg>

docs/assets/flux.svg

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="64px" height="64px" viewBox="0 0 64 64" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <!-- Generator: Sketch 56.3 (81716) - https://sketch.com -->
+    <title>flux-icon</title>
+    <desc>Created with Sketch.</desc>
+    <g id="flux-icon" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <g id="Group" transform="translate(11.000000, 2.000000)">
+            <path d="M0.803134615,15.7791346 C-0.246288462,15.0966346 -0.246288462,13.5602885 0.803134615,12.8783654 L20.1819808,0.279519231 C20.7554423,-0.0931730769 21.4944808,-0.0931730769 22.0679423,0.279519231 L41.4473654,12.8783654 C42.4967885,13.5602885 42.4967885,15.0966346 41.4473654,15.7791346 L22.0679423,28.3779808 C21.4944808,28.7506731 20.7554423,28.7506731 20.1819808,28.3779808 L0.803134615,15.7791346 Z" id="Fill-1" fill="#326CE5"></path>
+            <path d="M24.1851346,18.0023077 L25.5293654,18.0023077 C26.3145577,18.0023077 26.8055192,17.1525 26.4126346,16.4728846 L22.0084038,8.84423077 C21.6160962,8.16461538 20.63475,8.16461538 20.2418654,8.84423077 L15.8376346,16.4728846 C15.4453269,17.1525 15.9357115,18.0023077 16.7209038,18.0023077 L18.0657115,18.0023077 C18.6287885,18.0023077 19.0851346,18.4592308 19.0851346,19.0223077 L19.0851346,27.7298077 L19.9874423,28.3165385 C20.6791731,28.7665385 21.5710962,28.7665385 22.2628269,28.3165385 L23.1651346,27.7298077 L23.1651346,19.0223077 C23.1651346,18.4592308 23.6214808,18.0023077 24.1851346,18.0023077" id="Fill-3" fill="#C1D2F7"></path>
+            <path d="M27.8390769,34.8375577 L23.1648462,31.7989038 L23.1648462,33.2389038 C24.6902308,33.8919808 26.2588846,34.4008269 27.8390769,34.8375577" id="Fill-5" fill="#326CE5"></path>
+            <path d="M23.1650769,35.8280192 L23.1650769,37.8495577 C24.7095,38.3209038 26.2723846,38.7080192 27.8191154,39.0893654 C32.8706538,40.3349423 37.6418077,41.5107115 41.4783462,45.3478269 C41.6733462,45.54225 41.8562308,45.7407115 42.0373846,45.93975 C42.4308462,45.1880192 42.2335385,44.1957115 41.4466154,43.6845577 L33.8560385,38.7489808 C32.0133462,38.1409038 30.1360385,37.6759038 28.2806538,37.2189808 C26.5308462,36.7874423 24.8196923,36.3570577 23.1650769,35.8280192" id="Fill-7" fill="#326CE5"></path>
+            <path d="M19.08525,34.1699423 C18.4304423,33.8318654 17.7854423,33.4689808 17.1629423,33.0489808 L15.4269808,34.1774423 C16.5975577,35.0382115 17.8235192,35.7362885 19.08525,36.3212885 L19.08525,34.1699423 Z" id="Fill-9" fill="#326CE5"></path>
+            <path d="M24.8941731,40.6051154 C24.3137885,40.4620385 23.7374423,40.3195385 23.1651346,40.1735769 L23.1651346,42.1605 C23.5885962,42.2666538 24.0114808,42.3722308 24.4326346,42.4760769 C29.4841731,43.7210769 34.2553269,44.8968462 38.0924423,48.7339615 C38.0987885,48.7408846 38.1045577,48.7472308 38.1114808,48.7541538 L39.75225,47.6868462 C39.6524423,47.5824231 39.5584038,47.4751154 39.4545577,47.3718462 C35.2384038,43.1551154 29.9791731,41.8587692 24.8941731,40.6051154" id="Fill-11" fill="#326CE5"></path>
+            <path d="M19.08525,38.9907115 C16.8900577,38.2389808 14.8096731,37.2714808 12.9115962,35.8124423 L11.2119808,36.9178269 C13.6287115,38.9110962 16.3194808,40.1203269 19.08525,41.0168654 L19.08525,38.9907115 Z" id="Fill-13" fill="#326CE5"></path>
+            <path d="M19.08525,43.3809808 C15.3069808,42.3909808 11.7537115,41.18175 8.71794231,38.5388654 L7.04717308,39.6252115 C10.6125577,42.9102115 14.8540962,44.2832885 19.08525,45.3707885 L19.08525,43.3809808 Z" id="Fill-15" fill="#326CE5"></path>
+            <path d="M23.1650769,46.3935 C27.1175769,47.4140769 30.8341154,48.6342692 33.9823846,51.4381154 L35.6439231,50.3581154 C31.9654615,46.9000385 27.5514231,45.5194615 23.1650769,44.4048462 L23.1650769,46.3935 Z" id="Fill-17" fill="#326CE5"></path>
+            <path d="M4.57875,41.2299231 L2.92990385,42.3018462 C2.98759615,42.3612692 3.04009615,42.423 3.09951923,42.4818462 C7.31625,46.6985769 12.5743269,47.9949231 17.6599038,49.2485769 C22.0641346,50.3337692 26.2543269,51.3687692 29.7989423,54.1581923 L31.4893269,53.0591538 C27.4958654,49.6968462 22.7385577,48.5158846 18.1214423,47.3781923 C13.1206731,46.1453077 8.39567308,44.9758846 4.57875,41.2299231" id="Fill-19" fill="#326CE5"></path>
+            <path d="M1.07555769,44.5060962 C0.883442308,44.3139808 0.702865385,44.1184038 0.524019231,43.9216731 C-0.227711538,44.6745577 -0.139442308,45.9726346 0.80325,46.5853269 L6.50959615,50.2955192 C9.03536538,51.3409038 11.6765192,51.9945577 14.2738269,52.6349423 C18.3284423,53.6341731 22.2019038,54.5924423 25.5578654,56.9157115 L27.2834423,55.7930192 C23.4676731,52.9245577 19.0403654,51.8255192 14.7347885,50.7639808 C9.68382692,49.5189808 4.91267308,48.3432115 1.07555769,44.5060962" id="Fill-21" fill="#326CE5"></path>
+            <path d="M19.6441154,58.8342692 C20.0243077,59.0188846 20.3998846,59.2133077 20.7691154,59.4221538 C21.2093077,59.5150385 21.6771923,59.4383077 22.0683462,59.1838846 L23.0260385,58.5613846 C19.9493077,56.5035 16.5287308,55.461 13.1196923,54.5927308 L19.6441154,58.8342692 Z" id="Fill-23" fill="#326CE5"></path>
+        </g>
+    </g>
+</svg>

docs/assets/frigate.svg

@@ -0,0 +1,3 @@
+<svg width="512" height="512" viewBox="0 0 512 512" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M130 446.5C131.6 459.3 145 468 137 470C129 472 94 406.5 86 378.5C78 350.5 73.5 319 75.5 301C77.4999 283 181 255 181 247.5C181 240 147.5 247 146 241C144.5 235 171.3 238.6 178.5 229C189.75 214 204 216.5 213 208.5C222 200.5 233 170 235 157C237 144 215 129 209 119C203 109 222 102 268 83C314 64 460 22 462 27C464 32 414 53 379 66C344 79 287 104 287 111C287 118 290 123.5 288 139.5C286 155.5 285.76 162.971 282 173.5C279.5 180.5 277 197 282 212C286 224 299 233 305 235C310 235.333 323.8 235.8 339 235C358 234 385 236 385 241C385 246 344 243 344 250C344 257 386 249 385 256C384 263 350 260 332 260C317.6 260 296.333 259.333 287 256L285 263C281.667 263 274.7 265 267.5 265C258.5 265 258 268 241.5 268C225 268 230 267 215 266C200 265 144 308 134 322C124 336 130 370 130 385.5C130 399.428 128 430.5 130 446.5Z" fill="black"/>
+</svg>

docs/assets/gitea.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" viewBox="0 0 640 640" width="32" height="32"><path d="m395.9 484.2-126.9-61c-12.5-6-17.9-21.2-11.8-33.8l61-126.9c6-12.5 21.2-17.9 33.8-11.8 17.2 8.3 27.1 13 27.1 13l-.1-109.2 16.7-.1.1 117.1s57.4 24.2 83.1 40.1c3.7 2.3 10.2 6.8 12.9 14.4 2.1 6.1 2 13.1-1 19.3l-61 126.9c-6.2 12.7-21.4 18.1-33.9 12" style="fill:#fff"/><path d="M622.7 149.8c-4.1-4.1-9.6-4-9.6-4s-117.2 6.6-177.9 8c-13.3.3-26.5.6-39.6.7v117.2c-5.5-2.6-11.1-5.3-16.6-7.9 0-36.4-.1-109.2-.1-109.2-29 .4-89.2-2.2-89.2-2.2s-141.4-7.1-156.8-8.5c-9.8-.6-22.5-2.1-39 1.5-8.7 1.8-33.5 7.4-53.8 26.9C-4.9 212.4 6.6 276.2 8 285.8c1.7 11.7 6.9 44.2 31.7 72.5 45.8 56.1 144.4 54.8 144.4 54.8s12.1 28.9 30.6 55.5c25 33.1 50.7 58.9 75.7 62 63 0 188.9-.1 188.9-.1s12 .1 28.3-10.3c14-8.5 26.5-23.4 26.5-23.4S547 483 565 451.5c5.5-9.7 10.1-19.1 14.1-28 0 0 55.2-117.1 55.2-231.1-1.1-34.5-9.6-40.6-11.6-42.6M125.6 353.9c-25.9-8.5-36.9-18.7-36.9-18.7S69.6 321.8 60 295.4c-16.5-44.2-1.4-71.2-1.4-71.2s8.4-22.5 38.5-30c13.8-3.7 31-3.1 31-3.1s7.1 59.4 15.7 94.2c7.2 29.2 24.8 77.7 24.8 77.7s-26.1-3.1-43-9.1m300.3 107.6s-6.1 14.5-19.6 15.4c-5.8.4-10.3-1.2-10.3-1.2s-.3-.1-5.3-2.1l-112.9-55s-10.9-5.7-12.8-15.6c-2.2-8.1 2.7-18.1 2.7-18.1L322 273s4.8-9.7 12.2-13c.6-.3 2.3-1 4.5-1.5 8.1-2.1 18 2.8 18 2.8L467.4 315s12.6 5.7 15.3 16.2c1.9 7.4-.5 14-1.8 17.2-6.3 15.4-55 113.1-55 113.1" style="fill:#609926"/><path d="M326.8 380.1c-8.2.1-15.4 5.8-17.3 13.8s2 16.3 9.1 20c7.7 4 17.5 1.8 22.7-5.4 5.1-7.1 4.3-16.9-1.8-23.1l24-49.1c1.5.1 3.7.2 6.2-.5 4.1-.9 7.1-3.6 7.1-3.6 4.2 1.8 8.6 3.8 13.2 6.1 4.8 2.4 9.3 4.9 13.4 7.3.9.5 1.8 1.1 2.8 1.9 1.6 1.3 3.4 3.1 4.7 5.5 1.9 5.5-1.9 14.9-1.9 14.9-2.3 7.6-18.4 40.6-18.4 40.6-8.1-.2-15.3 5-17.7 12.5-2.6 8.1 1.1 17.3 8.9 21.3s17.4 1.7 22.5-5.3c5-6.8 4.6-16.3-1.1-22.6 1.9-3.7 3.7-7.4 5.6-11.3 5-10.4 13.5-30.4 13.5-30.4.9-1.7 5.7-10.3 2.7-21.3-2.5-11.4-12.6-16.7-12.6-16.7-12.2-7.9-29.2-15.2-29.2-15.2s0-4.1-1.1-7.1c-1.1-3.1-2.8-5.1-3.9-6.3 4.7-9.7 9.4-19.3 14.1-29-4.1-2-8.1-4-12.2-6.1-4.8 9.8-9.7 19.7-14.5 29.5-6.7-.1-12.9 3.5-16.1 9.4-3.4 6.3-2.7 14.1 1.9 19.8z" style="fill:#609926"/></svg>

docs/assets/immich.svg

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 28.3.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Flower" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 792 792" style="enable-background:new 0 0 792 792;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#FA2921;}
+	.st1{fill:#ED79B5;}
+	.st2{fill:#FFB400;}
+	.st3{fill:#1E83F7;}
+	.st4{fill:#18C249;}
+</style>
+<g id="Flower_00000077325900055813483940000000694823054982625702_">
+	<path class="st0" d="M375.48,267.63c38.64,34.21,69.78,70.87,89.82,105.42c34.42-61.56,57.42-134.71,57.71-181.3
+		c0-0.33,0-0.63,0-0.91c0-68.94-68.77-95.77-128.01-95.77s-128.01,26.83-128.01,95.77c0,0.94,0,2.2,0,3.72
+		C300.01,209.24,339.15,235.47,375.48,267.63z"/>
+	<path class="st1" d="M164.7,455.63c24.15-26.87,61.2-55.99,103.01-80.61c44.48-26.18,88.97-44.47,128.02-52.84
+		c-47.91-51.76-110.37-96.24-154.6-110.91c-0.31-0.1-0.6-0.19-0.86-0.28c-65.57-21.3-112.34,35.81-130.64,92.15
+		c-18.3,56.34-14.04,130.04,51.53,151.34C162.05,454.77,163.25,455.16,164.7,455.63z"/>
+	<path class="st2" d="M681.07,302.19c-18.3-56.34-65.07-113.45-130.64-92.15c-0.9,0.29-2.1,0.68-3.54,1.15
+		c-3.75,35.93-16.6,81.27-35.96,125.76c-20.59,47.32-45.84,88.27-72.51,118c69.18,13.72,145.86,12.98,190.26-1.14
+		c0.31-0.1,0.6-0.2,0.86-0.28C695.11,432.22,699.37,358.52,681.07,302.19z"/>
+	<path class="st3" d="M336.54,510.71c-11.15-50.39-14.8-98.36-10.7-138.08c-64.03,29.57-125.63,75.23-153.26,112.76
+		c-0.19,0.26-0.37,0.51-0.53,0.73c-40.52,55.78-0.66,117.91,47.27,152.72c47.92,34.82,119.33,53.54,159.86-2.24
+		c0.56-0.76,1.3-1.78,2.19-3.01C363.28,602.32,347.02,558.08,336.54,510.71z"/>
+	<path class="st4" d="M617.57,482.52c-35.33,7.54-82.42,9.33-130.72,4.66c-51.37-4.96-98.11-16.32-134.63-32.5
+		c8.33,70.03,32.73,142.73,59.88,180.6c0.19,0.26,0.37,0.51,0.53,0.73c40.52,55.78,111.93,37.06,159.86,2.24
+		c47.92-34.82,87.79-96.95,47.27-152.72C619.2,484.77,618.46,483.75,617.57,482.52z"/>
+</g>
+</svg>

docs/assets/llama-cpp.svg

@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   id="Layer_1"
+   version="1.1"
+   viewBox="0 0 250 250"
+   sodipodi:docname="llama-icon.svg"
+   width="250"
+   height="250"
+   inkscape:version="1.4.2 (ebf0e940d0, 2025-05-08)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview7"
+     pagecolor="#505050"
+     bordercolor="#ffffff"
+     borderopacity="1"
+     inkscape:showpageshadow="0"
+     inkscape:pageopacity="0"
+     inkscape:pagecheckerboard="1"
+     inkscape:deskcolor="#505050"
+     inkscape:zoom="2.48"
+     inkscape:cx="146.57258"
+     inkscape:cy="189.91936"
+     inkscape:window-width="3440"
+     inkscape:window-height="1440"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="g7" />
+  <!-- Generator: Adobe Illustrator 29.3.1, SVG Export Plug-In . SVG Version: 2.1.0 Build 151)  -->
+  <defs
+     id="defs1">
+    <style
+       id="style1">
+      .st0 {
+        fill: #ff8236;
+      }
+
+      .st1 {
+        fill: #fff;
+      }
+
+      .st2 {
+        fill: #1b1f20;
+      }
+    </style>
+  </defs>
+  <rect
+     class="st2"
+     width="250"
+     height="250"
+     rx="8.6857386"
+     ry="8.7008333"
+     id="rect1"
+     x="0"
+     y="0"
+     style="stroke-width:0.266071" />
+  <g
+     id="g7">
+    <g
+       id="g6"
+       transform="translate(-995.51066,-129.70875)">
+      <path
+         class="st0"
+         d="m 1163.3,226.8 -13.5,24 c -17.8,-13.7 -44.2,-15.7 -62,-1 -28.7,23.7 -26.7,78.5 18,78.8 12.5,0 23.1,-5.9 34.5,-9.8 l 6,23.9 c -10.1,4.7 -20.4,9.5 -31.5,11 -101.2,13.8 -95.4,-132.3 -3.9,-139.9 19.2,-1.6 36.1,3.4 52.5,13 z"
+         id="path4" />
+      <path
+         class="st0"
+         d="m 1093.4,203.8 c -15.4,4.6 -29.7,13.1 -40.5,25 -2,-24.2 3.4,-73.1 30.3,-82.7 4,-1.4 17.7,-4.9 17.3,2.2 -0.4,7.1 -9.9,19.3 -12.2,25.9 -4,11.6 -0.3,19.6 5.2,29.7 z"
+         id="path5" />
+      <polygon
+         class="st0"
+         points="1131.4,307.8 1116.4,307.8 1116.4,290.8 1099.4,290.8 1099.4,276.8 1114.9,276.8 1116.4,275.3 1116.4,258.8 1131.4,258.8 1131.4,276.8 1147.4,276.8 1147.4,290.8 1131.4,290.8 "
+         id="polygon5" />
+      <polygon
+         class="st0"
+         points="1186.4,290.8 1186.4,307.8 1171.4,307.8 1171.4,290.8 1155.4,290.8 1155.4,276.8 1171.4,276.8 1171.4,258.8 1186.4,258.8 1186.4,275.3 1187.9,276.8 1203.4,276.8 1203.4,290.8 "
+         id="polygon6" />
+      <path
+         class="st0"
+         d="m 1142.3,156.9 c 2,3 -9.3,15.9 -11.1,19.2 -5.2,9.8 -1.7,15.4 2.2,24.7 -11.3,-1.7 -21.8,-0.3 -33,1 2.5,-21.5 14.6,-52.8 41.9,-44.9 z"
+         id="path6" />
+    </g>
+  </g>
+</svg>

docs/assets/nginx.svg

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8"?><!-- Uploaded to: SVG Repo, www.svgrepo.com, Generator: SVG Repo Mixer Tools -->
+<svg width="800px" height="800px" viewBox="0 0 32 32" xmlns="http://www.w3.org/2000/svg"><title>file_type_nginx</title><path d="M15.948,2h.065a10.418,10.418,0,0,1,.972.528Q22.414,5.65,27.843,8.774a.792.792,0,0,1,.414.788c-.008,4.389,0,8.777-.005,13.164a.813.813,0,0,1-.356.507q-5.773,3.324-11.547,6.644a.587.587,0,0,1-.657.037Q9.912,26.6,4.143,23.274a.7.7,0,0,1-.4-.666q0-6.582,0-13.163a.693.693,0,0,1,.387-.67Q9.552,5.657,14.974,2.535c.322-.184.638-.379.974-.535" style="fill:#019639"/><path d="M8.767,10.538q0,5.429,0,10.859a1.509,1.509,0,0,0,.427,1.087,1.647,1.647,0,0,0,2.06.206,1.564,1.564,0,0,0,.685-1.293c0-2.62-.005-5.24,0-7.86q3.583,4.29,7.181,8.568a2.833,2.833,0,0,0,2.6.782,1.561,1.561,0,0,0,1.251-1.371q.008-5.541,0-11.081a1.582,1.582,0,0,0-3.152,0c0,2.662-.016,5.321,0,7.982-2.346-2.766-4.663-5.556-7-8.332A2.817,2.817,0,0,0,10.17,9.033,1.579,1.579,0,0,0,8.767,10.538Z" style="fill:#fff"/></svg>

docs/assets/renovate.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 256 256" width="24" height="24"  style="opacity:1;"><circle cx="128" cy="128" r="128" fill="#497C9B"/><path fill="#E8FEFF" d="m178.208 70.861l14.61 14.609c4.87 4.869 4.87 11.826 0 16.695l-38.957 39.653a3.477 3.477 0 0 0-.233 4.606l7.984 9.05l1.105-1.104c4.174-4.174 11.131-4.174 15.305 0l32.695 32c4.174 4.87 4.174 11.826 0 16l-5.565 5.565c-2.087 2.087-4.869 2.782-7.652 2.782s-5.565-.695-7.652-2.782l-32.696-32.696c-3.667-3.667-4.112-9.482-1.335-13.67l-8.217-9.317c-4.599-4.615-4.599-12.08 0-16.695L186.556 96.6c1.392-1.391 1.392-4.174 0-4.869l-13.913-14.609a3.477 3.477 0 0 0-4.869 0l-6.26-6.261c4.614-4.599 12.08-4.599 16.694 0m-7.261 86.992l-.577-.005c-.696 0-2.087 0-2.783 1.391l-5.565 4.87c-1.392 2.087-1.392 4.87 0 6.261l32.695 32.695a4.173 4.173 0 0 0 6.261 0l4.87-5.565c2.087-1.39 2.087-4.174 0-6.26l-32-32c-1.185-1.186-1.866-1.361-2.901-1.387"/><path fill="#77B3B2" d="m156.566 72.446l8.999 8.945c2.783 2.783 2.783 7.653 0 11.131l-70.261 70.261c-2.782 2.782-7.652 2.782-10.434 0l-9.695-9.641c-2.783-2.783-2.783-7.652 0-10.435l70.26-70.261c3.479-3.478 8.349-3.478 11.13 0m-49.283-18.901l12.521-12.522l12.522 12.522l-12.522 12.522zm-62.609 61.913l12.522-12.522l12.521 12.522l-12.521 12.522zm24.348-25.043l12.521-12.522l12.522 12.522l-12.522 12.521z"/><path fill="#73A9AE" d="m94.064 90.415l12.522-12.522l12.522 12.522l-12.522 12.521zm-24.348 25.043l12.522-12.522l12.522 12.522l-12.522 12.522z"/><path fill="#F0F9FE" d="m81.542 102.936l12.522-12.521l12.522 12.521l-12.522 12.522zm37.566-37.565l12.521-12.522l12.522 12.522l-12.522 12.522zM57.195 127.98l12.521-12.522l12.522 12.522l-12.522 12.522z"/><path fill="#77B3B2" d="m94.064 65.371l12.522-12.522l12.522 12.522l-12.522 12.522zM56.499 77.893l12.522-11.826l12.521 11.826l-12.521 12.522zm38.261-36.87l12.522-12.522l12.521 12.522l-12.521 12.522zM19.629 90.415l12.522-12.522l12.522 12.522l-12.522 12.521zm37.566-36.87l12.521-12.522l12.522 12.522l-12.522 12.522z"/></svg>

docs/assets/teamspeak.svg

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Generator: Adobe Illustrator 22.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg width="127" height="124" viewBox="0 0 124.0234375 122" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="Layer_1" x="0px" y="0px" style="enable-background:new 0 0 500 122;" xml:space="preserve">
+<style xmlns="http://www.w3.org/2000/svg" type="text/css">
+	.st0{fill:#1C80BE;}
+</style>
+<g xmlns="http://www.w3.org/2000/svg">
+	<g>
+		<path class="st0" d="M186.4,50.6c-1.2,0-2.1,1-2.1,2.1v22.6c0,5.3,1.6,6.6,6.8,6.6c1,0,2.1,0.8,2.1,2.1v3.5c0,1-0.8,2.1-1.9,2.1    c-1.4,0.2-2.7,0.2-4.1,0.2c-4.3,0-7.4-1-9.5-3.5c-1.6-2.1-2.1-4.3-2.1-10.3v-23c0-1.2-1-2.1-2.1-2.1h-2.5c-1.2,0-2.1-1-2.1-2.1    v-3.5c0-1.2,1-2.1,2.1-2.1h2.5c1.2,0,2.1-1,2.1-2.1v-8.8c0-1,1-2.1,2.1-2.1h4.3c1.2,0,2.1,1,2.1,2.1v8.4c0,1.2,1,2.1,2.1,2.1h3.7    c1,0,2.1,1,2.1,2.1v3.5c0,1.2-1,2.1-2.1,2.1L186.4,50.6L186.4,50.6z"/>
+		<path class="st0" d="M208,67.6c-1.2,0-2.1,1-2.1,2.1v2.1c0,8.2,1.4,10.7,6,10.7c2.7,0,4.5-1.4,5.3-4.1c0.2-0.6,0.4-1.2,0.4-2.9    c0-1.2,1-2.1,2.1-2.1h3.9c1.6,0,2.7,1,2.7,2.3c0,4.9-0.6,6.8-2.1,8.8c-2.3,3.9-6.6,6-12.3,6c-11.7,0-14.6-7.2-14.6-17.5V59    c0-7.4,0.8-10.5,3.7-13.4c2.5-2.5,6.2-3.7,10.5-3.7c4.7,0,8.4,1.4,10.9,4.3c2.7,3.1,3.5,6.4,3.5,13.8v5.6c0,1.2-1,2.1-2.1,2.1H208    z M217.2,57.3c0-5.6-1.6-7.8-5.8-7.8s-5.8,2.3-5.8,7.8v2.5h11.5C217.2,59.8,217.2,57.3,217.2,57.3z"/>
+		<path class="st0" d="M251.6,86.6c-0.4,0-1,0-1.2,0.4c-2.7,2.3-4.7,3.1-7.4,3.1c-6,0-9.5-4.7-9.5-12.3c0-6,2.3-9.7,8-13.2    c2.1-1.2,4.1-2.3,10.5-5.1c0.8-0.4,1.2-1,1.2-2.1v-1c0-4.7-1.2-6.6-4.5-6.6c-2.9,0-4.3,1.4-4.9,4.7c0,1-1,1.9-2.1,1.9h-4.9    c-1.2,0-2.3-1.2-2.1-2.5c1.4-7.8,6.6-11.9,15.2-11.9c4.3,0,7.4,1,9.5,3.7c2.1,2.5,2.5,4.5,2.5,10.3v20.8c0,5.3,0,7.8,0.6,10.1    c0.2,1.2-0.8,2.5-2.1,2.5h-5.3c-0.6,0-1.2-0.4-1.4-1C253.5,87.2,252.4,86.6,251.6,86.6z M253.2,69.1c0-1.2-1-2.1-2.1-2.1    c-0.4,0-0.8,0-1,0.4c-5.3,3.3-7.4,6.2-7.4,9.9c0,3.1,1.9,5.3,4.3,5.3c2.3,0,4.3-1.2,6-3.7c0.2-0.4,0.4-0.8,0.4-1.2L253.2,69.1    L253.2,69.1z"/>
+		<path class="st0" d="M279.6,45.2c0,1,0.6,1.4,1.4,1.4c0.4,0,0.6-0.2,1-0.4c3.1-2.9,6-4.1,9.3-4.1c3.1,0,5.1,1.2,6.4,3.7    c0.4,0.8,1,1,1.9,1c0.6,0,1-0.2,1.4-0.6c3.1-3.1,6.2-4.3,9.5-4.3c5.3,0,7.6,3.5,7.6,10.9v34.4c0,1-1,2.1-2.1,2.1h-4.3    c-1.2,0-2.1-1-2.1-2.1V55.3c0-4.1-0.8-5.3-3.3-5.3c-2.3,0-7.2,2.9-7.2,5.3v32.1c0,1-1,2.1-2.1,2.1h-4.5c-1,0-2.1-1-2.1-2.1V55.3    c0-4.1-0.8-5.3-3.3-5.3c-2.3,0-4.7,1.4-6.8,4.1c-0.4,0.4-0.4,0.8-0.4,1.4v32.1c0,1-1,2.1-2.1,2.1h-4.5c-1,0-2.1-1-2.1-2.1V45    c0-1,1-2.1,2.1-2.1h5.1c0.8,0,1.4,0.6,1.4,1.4v0.8C280,45.2,279.6,45.2,279.6,45.2z"/>
+		<path class="st0" d="M347.3,55.7c-0.2,0-0.6,0.2-0.8,0.2c-0.8,0-1.6-0.4-2.1-1.2c-1.6-3.5-3.5-4.9-6.4-4.9c-2.7,0-4.5,1.6-4.5,4.1    c0,2.5,1.2,3.9,7.8,7.4c5.3,2.9,7.6,4.3,9.5,6.4c2.1,2.1,3.3,5.3,3.3,8.8c0,8.2-5.8,13.8-14.4,13.8c-7.4,0-12.1-3.5-15.2-11.1    c-0.4-1,0-2.5,1.2-2.9l4.1-1.4c0.2,0,0.4,0,0.6,0c0.8,0,1.6,0.4,2.1,1.2c1.9,4.3,3.9,6.2,7.2,6.2c2.9,0,4.9-2.1,4.9-4.7    c0-2.7-1.4-4.3-6.6-7.2c-6.4-3.5-8.2-4.7-10.3-7c-2.1-2.3-3.3-5.3-3.3-8.8c0-7.6,5.8-13,13.6-13c6.8,0,11.3,2.9,14.2,9.3    c0.4,1,0,2.5-1,2.9L347.3,55.7z"/>
+		<path class="st0" d="M370.1,45.6c0.2,0,0.6,0,0.8-0.2c2.9-2.3,5.3-3.3,8-3.3c9.5,0,9.5,11.7,9.5,18.3v11.3c0,6.6,0,18.3-9.5,18.3    c-2.3,0-4.5-0.8-7-2.5c-0.4-0.2-0.8-0.4-1-0.4c-1,0-2.1,1-2.1,2.1V103c0,1.2-1,2.1-2.1,2.1h-4.5c-1,0-2.1-1-2.1-2.1V45    c0-1.2,1-2.1,2.1-2.1h5.1c0.8,0,1.4,0.6,1.4,1.4C368.7,45,369.3,45.6,370.1,45.6z M368.7,78.9c0,0.6,0.2,1.2,1,1.6    c1.9,1.2,3.5,1.9,5.1,1.9c1.9,0,3.3-1,4.1-2.5c0.8-1.6,0.8-2.9,0.8-7.6V60c0-4.9,0-6.2-0.8-7.6c-0.6-1.4-2.3-2.5-4.1-2.5    c-1.6,0-3.3,0.6-5.1,1.9c-0.6,0.4-1,1-1,1.9V78.9z"/>
+		<path class="st0" d="M406.9,67.6c-1.2,0-2.1,1-2.1,2.1v2.1c0,8.2,1.4,10.7,6,10.7c2.7,0,4.5-1.4,5.3-4.1c0.2-0.6,0.4-1.2,0.4-2.9    c0-1.2,1-2.1,2.1-2.1h3.9c1.6,0,2.7,1,2.7,2.3c0,4.9-0.6,6.8-2.1,8.8c-2.3,3.9-6.6,6-12.3,6c-11.7,0-14.6-7.2-14.6-17.5V59    c0-7.4,0.8-10.5,3.7-13.4c2.5-2.5,6.2-3.7,10.5-3.7c4.7,0,8.4,1.4,10.9,4.3c2.7,3.1,3.5,6.4,3.5,13.8v5.6c0,1.2-1,2.1-2.1,2.1    H406.9z M416.2,57.3c0-5.6-1.6-7.8-5.8-7.8s-5.8,2.3-5.8,7.8v2.5h11.5V57.3z"/>
+		<path class="st0" d="M450.4,86.6c-0.4,0-1,0-1.2,0.4c-2.7,2.3-4.7,3.1-7.4,3.1c-6,0-9.5-4.7-9.5-12.3c0-6,2.3-9.7,8-13.2    c2.1-1.2,4.1-2.3,10.5-5.1c0.8-0.4,1.2-1,1.2-2.1v-1c0-4.7-1.2-6.6-4.5-6.6c-2.9,0-4.3,1.4-4.9,4.7c0,1-1,1.9-2.1,1.9h-4.9    c-1.2,0-2.3-1.2-2.1-2.5c1.4-7.8,6.6-11.9,15.2-11.9c4.3,0,7.4,1,9.5,3.7c2.1,2.5,2.5,4.5,2.5,10.3v20.8c0,5.3,0,7.8,0.6,10.1    c0.2,1.2-0.8,2.5-2.1,2.5h-5.3c-0.6,0-1.2-0.4-1.4-1C452.4,87.2,451.4,86.6,450.4,86.6z M452.2,69.1c0-1.2-1-2.1-2.1-2.1    c-0.4,0-0.8,0-1,0.4c-5.3,3.3-7.4,6.2-7.4,9.9c0,3.1,1.9,5.3,4.3,5.3c2.3,0,4.3-1.2,6-3.7c0.2-0.4,0.4-0.8,0.4-1.2L452.2,69.1    L452.2,69.1z"/>
+		<path class="st0" d="M488.4,44c0.4-0.6,1-1,1.9-1h4.9c1.6,0,2.7,1.9,1.9,3.3l-7,11.1c-0.4,0.6-0.4,1.2-0.2,1.9l9.1,27.8    c0.4,1.4-0.6,2.9-2.1,2.9h-5.3c-1,0-1.9-0.6-2.1-1.4l-4.7-15.8c-0.2-1-1.2-1.4-2.1-1.4c-0.6,0-1.4,0.2-1.9,1l-2.1,3.3    c-0.2,0.4-0.4,0.8-0.4,1v11.1c0,1.2-1,2.1-2.1,2.1h-4.5c-1.2,0-2.1-1-2.1-2.1V29c0-1.2,1-2.1,2.1-2.1h4.5c1,0,2.1,1,2.1,2.1v24.5    c0,1.2,1,2.1,2.1,2.1c0.8,0,1.4-0.4,1.9-1L488.4,44z"/>
+	</g>
+	<path class="st0" d="M1.2,65c0.2-1.9-0.2-4.1,0.2-6.4c0.6-3.7,2.7-6.6,6-8.2c0.8-0.4,1.2-0.8,1.4-1.9c1.4-8,4.7-15.4,9.5-22   c0.6-0.8,1-1.2,0.2-2.3c-0.8-1.2-0.2-2.5,0.6-3.5c6.8-7.6,14.8-13.2,24.3-16.3c22.8-7.2,42.8-2.3,60.1,14.6   c1.6,1.6,3.7,3.1,1.6,5.8c-0.4,0.4,0.2,0.8,0.6,1.2c4.9,6.8,8.2,14.4,9.7,22.6c0.2,0.8,0.8,1.2,1.4,1.6c4.1,2.1,6.2,5.6,6.2,10.3   c0,4.1,0.4,8.2-0.2,12.3c-1,6-7,10.1-12.8,8.8c-1.6-0.4-2.3-1.6-2.3-3.3c0-6.8,0.2-13.6,0-20.4c-0.6-18.3-8.6-32.1-24.5-40.9   C57,2.6,23,18.9,17.3,48.7c-1,5.1-0.8,10.5-0.8,15.6c0,4.9,0,9.7-0.2,14.6c0,1.6-1,2.7-2.9,2.7C5.9,82,1,77.3,1,69.7   C1.2,68.5,1.2,67,1.2,65"/>
+	<path class="st0" d="M53.1,89c2.7-1,4.7-2.9,5.3-6s-2.9-7.4-7.6-11.9c-4.9-4.7-11.3-9.7-14.8-11.5c-5.1-3.1-9.9-0.4-10.9,5.6   c-1.2,6.6,0,12.8,3.5,18.3c2.5,3.9,6,5.6,10.3,6C41.3,89.4,51,89.9,53.1,89"/>
+	<path class="st0" d="M75.1,90.9c3.1,0.4,6,1,9.1,1.2c4.1,0.2,7.2-1,9.5-3.5c2.9-3.1,4.3-7,4.1-11.1c-0.2-4.3-3.7-6.8-8.4-6   c-4.3,0.6-8,2.5-11.9,3.9c-3.5,1.4-6.6,3.1-9.1,5.3c-3.5,3.3-1.6,7.8,3.9,9.5C73,90.5,74,90.7,75.1,90.9"/>
+	<path class="st0" d="M107.8,87.2c-0.6-0.6-1.6-0.2-2.1,0.6c-1.9,6-10.7,26.1-40.7,28.2c-35.4,2.5,18.9,10.1,34.4-1.4   c5.3-4.1,11.3-8.2,11.1-20C110.5,92.3,109.4,88.4,107.8,87.2"/>
+</g>
+</svg>

flake.nix

@@ -1,59 +0,0 @@
-{
-    inputs = {
-        nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-
-        # Only to ease updating flake.lock, flake-compat is used by shell.nix
-        flake-compat.url = https://flakehub.com/f/edolstra/flake-compat/1.1.0.tar.gz;
-
-        # Allows us to install krew plugins
-        krew2nix.url = "github:a1994sc/krew2nix";
-        krew2nix.inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    outputs = { self, nixpkgs, krew2nix, ... }: let 
-        system = "x86_64-linux";
-    in {
-        devShells."${system}".default =
-        let
-            pkgs = import nixpkgs {
-                overlays = [ krew2nix.overlay ];
-                inherit system;
-            };
-        in
-            pkgs.mkShell {
-                packages = with pkgs; [
-                    (python313.withPackages (python-pkgs: with python-pkgs; [
-                        hvac
-                    ]))
-                    vim gnumake
-                    talosctl cilium-cli
-                    kubectx k9s kubernetes-helm
-                    (kubectl.withKrewPlugins (plugins: with plugins; [
-                        mayastor
-                        openebs
-                    ]))
-                    ansible
-                    fluxcd
-                    restic
-                    openbao
-                ];
-                
-                shellHook = ''
-                # Get completions working
-                source ${pkgs.bash-completion}/share/bash-completion/bash_completion
-
-                export TALOSCONFIG=$(pwd)/talos/generated/talosconfig
-                export EDITOR=vim
-
-                export RESTIC_REPOSITORY=s3:https://s3.eu-central-003.backblazeb2.com/lumpiasty-backups
-                # export AWS_ACCESS_KEY_ID=?
-                # export AWS_SECRET_ACCESS_KEY=?
-                # export RESTIC_PASSWORD=?
-                export VAULT_ADDR=https://openbao.lumpiasty.xyz:8200
-
-                # Add scripts from utils subdir
-                export PATH="$PATH:$(pwd)/utils"
-                '';
-            };
-    };
-}

infra/configs/bgp-cluster-config.yaml

@@ -9,7 +9,7 @@ spec:
       peers:
         - name: barracuda
           peerASN: 65000
-          peerAddress: 2001:470:61a3:100:ffff:ffff:ffff:ffff
+          peerAddress: 2001:470:61a3:100::1
           peerConfigRef:
             name: cilium-peer
 ---

infra/configs/lvmpv-hdd-sc.yaml

@@ -0,0 +1,12 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: hdd-lvmpv
+parameters:
+  storage: "lvm"
+  volgroup: "openebs-hdd"
+  fsType: "btrfs"
+  shared: "yes"
+provisioner: local.csi.openebs.io
+allowVolumeExpansion: true
+volumeBindingMode: Immediate

infra/configs/lvmpv-ssd-sc.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: ssd-lvmpv
+parameters:
+  storage: "lvm"
+  volgroup: "openebs-ssd"
+  fsType: "btrfs"
+  shared: "yes"
+provisioner: local.csi.openebs.io
+allowVolumeExpansion: true
+volumeBindingMode: Immediate

infra/configs/mayastor-snapshotclass.yaml

@@ -1,8 +0,0 @@
-kind: VolumeSnapshotClass
-apiVersion: snapshot.storage.k8s.io/v1
-metadata:
-  name: csi-mayastor-snapshotclass
-  annotations:
-    snapshot.storage.kubernetes.io/is-default-class: "true"
-driver: io.openebs.csi-mayastor
-deletionPolicy: Delete

infra/configs/openbao-volume.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+  labels:
+    kubernetes.io/nodename: anapistula-delrosalae
+  name: openbao-volume-lvmhdd
+  namespace: openebs
+spec:
+  capacity: 1Gi
+  ownerNodeID: anapistula-delrosalae
+  shared: "yes"
+  thinProvision: "no"
+  vgPattern: ^openebs-hdd$
+  volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: openbao-volume-lvmhdd
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: hdd-lvmpv
+  volumeMode: Filesystem
+  csi:
+    driver: local.csi.openebs.io
+    fsType: btrfs
+    volumeHandle: openbao-volume-lvmhdd
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: openbao-volume-lvmhdd
+  namespace: openbao
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: hdd-lvmpv
+  volumeName: openbao-volume-lvmhdd

infra/configs/ovh-cert-manager-secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ovh-credentials
+  namespace: cert-manager
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: cert-manager
+    serviceAccount: ovh-credentials
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: webhook-ovh-credentials
+  namespace: cert-manager
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: ovh-cert-manager
+
+  destination:
+    create: true
+    name: ovh-credentials
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: cert-manager

infra/configs/single-hdd-sc.yaml

@@ -1,18 +0,0 @@
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: mayastor-single-hdd
-parameters:
-  protocol: nvmf
-  # Single replica
-  repl: "1"
-  # Thin provision volumes
-  thin: "true"
-  # Allow expansion of volumes
-  allowVolumeExpansion: "true"
-  # Generate new filesystem's uuid when cloning
-  cloneFsIdAsVolumeId: "true"
-  # Schedule this sconly on hdd
-  poolAffinityTopologyLabel: |
-    type: hdd
-provisioner: io.openebs.csi-mayastor

infra/controllers/cert-manager-webhook-ovh.yaml

@@ -18,14 +18,13 @@ spec:
   chart:
     spec:
       chart: cert-manager-webhook-ovh
-      version: 0.7.3
+      version: 0.9.2
       sourceRef:
         kind: HelmRepository
         name: cert-manager-webhook-ovh
         namespace: cert-manager
       interval: 12h
   values:
-    configVersion: 0.0.1
     groupName: lumpiasty-homelab
     certManager:
       namespace: cert-manager
@@ -38,6 +37,7 @@ spec:
         acmeServerUrl: https://acme-v02.api.letsencrypt.org/directory
         email: arek.dzski@gmail.com
         ovhEndpointName: ovh-eu
+        ovhAuthenticationMethod: application
         ovhAuthenticationRef:
           applicationKeyRef:
             name: ovh-credentials
@@ -45,6 +45,14 @@ spec:
           applicationSecretRef:
             name: ovh-credentials
             key: applicationSecret
-          consumerKeyRef:
+          applicationConsumerKeyRef:
             name: ovh-credentials
             key: consumerKey
+        # Workaround for chart's bug
+        # nil pointer evaluating interface {}.enabled
+        externalAccountBinding:
+          enabled: false
+          keyID: ""
+          keySecretRef: 
+            name: ""
+            key: ""