Update renovate/renovate Docker tag to v43.4.3

Merge pull request 'Update redis Docker tag to v24.1.3' (#120 ) from renovate/redis-24.x into fresh-start
Reviewed-on: #120
2026-02-09 00:00:40 +00:00 · 2026-02-06 00:16:26 +00:00 · 2026-02-06 00:16:16 +00:00 · 2026-02-06 00:16:06 +00:00 · 2026-02-06 00:15:58 +00:00 · 2026-02-06 00:15:28 +00:00
116 changed files with 14892 additions and 11822 deletions
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 export DIRENV_WARN_TIMEOUT=20s
 eval "$(devenv direnvrc)"
 # `use devenv` supports the same options as the `devenv shell` command.
 #
 # To silence all output, use `--quiet`.
 #
 # Example usage: use devenv --quiet --impure --option services.postgres.enable:bool true
 use devenv
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,12 @@
 secrets.yaml
-talos/generated
+talos/generated
 # Devenv
 .devenv*
 devenv.local.nix
 devenv.local.yaml
 # direnv
 .direnv
 # pre-commit
 .pre-commit-config.yaml
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -1,3 +1,7 @@
 {
-  "recommendations": ["arrterian.nix-env-selector", "jnoortheen.nix-ide"]
+  "recommendations": [
    "jnoortheen.nix-ide",
    "detachhead.basedpyright",
    "mkhl.direnv"
  ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,12 +1,4 @@
 {
-  "nixEnvSelector.nixFile": "${workspaceFolder}/shell.nix",
+  "ansible.python.interpreterPath": "/bin/python",
-  "terminal.integrated.profiles.linux": {
+  "python.defaultInterpreterPath": "${env:PYTHON_BIN}"
    "Nix Shell": {
      "path": "nix",
      "args": ["develop"],
      "icon": "terminal-linux"
    }
  },
  "terminal.integrated.defaultProfile.linux": "Nix Shell",
  "ansible.python.interpreterPath": "/bin/python"
 }
--- a/12
+++ b/12
@@ -3,7 +3,17 @@ install-router:
 gen-talos-config:
 	mkdir -p talos/generated
-	talosctl gen config --with-secrets secrets.yaml --config-patch @talos/patches/controlplane.patch --config-patch @talos/patches/openebs.patch --config-patch @talos/patches/openbao.patch --config-patch @talos/patches/anapistula-delrosalae.patch --output-types controlplane -o talos/generated/anapistula-delrosalae.yaml homelab https://kube-api.homelab.lumpiasty.xyz:6443
+	talosctl gen config \
 		--with-secrets secrets.yaml \
 		--config-patch @talos/patches/controlplane.patch \
 		--config-patch @talos/patches/openebs.patch \
 		--config-patch @talos/patches/openbao.patch \
 		--config-patch @talos/patches/ollama.patch \
 		--config-patch @talos/patches/llama.patch \
 		--config-patch @talos/patches/frigate.patch \
 		--config-patch @talos/patches/anapistula-delrosalae.patch \
 		--output-types controlplane -o talos/generated/anapistula-delrosalae.yaml \
 		homelab https://kube-api.homelab.lumpiasty.xyz:6443
 	talosctl gen config --with-secrets secrets.yaml --config-patch @talos/patches/controlplane.patch --output-types worker -o talos/generated/worker.yaml homelab https://kube-api.homelab.lumpiasty.xyz:6443
 	talosctl gen config --with-secrets secrets.yaml --output-types talosconfig -o talos/generated/talosconfig homelab https://kube-api.homelab.lumpiasty.xyz:6443
 	talosctl config endpoint kube-api.homelab.lumpiasty.xyz
--- a/apps/frigate/config-pvc.yaml
+++ b/apps/frigate/config-pvc.yaml
@@ -0,0 +1,49 @@
 apiVersion: local.openebs.io/v1alpha1
 kind: LVMVolume
 metadata:
  labels:
    kubernetes.io/nodename: anapistula-delrosalae
  name: frigate-config
  namespace: openebs
 spec:
  capacity: 5Gi
  ownerNodeID: anapistula-delrosalae
  shared: "yes"
  thinProvision: "no"
  vgPattern: ^openebs-hdd$
  volGroup: openebs-hdd
 ---
 kind: PersistentVolume
 apiVersion: v1
 metadata:
  name: frigate-config
 spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: openebs-lvmpv
  volumeMode: Filesystem
  csi:
    driver: local.csi.openebs.io
    volumeHandle: frigate-config
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    namespace: frigate
    name: frigate-config
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: frigate-config
  namespace: frigate
 spec:
  storageClassName: openebs-lvmpv
  accessModes:
    - ReadWriteOnce
  resources:
   requests:
     storage: 5Gi
  volumeName: frigate-config
--- a/apps/frigate/kustomization.yaml
+++ b/apps/frigate/kustomization.yaml
@@ -0,0 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - secret.yaml
  - config-pvc.yaml
  - media-pvc.yaml
  - release.yaml
  - webrtc-svc.yaml
--- a/apps/frigate/media-pvc.yaml
+++ b/apps/frigate/media-pvc.yaml
@@ -0,0 +1,49 @@
 apiVersion: local.openebs.io/v1alpha1
 kind: LVMVolume
 metadata:
  labels:
    kubernetes.io/nodename: anapistula-delrosalae
  name: frigate-media
  namespace: openebs
 spec:
  capacity: 500Gi
  ownerNodeID: anapistula-delrosalae
  shared: "yes"
  thinProvision: "no"
  vgPattern: ^openebs-hdd$
  volGroup: openebs-hdd
 ---
 kind: PersistentVolume
 apiVersion: v1
 metadata:
  name: frigate-media
 spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: openebs-lvmpv
  volumeMode: Filesystem
  csi:
    driver: local.csi.openebs.io
    volumeHandle: frigate-media
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    namespace: frigate
    name: frigate-media
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: frigate-media
  namespace: frigate
 spec:
  storageClassName: openebs-lvmpv
  accessModes:
    - ReadWriteOnce
  resources:
   requests:
     storage: 500Gi
  volumeName: frigate-media
--- a/apps/frigate/namespace.yaml
+++ b/apps/frigate/namespace.yaml
@@ -0,0 +1,5 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: frigate
--- a/apps/frigate/release.yaml
+++ b/apps/frigate/release.yaml
@@ -0,0 +1,181 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: blakeblackshear
  namespace: frigate
 spec:
  interval: 24h
  url: https://blakeblackshear.github.io/blakeshome-charts/
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: frigate
  namespace: frigate
 spec:
  interval: 30m
  chart:
    spec:
      chart: frigate
      version: 7.8.0
      sourceRef:
        kind: HelmRepository
        name: blakeblackshear
        namespace: frigate
      interval: 12h
  values:
    config: |
      mqtt:
        enabled: False
      tls:
        enabled: False
      auth:
        enabled: True
        cookie_secure: True
      record:
        expire_interval: 1440 # 24h
        sync_recordings: True
        enabled: True
        retain:
          days: 90
          mode: motion
      objects:
        track:
          - person
          - bicycle
          - car
          - motorcycle
          - cat
          - dog
          - horse
          - sheep
          - cow
          - bear
      review:
        alerts:
          labels:
            - person
            - bicycle
            - car
            - motorcycle
            - cat
            - dog
            - horse
            - sheep
            - cow
            - bear
      cameras:
        dom:
          enabled: True
          ffmpeg:
            inputs:
              - path: rtsp://127.0.0.1:8554/dom
                roles:
                  - audio
                  - detect
                  - record
            output_args:
              record: preset-record-generic-audio-copy
          motion:
            mask:
              # Sasiad
              - 0.436,0,0.421,0.072,0.424,0.124,0.304,0.242,0.295,0.194,0.035,0.497,0.035,0.6,0,0.664,0,0
        garaz:
          enabled: True
          ffmpeg:
            inputs:
              - path: rtsp://127.0.0.1:8554/garaz
                roles:
                  - audio
                  - detect
                  - record
            output_args:
              record: preset-record-generic-audio-copy
          motion:
            mask:
              # Sasiad
              - 0.662,0.212,0.569,0.2,0.566,0.149,0.549,0.119,0.532,0.169,0.495,0.14,0.491,0,0.881,0,1,0.154,1,0.221,0.986,0.296,0.94,0.28,0.944,0.178,0.664,0.126
              # Drzewo
              - 0.087,0.032,0,0.174,0,0.508,0.139,0.226,0.12,0.108
          objects:
            filters:
              person:
                # Uparty false positive
                mask: 0.739,0.725,0.856,0.76,0.862,0.659,0.746,0.614
      # ffmpeg:
      #   hwaccel_args: preset-vaapi
      detectors:
        ov_0:
          type: openvino
          device: CPU
      model:
        width: 300
        height: 300
        input_tensor: nhwc
        input_pixel_format: bgr
        path: /openvino-model/ssdlite_mobilenet_v2.xml
        labelmap_path: /openvino-model/coco_91cl_bkgr.txt
      go2rtc:
        streams:
          dom:
            - rtsp://{FRIGATE_RTSP_DOM_USER}:{FRIGATE_RTSP_DOM_PASSWORD_URLENCODED}@192.168.3.10:554/Streaming/Channels/101
          garaz:
            - rtsp://{FRIGATE_RTSP_GARAZ_USER}:{FRIGATE_RTSP_GARAZ_PASSWORD_URLENCODED}@192.168.3.11:554/Streaming/Channels/101
        webrtc:
          candidates:
            - frigate-rtc.lumpiasty.xyz:8555
    persistence:
      media:
        enabled: true
        size: 500Gi
        storageClass: mayastor-single-hdd
        skipuninstall: true
      config:
        enabled: true
        size: 5Gi
        storageClass: mayastor-single-hdd
        skipuninstall: true
    envFromSecrets:
      - frigate-camera-rtsp
    ingress:
      enabled: true
      ingressClassName: nginx-ingress
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
      hosts:
        - host: frigate.lumpiasty.xyz
          paths:
            - path: /
              portName: http-auth
      tls:
        - hosts:
            - frigate.lumpiasty.xyz
          secretName: frigate-ingress
    nodeSelector:
      kubernetes.io/hostname: anapistula-delrosalae
    # GPU access
    # extraVolumes:
    #   - name: dri
    #     hostPath:
    #       path: /dev/dri/renderD128
    #       type: CharDevice
    # extraVolumeMounts:
    #   - name: dri
    #     mountPath: /dev/dri/renderD128
    # securityContext:
    #   # Not ideal
    #   privileged: true
--- a/apps/frigate/secret.yaml
+++ b/apps/frigate/secret.yaml
@@ -0,0 +1,43 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: camera
  namespace: frigate
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: camera
  namespace: frigate
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: frigate-camera
    serviceAccount: camera
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: frigate-camera-rtsp
  namespace: frigate
 spec:
  type: kv-v2
  mount: secret
  path: cameras
  destination:
    create: true
    name: frigate-camera-rtsp
    type: Opaque
    transformation:
      excludeRaw: true
      templates:
        FRIGATE_RTSP_DOM_PASSWORD_URLENCODED:
          text: '{{ urlquery (get .Secrets "FRIGATE_RTSP_DOM_PASSWORD") }}'
        FRIGATE_RTSP_GARAZ_PASSWORD_URLENCODED:
          text: '{{ urlquery (get .Secrets "FRIGATE_RTSP_GARAZ_PASSWORD") }}'
  vaultAuthRef: camera
--- a/apps/frigate/webrtc-svc.yaml
+++ b/apps/frigate/webrtc-svc.yaml
@@ -0,0 +1,20 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: go2rtc
  namespace: frigate
 spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/instance: frigate
    app.kubernetes.io/name: frigate
  ipFamilyPolicy: RequireDualStack
  ports:
    - name: webrtc-tcp
      protocol: TCP
      port: 8555
      targetPort: webrtc-tcp
    - name: webrtc-udp
      protocol: UDP
      port: 8555
      targetPort: webrtc-udp
--- a/apps/gitea/backups.yaml
+++ b/apps/gitea/backups.yaml
@@ -0,0 +1,33 @@
 apiVersion: k8up.io/v1
 kind: Schedule
 metadata:
  name: gitea-backup
  namespace: gitea
 spec:
  backend:
    # Manually adding secrets for now
    repoPasswordSecretRef:
      name: gitea-backup-restic
      key: password
    s3:
      endpoint: https://s3.eu-central-003.backblazeb2.com
      bucket: lumpiasty-backups
      accessKeyIDSecretRef:
        name: gitea-backup-backblaze
        key: aws_access_key_id
      secretAccessKeySecretRef:
        name: gitea-backup-backblaze
        key: aws_secret_access_key
  backup:
    schedule: "@daily-random"
    failedJobsHistoryLimit: 2
    successfulJobsHistoryLimit: 2
  check:
    schedule: "@daily-random"
  prune:
    schedule: "@daily-random"
    retention:
      keepLast: 14
      keepDaily: 14
      keepWeekly: 50
      keepYearly: 10
--- a/apps/gitea/kustomization.yaml
+++ b/apps/gitea/kustomization.yaml
@@ -0,0 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - postgres-volume.yaml
  - postgres-cluster.yaml
  - release.yaml
  - secret.yaml
  - backups.yaml
--- a/apps/gitea/namespace.yaml
+++ b/apps/gitea/namespace.yaml
@@ -0,0 +1,5 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: gitea
--- a/apps/gitea/postgres-cluster.yaml
+++ b/apps/gitea/postgres-cluster.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: gitea-postgresql-cluster
  namespace: gitea
 spec:
  instances: 1
  storage:
    size: 10Gi
    storageClass: mayastor-single-hdd
  backup:
    volumeSnapshot:
      className: csi-mayastor-snapshotclass
--- a/apps/gitea/postgres-volume.yaml
+++ b/apps/gitea/postgres-volume.yaml
@@ -0,0 +1,32 @@
 apiVersion: local.openebs.io/v1alpha1
 kind: LVMVolume
 metadata:
  labels:
    kubernetes.io/nodename: anapistula-delrosalae
  name: gitea-postgresql-cluster-lvmhdd-1
  namespace: openebs
 spec:
  capacity: 20Gi
  ownerNodeID: anapistula-delrosalae
  shared: "yes"
  thinProvision: "no"
  vgPattern: ^openebs-hdd$
  volGroup: openebs-hdd
 ---
 kind: PersistentVolume
 apiVersion: v1
 metadata:
  name: gitea-postgresql-cluster-lvmhdd-1
 spec:
  capacity:
    storage: 20Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: openebs-lvmpv
  volumeMode: Filesystem
  csi:
    driver: local.csi.openebs.io
    volumeHandle: gitea-postgresql-cluster-lvmhdd-1
 ---
 # PVCs are dynamically created by the Postgres operator
--- a/apps/gitea/release.yaml
+++ b/apps/gitea/release.yaml
@@ -1,9 +1,3 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: gitea
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
@@ -23,7 +17,7 @@ spec:
  chart:
    spec:
      chart: gitea
-      version: 10.6.0
+      version: 12.5.0
      sourceRef:
        kind: HelmRepository
        name: gitea-charts
@@ -34,7 +28,7 @@ spec:
      enabled: false
    postgresql:
-      enabled: true
+      enabled: false
      primary:
        persistence:
          enabled: true
@@ -43,12 +37,12 @@ spec:
          requests:
            cpu: 0
-    redis-cluster:
+    valkey-cluster:
      enabled: false
-    redis:
+    valkey:
      enabled: true
-      master:
+      primary:
        persistence:
          enabled: true
          storageClass: mayastor-single-hdd
@@ -60,13 +54,19 @@ spec:
      enabled: true
      storageClass: mayastor-single-hdd
    image:
      tag: 1.23.3
    gitea:
      additionalConfigFromEnvs:
        - name: GITEA__DATABASE__PASSWD
          valueFrom:
            secretKeyRef:
              name: gitea-postgresql-cluster-app
              key: password
      config:
        database:
          DB_TYPE: postgres
          HOST: gitea-postgresql-cluster-rw:5432
          NAME: app
          USER: app
        indexer:
          ISSUE_INDEXER_TYPE: bleve
          REPO_INDEXER_ENABLED: true
@@ -79,8 +79,8 @@ spec:
      ssh:
        annotations:
          lbipam.cilium.io/sharing-key: gitea
-          lbipam.cilium.io/sharing-cross-namespace: nginx-ingress-controller
+          lbipam.cilium.io/sharing-cross-namespace: nginx-ingress
-          lbipam.cilium.io/ips: 10.44.0.0,2001:470:61a3:400::1
+          lbipam.cilium.io/ips: 10.44.0.6,2001:470:61a3:400::6
        type: LoadBalancer
        port: 22
        # Requirement for sharing ip with other service
@@ -89,7 +89,7 @@ spec:
    ingress:
      enabled: true
-      className: nginx
+      className: nginx-ingress
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        acme.cert-manager.io/http01-edit-in-place: "true"
@@ -111,37 +111,3 @@ spec:
      resources:
        requests:
          cpu: 0
 ---
 apiVersion: k8up.io/v1
 kind: Schedule
 metadata:
  name: gitea-backup
  namespace: gitea
 spec:
  backend:
    # Manually adding secrets for now
    repoPasswordSecretRef:
      name: restic-repo
      key: password
    s3:
      endpoint: https://s3.eu-central-003.backblazeb2.com
      bucket: lumpiasty-backups
      accessKeyIDSecretRef:
        name: backblaze
        key: keyid
      secretAccessKeySecretRef:
        name: backblaze
        key: secret
  backup:
    schedule: "@daily-random"
    failedJobsHistoryLimit: 2
    successfulJobsHistoryLimit: 2
  check:
    schedule: "@daily-random"
  prune:
    schedule: "@daily-random"
    retention:
      keepLast: 14
      keepDaily: 14
      keepWeekly: 50
      keepYearly: 10
--- a/apps/gitea/secret.yaml
+++ b/apps/gitea/secret.yaml
@@ -0,0 +1,58 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: backup
  namespace: gitea
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: backup
  namespace: gitea
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: backup
    serviceAccount: backup
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: gitea-backup-restic
  namespace: gitea
 spec:
  type: kv-v2
  mount: secret
  path: restic
  destination:
    create: true
    name: gitea-backup-restic
    type: Opaque
    transformation:
      excludeRaw: true
  vaultAuthRef: backup
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: gitea-backup-backblaze
  namespace: gitea
 spec:
  type: kv-v2
  mount: secret
  path: backblaze
  destination:
    create: true
    name: gitea-backup-backblaze
    type: Opaque
    transformation:
      excludeRaw: true
  vaultAuthRef: backup
--- a/apps/immich/kustomization.yaml
+++ b/apps/immich/kustomization.yaml
@@ -0,0 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - volume.yaml
  - redis.yaml
  - postgres-password.yaml
  - postgres-cluster.yaml
  - release.yaml
--- a/apps/immich/namespace.yaml
+++ b/apps/immich/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: immich
--- a/apps/immich/postgres-cluster.yaml
+++ b/apps/immich/postgres-cluster.yaml
@@ -0,0 +1,32 @@
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: immich-db
  namespace: immich
 spec:
  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:14-0.4.3
  instances: 1
  storage:
    size: 10Gi
    storageClass: mayastor-single-hdd
  bootstrap:
    initdb:
      # Defaults of immich chart
      database: immich
      owner: immich
  # We need to create custom role because default one does not allow to set up
  # vectorchord extension
  managed:
    roles:
      - name: immich
        createdb: true
        login: true
        superuser: true
        # We need to manually create secret
        # https://github.com/cloudnative-pg/cloudnative-pg/issues/3788
        passwordSecret:
          name: immich-db-immich
--- a/apps/immich/postgres-password.yaml
+++ b/apps/immich/postgres-password.yaml
@@ -0,0 +1,38 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: immich-password
  namespace: immich
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: immich
  namespace: immich
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: immich
    serviceAccount: immich-password
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: immich-db
  namespace: immich
 spec:
  type: kv-v2
  mount: secret
  path: immich-db
  destination:
    create: true
    name: immich-db-immich
    type: kubernetes.io/basic-auth
    transformation:
      excludeRaw: true
  vaultAuthRef: immich
--- a/apps/immich/redis.yaml
+++ b/apps/immich/redis.yaml
@@ -0,0 +1,29 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: bitnami
  namespace: immich
 spec:
  interval: 24h
  type: "oci"
  url: oci://registry-1.docker.io/bitnamicharts/
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: redis
  namespace: immich
 spec:
  interval: 30m
  chart:
    spec:
      chart: redis
      version: 24.1.3
      sourceRef:
        kind: HelmRepository
        name: bitnami
  values:
    global:
      defaultStorageClass: mayastor-single-hdd
    architecture: standalone
--- a/apps/immich/release.yaml
+++ b/apps/immich/release.yaml
@@ -0,0 +1,69 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: secustor
  namespace: immich
 spec:
  interval: 24h
  url: https://secustor.dev/helm-charts
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: immich
  namespace: immich
 spec:
  interval: 30m
  chart:
    spec:
      chart: immich
      version: 1.0.12
      sourceRef:
        kind: HelmRepository
        name: secustor
  values:
    common:
      config:
        vecotrExtension: vectorchord
      postgres:
        host: immich-db-rw
        existingSecret:
          enabled: true
          secretName: immich-db-immich
          usernameKey: username
          passwordKey: password
      redis:
        host: redis-master
        existingSecret:
          enabled: true
          secretName: redis
          passwordKey: redis-password
    server:
      volumeMounts:
        - mountPath: /usr/src/app/upload
          name: uploads
      volumes:
        - name: uploads
          persistentVolumeClaim:
            claimName: library
    machineLearning:
      enabled: true
    ingress:
      enabled: true
      className: nginx-ingress
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        nginx.ingress.kubernetes.io/proxy-body-size: "0"
      hosts:
        - host: immich.lumpiasty.xyz
          paths:
            - path: /
              pathType: Prefix
      tls:
        - hosts:
            - immich.lumpiasty.xyz
          secretName: immich-ingress
--- a/apps/immich/volume.yaml
+++ b/apps/immich/volume.yaml
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: library
  namespace: immich
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 150Gi
  storageClassName: mayastor-single-hdd
--- a/apps/ispeak3/kustomization.yaml
+++ b/apps/ispeak3/kustomization.yaml
@@ -0,0 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - pvc.yaml
  - statefulset.yaml
  - service.yaml
--- a/apps/ispeak3/namespace.yaml
+++ b/apps/ispeak3/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: ispeak3
--- a/apps/ispeak3/pvc.yaml
+++ b/apps/ispeak3/pvc.yaml
@@ -0,0 +1,49 @@
 apiVersion: local.openebs.io/v1alpha1
 kind: LVMVolume
 metadata:
  labels:
    kubernetes.io/nodename: anapistula-delrosalae
  name: ispeak3-ts3-data
  namespace: openebs
 spec:
  capacity: 1Gi
  ownerNodeID: anapistula-delrosalae
  shared: "yes"
  thinProvision: "no"
  vgPattern: ^openebs-hdd$
  volGroup: openebs-hdd
 ---
 kind: PersistentVolume
 apiVersion: v1
 metadata:
  name: ispeak3-ts3-data
 spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  storageClassName: openebs-lvmpv
  volumeMode: Filesystem
  csi:
    driver: local.csi.openebs.io
    volumeHandle: ispeak3-ts3-data
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    namespace: ispeak3
    name: ispeak3-ts3-data
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: ispeak3-ts3-data
  namespace: ispeak3
 spec:
  storageClassName: openebs-lvmpv
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  volumeName: ispeak3-ts3-data
--- a/apps/ispeak3/service.yaml
+++ b/apps/ispeak3/service.yaml
@@ -0,0 +1,20 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: teamspeak3
  namespace: ispeak3
 spec:
  selector:
    app: teamspeak3
  ports:
  - name: voice
    protocol: UDP
    port: 9987
    targetPort: 9987
  - name: filetransfer
    protocol: TCP
    port: 30033
    targetPort: 30033
  type: LoadBalancer
  externalTrafficPolicy: Local
  ipFamilyPolicy: PreferDualStack
--- a/apps/ispeak3/statefulset.yaml
+++ b/apps/ispeak3/statefulset.yaml
@@ -0,0 +1,34 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: teamspeak3-server
  namespace: ispeak3
 spec:
  serviceName: "teamspeak3"
  replicas: 1
  selector:
    matchLabels:
      app: teamspeak3
  template:
    metadata:
      labels:
        app: teamspeak3
    spec:
      containers:
      - name: teamspeak3
        image: teamspeak:3.13.7
        ports:
        - containerPort: 9987
          name: voice
          protocol: UDP
        - containerPort: 10011
          name: query
        - containerPort: 30033
          name: filetransfer
        volumeMounts:
        - name: ts3-data
          mountPath: /var/ts3server/
      volumes:
      - name: ts3-data
        persistentVolumeClaim:
          claimName: ispeak3-ts3-data
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -1,5 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - gitea.yaml
+  - gitea
-  - renovate.yaml
+  - registry
  - renovate
  - librechat
  - frigate
  - llama
  - immich
  - nas
  - searxng
  - ispeak3
--- a/apps/librechat/kustomization.yaml
+++ b/apps/librechat/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - release.yaml
--- a/apps/librechat/namespace.yaml
+++ b/apps/librechat/namespace.yaml
@@ -0,0 +1,5 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: librechat
--- a/apps/librechat/release.yaml
+++ b/apps/librechat/release.yaml
@@ -0,0 +1,120 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: dynomite567-charts
  namespace: librechat
 spec:
  interval: 24h
  url: https://dynomite567.github.io/helm-charts/
 ---
 # apiVersion: helm.toolkit.fluxcd.io/v2
 # kind: HelmRelease
 # metadata:
 #   name: librechat
 #   namespace: librechat
 # spec:
 #   interval: 30m
 #   chart:
 #     spec:
 #       chart: librechat
 #       version: 1.9.1
 #       sourceRef:
 #         kind: HelmRepository
 #         name: dynomite567-charts
 #   values:
 #     global:
 #       librechat:
 #         existingSecretName: librechat
 #     librechat:
 #       configEnv:
 #         PLUGIN_MODELS: null
 #         ALLOW_REGISTRATION: "false"
 #         TRUST_PROXY: "1"
 #         DOMAIN_CLIENT: https://librechat.lumpiasty.xyz
 #         SEARCH: "true"
 #       existingSecretName: librechat
 #       configYamlContent: |
 #         version: 1.0.3
 #         endpoints:
 #           custom:
 #             - name: "Llama.cpp"
 #               apiKey: "llama"
 #               baseURL: "http://llama.llama.svc.cluster.local:11434/v1"
 #               models:
 #                 default: [
 #                   "DeepSeek-R1-0528-Qwen3-8B-GGUF",
 #                   "Qwen3-8B-GGUF",
 #                   "Qwen3-8B-GGUF-no-thinking",
 #                   "gemma3n-e4b",
 #                   "gemma3-12b",
 #                   "gemma3-12b-q2",
 #                   "gemma3-12b-novision",
 #                   "gemma3-4b",
 #                   "gemma3-4b-novision",
 #                   "Qwen3-4B-Thinking-2507",
 #                   "Qwen3-4B-Thinking-2507-long-ctx",
 #                   "Qwen2.5-VL-7B-Instruct-GGUF",
 #                   "Qwen2.5-VL-32B-Instruct-GGUF-IQ1_S",
 #                   "Qwen2.5-VL-32B-Instruct-GGUF-Q2_K_L",
 #                   "Qwen3-VL-2B-Instruct-GGUF",
 #                   "Qwen3-VL-2B-Instruct-GGUF-unslothish",
 #                   "Qwen3-VL-2B-Thinking-GGUF",
 #                   "Qwen3-VL-4B-Instruct-GGUF",
 #                   "Qwen3-VL-4B-Instruct-GGUF-unslothish",
 #                   "Qwen3-VL-4B-Thinking-GGUF",
 #                   "Qwen3-VL-8B-Instruct-GGUF",
 #                   "Qwen3-VL-8B-Instruct-GGUF-unslothish",
 #                   "Qwen3-VL-8B-Thinking-GGUF",
 #                   "Huihui-Qwen3-VL-8B-Instruct-abliterated-GGUF",
 #                   "Huihui-Qwen3-VL-8B-Thinking-abliterated-GGUF"
 #                 ]
 #               titleConvo: true
 #               titleModel: "gemma3-4b-novision"
 #               summarize: false
 #               summaryModel: "gemma3-4b-novision"
 #               forcePrompt: false
 #               modelDisplayLabel: "Llama.cpp"
 #               # ✨ IMPORTANT: let llama-swap/llama-server own all these
 #               dropParams:
 #                 - "temperature"
 #                 - "top_p"
 #                 - "top_k"
 #                 - "presence_penalty"
 #                 - "frequency_penalty"
 #                 - "stop"
 #                 - "max_tokens"
 #       imageVolume:
 #         enabled: true
 #         size: 10G
 #         accessModes: ReadWriteOnce
 #         storageClassName: mayastor-single-hdd
 #     ingress:
 #       enabled: true
 #       className: nginx-ingress
 #       annotations:
 #         cert-manager.io/cluster-issuer: letsencrypt
 #         nginx.ingress.kubernetes.io/proxy-body-size: "0"
 #         nginx.ingress.kubernetes.io/proxy-buffering: "false"
 #         nginx.ingress.kubernetes.io/proxy-read-timeout: 30m
 #       hosts:
 #         - host: librechat.lumpiasty.xyz
 #           paths:
 #             - path: /
 #               pathType: ImplementationSpecific
 #       tls:
 #         - hosts:
 #             - librechat.lumpiasty.xyz
 #           secretName: librechat-ingress
 #     mongodb:
 #       persistence:
 #         storageClass: mayastor-single-hdd
 #     meilisearch:
 #       persistence:
 #         storageClass: mayastor-single-hdd
 #       auth:
 #         existingMasterKeySecret: librechat
--- a/apps/llama/auth-proxy.yaml
+++ b/apps/llama/auth-proxy.yaml
@@ -0,0 +1,68 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: llama-proxy
  namespace: llama
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: llama-proxy
  template:
    metadata:
      labels:
        app.kubernetes.io/name: llama-proxy
    spec:
      containers:
        - name: caddy
          image: caddy:2.10.2-alpine
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - mountPath: /etc/caddy
              name: proxy-config
          env:
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  name: llama-api-key
                  key: API_KEY
      volumes:
        - name: proxy-config
          configMap:
            name: llama-proxy-config
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  namespace: llama
  name: llama-proxy-config
 data:
  Caddyfile: |
    http://llama.lumpiasty.xyz {
      @requireAuth {
        not header Authorization "Bearer {env.API_KEY}"
      }
      respond @requireAuth "Unauthorized" 401
      reverse_proxy llama:11434 {
        flush_interval -1
      }
    }
 ---
 apiVersion: v1
 kind: Service
 metadata:
  namespace: llama
  name: llama-proxy
 spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: llama-proxy
  ports:
    - name: http
      port: 80
      targetPort: 80
      protocol: TCP
--- a/apps/llama/configs/config.yaml
+++ b/apps/llama/configs/config.yaml
@@ -0,0 +1,468 @@
 healthCheckTimeout: 600
 models:
  "DeepSeek-R1-0528-Qwen3-8B-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/DeepSeek-R1-0528-Qwen3-8B-GGUF:Q4_K_M
        --n-gpu-layers 37
        --ctx-size 16384
        --no-warmup
        --port ${PORT}
  "Qwen3-8B-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3-8B-GGUF:Q4_K_M
        --n-gpu-layers 37
        --ctx-size 16384
        --no-warmup
        --port ${PORT}
  "Qwen3-8B-GGUF-no-thinking":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3-8B-GGUF:Q4_K_M
        --n-gpu-layers 37
        --ctx-size 16384
        --jinja
        --chat-template-file /config/qwen_nothink_chat_template.jinja
        --no-warmup
        --port ${PORT}
  "gemma3n-e4b":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3n-E4B-it-GGUF:UD-Q4_K_XL
        --ctx-size 16384
        --n-gpu-layers 99
        --seed 3407
        --prio 2
        --temp 1.0
        --repeat-penalty 1.0
        --min-p 0.00
        --top-k 64
        --top-p 0.95
        --no-warmup
        --port ${PORT}
  "gemma3-12b":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3-12b-it-GGUF:Q4_K_M
        --ctx-size 16384
        --n-gpu-layers 99
        --prio 2
        --temp 1.0
        --repeat-penalty 1.0
        --min-p 0.00
        --top-k 64
        --top-p 0.95
        --no-warmup
        --port ${PORT}
  "gemma3-12b-novision":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3-12b-it-GGUF:Q4_K_M
        --ctx-size 16384
        --n-gpu-layers 99
        --prio 2
        --temp 1.0
        --repeat-penalty 1.0
        --min-p 0.00
        --top-k 64
        --top-p 0.95
        --no-mmproj
        --no-warmup
        --port ${PORT}
  "gemma3-12b-q2":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3-12b-it-GGUF:Q2_K_L
        --ctx-size 16384
        --n-gpu-layers 99
        --prio 2
        --temp 1.0
        --repeat-penalty 1.0
        --min-p 0.00
        --top-k 64
        --top-p 0.95
        --no-warmup
        --port ${PORT}
  "gemma3-4b":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3-4b-it-GGUF:Q4_K_M
        --ctx-size 16384
        --n-gpu-layers 99
        --prio 2
        --temp 1.0
        --repeat-penalty 1.0
        --min-p 0.00
        --top-k 64
        --top-p 0.95
        --no-warmup
        --port ${PORT}
  "gemma3-4b-novision":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3-4b-it-GGUF:Q4_K_M
        --ctx-size 16384
        --n-gpu-layers 99
        --prio 2
        --temp 1.0
        --repeat-penalty 1.0
        --min-p 0.00
        --top-k 64
        --top-p 0.95
        --no-mmproj
        --no-warmup
        --port ${PORT}
  "Qwen3-4B-Thinking-2507":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3-4B-Thinking-2507-GGUF:Q4_K_M
        --n-gpu-layers 99
        --ctx-size 16384
        --predict 8192
        --temp 0.6
        --min-p 0.00
        --top-p 0.95
        --top-k 20
        --repeat-penalty 1.0
        --no-warmup
        --port ${PORT}
  "Qwen3-4B-Thinking-2507-long-ctx":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3-4B-Thinking-2507-GGUF:Q4_K_M
        --n-gpu-layers 99
        --ctx-size 262144
        --predict 81920
        --temp 0.6
        --min-p 0.00
        --top-p 0.95
        --top-k 20
        --repeat-penalty 1.0
        --no-warmup
        --flash-attn auto
        --cache-type-k q8_0
        --cache-type-v q8_0
        --port ${PORT}
  "Qwen3-4B-Instruct-2507":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3-4B-Instruct-2507-GGUF:Q4_K_M
        --n-gpu-layers 99
        --ctx-size 16384
        --predict 8192
        --temp 0.7
        --min-p 0.00
        --top-p 0.8
        --top-k 20
        --repeat-penalty 1.0
        --no-warmup
        --port ${PORT}
  "Qwen3-4B-Instruct-2507-long-ctx":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3-4B-Instruct-2507-GGUF:Q4_K_M
        --n-gpu-layers 99
        --ctx-size 262144
        --predict 81920
        --temp 0.7
        --min-p 0.00
        --top-p 0.8
        --top-k 20
        --repeat-penalty 1.0
        --no-warmup
        --flash-attn auto
        --cache-type-k q8_0
        --cache-type-v q8_0
        --port ${PORT}
  "Qwen2.5-VL-32B-Instruct-GGUF-IQ1_S":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen2.5-VL-32B-Instruct-GGUF:IQ1_S
        --n-gpu-layers 99
        --ctx-size 16384
        --predict 8192
        --temp 0.7
        --min-p 0.00
        --top-p 0.8
        --top-k 20
        --repeat-penalty 1.0
        --no-warmup
        --port ${PORT}
  "Qwen2.5-VL-32B-Instruct-GGUF-Q2_K_L":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen2.5-VL-32B-Instruct-GGUF:Q2_K_L
        --n-gpu-layers 99
        --ctx-size 16384
        --predict 8192
        --temp 0.7
        --min-p 0.00
        --top-p 0.8
        --top-k 20
        --repeat-penalty 1.0
        --no-warmup
        --port ${PORT}
  "Qwen2.5-VL-7B-Instruct-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen2.5-VL-7B-Instruct-GGUF:Q4_K_M
        --n-gpu-layers 37
        --ctx-size 16384
        --predict 8192
        --temp 0.7
        --min-p 0.00
        --top-p 0.8
        --top-k 20
        --repeat-penalty 1.0
        --no-warmup
        --port ${PORT}
  "Qwen3-VL-2B-Instruct-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf Qwen/Qwen3-VL-2B-Instruct-GGUF:Q8_0
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --temp 0.7
        --top-p 0.85
        --top-k 20
        --min-p 0.05
        --repeat-penalty 1.15
        --frequency-penalty 0.5
        --presence-penalty 0.4
        --no-warmup
        --port ${PORT}
  "Qwen3-VL-4B-Instruct-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf Qwen/Qwen3-VL-4B-Instruct-GGUF:Q8_0
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --temp 0.7
        --top-p 0.85
        --top-k 20
        --min-p 0.05
        --repeat-penalty 1.15
        --frequency-penalty 0.5
        --presence-penalty 0.4
        --no-warmup
        --port ${PORT}
  "Qwen3-VL-8B-Instruct-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf Qwen/Qwen3-VL-8B-Instruct-GGUF:Q4_K_M
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --temp 0.7
        --top-p 0.85
        --top-k 20
        --min-p 0.05
        --repeat-penalty 1.15
        --frequency-penalty 0.5
        --presence-penalty 0.4
        --no-warmup
        --port ${PORT}
  "Qwen3-VL-2B-Instruct-GGUF-unslothish":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf Qwen/Qwen3-VL-2B-Instruct-GGUF:Q8_0
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --temp 0.7
        --top-p 0.8
        --top-k 20
        --min-p 0.05
        --repeat-penalty 1.15
        --frequency-penalty 0.5
        --presence-penalty 0.6
        --no-warmup
        --port ${PORT}
  "Qwen3-VL-4B-Instruct-GGUF-unslothish":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf Qwen/Qwen3-VL-4B-Instruct-GGUF:Q8_0
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --temp 0.7
        --top-p 0.8
        --top-k 20
        --min-p 0.05
        --repeat-penalty 1.15
        --frequency-penalty 0.5
        --presence-penalty 0.6
        --no-warmup
        --port ${PORT}
  "Qwen3-VL-8B-Instruct-GGUF-unslothish":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf Qwen/Qwen3-VL-8B-Instruct-GGUF:Q4_K_M
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --temp 0.7
        --top-p 0.8
        --top-k 20
        --min-p 0.05
        --repeat-penalty 1.15
        --frequency-penalty 0.5
        --presence-penalty 0.6
        --no-warmup
        --port ${PORT}
  "Qwen3-VL-2B-Thinking-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf Qwen/Qwen3-VL-2B-Thinking-GGUF:Q8_0
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --top-p 0.95
        --top-k 20
        --temp 1.0
        --min-p 0.0
        --repeat-penalty 1.0
        --presence-penalty 0.0
        --no-warmup
        --port ${PORT}
  "Qwen3-VL-4B-Thinking-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf Qwen/Qwen3-VL-4B-Thinking-GGUF:Q4_K_M
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --top-p 0.95
        --top-k 20
        --temp 1.0
        --min-p 0.0
        --repeat-penalty 1.0
        --presence-penalty 0.0
        --no-warmup
        --port ${PORT}
  "Qwen3-VL-8B-Thinking-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf Qwen/Qwen3-VL-8B-Thinking-GGUF:Q4_K_M
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --top-p 0.95
        --top-k 20
        --temp 1.0
        --min-p 0.0
        --repeat-penalty 1.0
        --presence-penalty 0.0
        --no-warmup
        --port ${PORT}
  "Huihui-Qwen3-VL-8B-Instruct-abliterated-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf noctrex/Huihui-Qwen3-VL-8B-Instruct-abliterated-GGUF:Q6_K
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --temp 0.7
        --top-p 0.85
        --top-k 20
        --min-p 0.05
        --repeat-penalty 1.15
        --frequency-penalty 0.5
        --presence-penalty 0.4
        --no-warmup
        --port ${PORT}
  "Huihui-Qwen3-VL-8B-Thinking-abliterated-GGUF":
    ttl: 600
    cmd: |
      /app/llama-server
        -hf noctrex/Huihui-Qwen3-VL-8B-Thinking-abliterated-GGUF:Q6_K
        --n-gpu-layers 99
        --ctx-size 12288
        --predict 4096
        --flash-attn auto
        --jinja
        --temp 0.7
        --top-p 0.85
        --top-k 20
        --min-p 0.05
        --repeat-penalty 1.15
        --frequency-penalty 0.5
        --presence-penalty 0.4
        --no-warmup
        --port ${PORT}
--- a/apps/llama/configs/qwen_nothink_chat_template.jinja
+++ b/apps/llama/configs/qwen_nothink_chat_template.jinja
@@ -0,0 +1,101 @@
 {%- if not add_generation_prompt is defined %}
    {%- set add_generation_prompt = false %}
 {%- endif %}
 {%- set ns = namespace(is_first=false, is_tool=false, is_output_first=true, system_prompt='', is_first_sp=true, is_last_user=false) %}
 {%- for message in messages %}
    {%- if message['role'] == 'system' %}
        {%- if ns.is_first_sp %}
            {%- set ns.system_prompt = ns.system_prompt + message['content'] %}
            {%- set ns.is_first_sp = false %}
        {%- else %}
            {%- set ns.system_prompt = ns.system_prompt + '\n\n' + message['content'] %}
        {%- endif %}
    {%- endif %}
 {%- endfor %}
 {#- Adapted from https://github.com/sgl-project/sglang/blob/main/examples/chat_template/tool_chat_template_deepseekr1.jinja #}
 {%- if tools is defined and tools is not none %}
    {%- set tool_ns = namespace(text='You are a helpful assistant with tool calling capabilities. ' + 'When a tool call is needed, you MUST use the following format to issue the call:\n' + '<｜tool▁calls▁begin｜><｜tool▁call▁begin｜>function<｜tool▁sep｜>FUNCTION_NAME\n' + '```json\n{"param1": "value1", "param2": "value2"}\n```<｜tool▁call▁end｜><｜tool▁calls▁end｜>\n\n' + 'Make sure the JSON is valid.' + '## Tools\n\n### Function\n\nYou have the following functions available:\n\n') %}
    {%- for tool in tools %}
        {%- set tool_ns.text = tool_ns.text + '\n```json\n' + (tool | tojson) + '\n```\n' %}
    {%- endfor %}
    {%- if ns.system_prompt|length != 0 %}
        {%- set ns.system_prompt = ns.system_prompt + '\n\n' + tool_ns.text %}
    {%- else %}
        {%- set ns.system_prompt = tool_ns.text %}
    {%- endif %}
 {%- endif %}
 {{- bos_token }}
 {{- '/no_think' + ns.system_prompt }}
 {%- set last_index = (messages|length - 1) %}
 {%- for message in messages %}
    {%- set content = message['content'] %}
    {%- if message['role'] == 'user' %}
        {%- set ns.is_tool = false -%}
        {%- set ns.is_first = false -%}
        {%- set ns.is_last_user = true -%}
        {%- if loop.index0 == last_index %}
            {{- '<｜User｜>' + content }}
        {%- else %}
            {{- '<｜User｜>' + content + '<｜Assistant｜>'}}
        {%- endif %}
    {%- endif %}
    {%- if message['role'] == 'assistant' %}
        {%- if '</think>' in content %}
            {%- set content = (content.split('</think>')|last) %}
        {%- endif %}
    {%- endif %}
    {%- if message['role'] == 'assistant' and message['tool_calls'] is defined and message['tool_calls'] is not none %}
        {%- set ns.is_last_user = false -%}
        {%- if ns.is_tool %}
            {{- '<｜tool▁outputs▁end｜>'}}
        {%- endif %}
        {%- set ns.is_first = false %}
        {%- set ns.is_tool = false -%}
        {%- set ns.is_output_first = true %}
        {%- for tool in message['tool_calls'] %}
            {%- set arguments = tool['function']['arguments'] %}
            {%- if arguments is not string %}
                {%- set arguments = arguments|tojson %}
            {%- endif %}
            {%- if not ns.is_first %}
                {%- if content is none %}
                    {{- '<｜tool▁calls▁begin｜><｜tool▁call▁begin｜>' + tool['type'] + '<｜tool▁sep｜>' + tool['function']['name'] + '\n' + '```json' + '\n' + arguments + '\n' + '```' + '<｜tool▁call▁end｜>'}}
                }
                {%- else %}
                    {{- content + '<｜tool▁calls▁begin｜><｜tool▁call▁begin｜>' + tool['type'] + '<｜tool▁sep｜>' + tool['function']['name'] + '\n' + '```json' + '\n' + arguments + '\n' + '```' + '<｜tool▁call▁end｜>'}}
                {%- endif %}
                {%- set ns.is_first = true -%}
            {%- else %}
                {{- '\n' + '<｜tool▁call▁begin｜>' + tool['type'] + '<｜tool▁sep｜>' + tool['function']['name'] + '\n' + '```json' + '\n' + arguments + '\n' + '```' + '<｜tool▁call▁end｜>'}}
            {%- endif %}
        {%- endfor %}
        {{- '<｜tool▁calls▁end｜><｜end▁of▁sentence｜>'}}
    {%- endif %}
    {%- if message['role'] == 'assistant' and (message['tool_calls'] is not defined or message['tool_calls'] is none) %}
        {%- set ns.is_last_user = false -%}
        {%- if ns.is_tool %}
            {{- '<｜tool▁outputs▁end｜>' + content + '<｜end▁of▁sentence｜>'}}
            {%- set ns.is_tool = false -%}
        {%- else %}
            {{- content + '<｜end▁of▁sentence｜>'}}
        {%- endif %}
    {%- endif %}
    {%- if message['role'] == 'tool' %}
        {%- set ns.is_last_user = false -%}
        {%- set ns.is_tool = true -%}
        {%- if ns.is_output_first %}
            {{- '<｜tool▁outputs▁begin｜><｜tool▁output▁begin｜>' + content + '<｜tool▁output▁end｜>'}}
            {%- set ns.is_output_first = false %}
        {%- else %}
            {{- '\n<｜tool▁output▁begin｜>' + content + '<｜tool▁output▁end｜>'}}
        {%- endif %}
    {%- endif %}
 {%- endfor -%}
 {%- if ns.is_tool %}
    {{- '<｜tool▁outputs▁end｜>'}}
 {%- endif %}
 {#- if add_generation_prompt and not ns.is_last_user and not ns.is_tool #}
 {%- if add_generation_prompt and not ns.is_tool %}
    {{- '<｜Assistant｜>'}}
 {%- endif %}
--- a/apps/llama/deployment.yaml
+++ b/apps/llama/deployment.yaml
@@ -0,0 +1,70 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: llama-swap
  namespace: llama
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: llama-swap
  template:
    metadata:
      labels:
        app: llama-swap
    spec:
      containers:
        - name: llama-swap
          image: ghcr.io/mostlygeek/llama-swap:v172-vulkan-b7062
          imagePullPolicy: IfNotPresent
          command:
            - /app/llama-swap
          args:
            - --config=/config/config.yaml
            - --watch-config
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          volumeMounts:
            - name: models
              mountPath: /app/.cache
            - mountPath: /dev/kfd
              name: kfd
            - mountPath: /dev/dri
              name: dri
            - mountPath: /config
              name: config
          securityContext:
            privileged: true
      volumes:
        - name: models
          persistentVolumeClaim:
            claimName: llama-models
        - name: kfd
          hostPath:
            path: /dev/kfd
            type: CharDevice
        - name: dri
          hostPath:
            path: /dev/dri
            type: Directory
        - name: config
          configMap:
            name: llama-swap
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: llama
  namespace: llama
 spec:
  type: ClusterIP
  ports:
    - name: http
      port: 11434
      targetPort: 8080
      protocol: TCP
  selector:
    app: llama-swap
--- a/apps/llama/ingress.yaml
+++ b/apps/llama/ingress.yaml
@@ -0,0 +1,28 @@
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  namespace: llama
  name: llama
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    acme.cert-manager.io/http01-edit-in-place: "true"
    nginx.ingress.kubernetes.io/proxy-buffering: "false"
    nginx.ingress.kubernetes.io/proxy-read-timeout: 30m
 spec:
  ingressClassName: nginx-ingress
  rules:
    - host: llama.lumpiasty.xyz
      http:
        paths:
          - backend:
              service:
                name: llama-proxy
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - llama.lumpiasty.xyz
      secretName: llama-ingress
--- a/apps/llama/kustomization.yaml
+++ b/apps/llama/kustomization.yaml
@@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - secret.yaml
  - auth-proxy.yaml
  - ingress.yaml
  - pvc.yaml
  - deployment.yaml
 configMapGenerator:
  - name: llama-swap
    namespace: llama
    files:
      - config.yaml=configs/config.yaml
      - qwen_nothink_chat_template.jinja=configs/qwen_nothink_chat_template.jinja
--- a/apps/llama/namespace.yaml
+++ b/apps/llama/namespace.yaml
@@ -0,0 +1,5 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: llama
--- a/apps/llama/pvc.yaml
+++ b/apps/llama/pvc.yaml
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  namespace: llama
  name: llama-models
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 200Gi
  storageClassName: mayastor-single-ssd
--- a/apps/llama/secret.yaml
+++ b/apps/llama/secret.yaml
@@ -0,0 +1,38 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: llama-proxy
  namespace: llama
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: llama
  namespace: llama
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: llama-proxy
    serviceAccount: llama-proxy
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: llama-api-key
  namespace: llama
 spec:
  type: kv-v2
  mount: secret
  path: ollama
  destination:
    create: true
    name: llama-api-key
    type: Opaque
    transformation:
      excludeRaw: true
  vaultAuthRef: llama
--- a/apps/nas/configmap.yaml
+++ b/apps/nas/configmap.yaml
@@ -0,0 +1,28 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: nas-sftp-config
  namespace: nas
 data:
  sftp.json: |
    {
      "Global": {
        "Chroot": {
          "Directory": "%h",
          "StartPath": "data"
        },
        "Directories": [
          "data"
        ]
      },
      "Users": [
        {
          "Username": "nas",
          "UID": 1000,
          "GID": 1000,
          "PublicKeys": [
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCresbDFZijI+rZMgd3LdciPjpb4x4S5B7y0U+EoYPaz6hILT72fyz3QdcgKJJv8JUJI6g0811/yFRuOzCXgWaA922c/S/t6HMUrorh7mPVQMTN2dc/SVBvMa7S2M9NYBj6z1X2LRHs+g1JTMCtL202PIjes/E9qu0as0Vx6n/6HHNmtmA9LrpiAmurbeKXDmrYe2yWg/FA6cX5d86SJb21Dj8WqdCd3Hz0Pi6FzMKXhpWvs5Hfei1htsjsRzCxkpSTjlgFEFVfmHIXPfB06Sa6aCnkxAFnE7N+xNa9RIWeZmOXdA74LsfSKQ9eAXSrsC/IRxo2ce8cBzXJy+Itxw24fUqGYXBiCgx8i3ZA9IdwI1u71xYo9lyNjav5VykzKnAHRAYnDm9UsCf8k04reBevcLdtxL11vPCtind3xn76Nhy2b45dcp/MdYFANGsCcXJOMb6Aisb03HPGhs/aU3tCAQbTVe195mL9FWhGqIK2wBmF1SKW+4ssX2bIU6YaCYc= cardno:23_671_999"
          ]
        }
      ]
    }
--- a/apps/nas/deployment.yaml
+++ b/apps/nas/deployment.yaml
@@ -0,0 +1,68 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: nas-sftp
  namespace: nas
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: nas-sftp
  template:
    metadata:
      labels:
        app: nas-sftp
    spec:
      initContainers:
        - name: prepare-home
          image: alpine:3.23.3
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail
              mkdir -p /volume/sftp-root
              chown root:root /volume/sftp-root
              chmod 755 /volume/sftp-root
              mkdir -p /volume/sftp-root/data
              chown 1000:1000 /volume/sftp-root/data
              chmod 750 /volume/sftp-root/data
              mkdir -p /volume/host-keys
              chown root:root /volume/host-keys
              chmod 700 /volume/host-keys
          volumeMounts:
            - name: home
              mountPath: /volume
      containers:
        - name: sftp
          image: docker.io/emberstack/sftp:build-5.1.72
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 22
              name: sftp
              protocol: TCP
          volumeMounts:
            - name: config
              mountPath: /app/config/sftp.json
              subPath: sftp.json
              readOnly: true
            - name: home
              mountPath: /home/nas
              subPath: sftp-root
            - name: home
              mountPath: /etc/ssh/keys
              subPath: host-keys
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              memory: 512Mi
      volumes:
        - name: home
          persistentVolumeClaim:
            claimName: nas-data-lvm-hdd
        - name: config
          configMap:
            name: nas-sftp-config
--- a/apps/nas/kustomization.yaml
+++ b/apps/nas/kustomization.yaml
@@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - configmap.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
--- a/apps/nas/namespace.yaml
+++ b/apps/nas/namespace.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: nas
--- a/apps/nas/pvc.yaml
+++ b/apps/nas/pvc.yaml
@@ -0,0 +1,49 @@
 apiVersion: local.openebs.io/v1alpha1
 kind: LVMVolume
 metadata:
  labels:
    kubernetes.io/nodename: anapistula-delrosalae
  name: nas-data-lvm-hdd
  namespace: openebs
 spec:
  capacity: 4Gi
  ownerNodeID: anapistula-delrosalae
  shared: "yes"
  thinProvision: "no"
  vgPattern: ^openebs-hdd$
  volGroup: openebs-hdd
 ---
 kind: PersistentVolume
 apiVersion: v1
 metadata:
  name: nas-data-lvm-hdd
 spec:
  capacity:
    storage: 4Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  storageClassName: openebs-lvmpv
  volumeMode: Filesystem
  csi:
    driver: local.csi.openebs.io
    volumeHandle: nas-data-lvm-hdd
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    namespace: nas
    name: nas-data-lvm-hdd
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: nas-data-lvm-hdd
  namespace: nas
 spec:
  storageClassName: openebs-lvmpv
  accessModes:
    - ReadWriteOnce
  resources:
   requests:
     storage: 4Gi
  volumeName: nas-data-lvm-hdd
--- a/apps/nas/service.yaml
+++ b/apps/nas/service.yaml
@@ -0,0 +1,15 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: nas-sftp
  namespace: nas
 spec:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  ports:
    - name: sftp
      port: 22
      targetPort: 22
      protocol: TCP
  selector:
    app: nas-sftp
--- a/apps/registry/deployment.yaml
+++ b/apps/registry/deployment.yaml
@@ -0,0 +1,40 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: registry
  namespace: registry
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: registry
  template:
    metadata:
      labels:
        app: registry
    spec:
      containers:
        - name: registry
          image: registry:3.0.0
          ports:
            - containerPort: 5000
          volumeMounts:
            - name: data
              mountPath: /var/lib/registry
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: registry-data
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: registry-service
  namespace: registry
 spec:
  selector:
    app: registry
  ports:
    - protocol: TCP
      port: 80
      targetPort: 5000
--- a/apps/registry/ingress.yaml
+++ b/apps/registry/ingress.yaml
@@ -0,0 +1,26 @@
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  namespace: registry
  name: registry
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
 spec:
  ingressClassName: nginx-ingress
  rules:
    - host: registry.lumpiasty.xyz
      http:
        paths:
          - backend:
              service:
                name: registry-service
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - registry.lumpiasty.xyz
      secretName: researcher-ingress
--- a/apps/registry/kustomization.yaml
+++ b/apps/registry/kustomization.yaml
@@ -0,0 +1,8 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - volume.yaml
  - deployment.yaml
  - ingress.yaml
--- a/apps/registry/namespace.yaml
+++ b/apps/registry/namespace.yaml
@@ -0,0 +1,5 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: registry
--- a/apps/registry/volume.yaml
+++ b/apps/registry/volume.yaml
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: registry-data
  namespace: registry
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
  storageClassName: mayastor-single-hdd
--- a/apps/renovate/configmap.yaml
+++ b/apps/renovate/configmap.yaml
@@ -0,0 +1,11 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  namespace: renovate
  name: renovate-config
 data:
  RENOVATE_AUTODISCOVER: "true"
  RENOVATE_ENDPOINT: https://gitea.lumpiasty.xyz/api/v1
  RENOVATE_PLATFORM: gitea
  RENOVATE_GIT_AUTHOR: Renovate Bot <renovate@lumpiasty.xyz>
--- a/apps/renovate/cronjob.yaml
+++ b/apps/renovate/cronjob.yaml
@@ -1,16 +1,11 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: renovate
 ---
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: renovate
  namespace: renovate
 spec:
-  schedule: "@hourly"
+  schedule: "@daily"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
@@ -20,8 +15,10 @@ spec:
            - name: renovate
              # Update this to the latest available and then enable Renovate on
              # the manifest
-              image: renovate/renovate:39.215.2-full
+              image: renovate/renovate:43.4.3-full
              envFrom:
                - secretRef:
-                    name: renovate-env
+                    name: renovate-gitea-token
                - configMapRef:
                    name: renovate-config
          restartPolicy: Never
--- a/apps/renovate/kustomization.yaml
+++ b/apps/renovate/kustomization.yaml
@@ -0,0 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - configmap.yaml
  - secret.yaml
  - cronjob.yaml
--- a/apps/renovate/namespace.yaml
+++ b/apps/renovate/namespace.yaml
@@ -0,0 +1,5 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: renovate
--- a/apps/renovate/secret.yaml
+++ b/apps/renovate/secret.yaml
@@ -0,0 +1,38 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: renovate
  namespace: renovate
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: renovate
  namespace: renovate
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: renovate
    serviceAccount: renovate
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: renovate-gitea-token
  namespace: renovate
 spec:
  type: kv-v2
  mount: secret
  path: renovate
  destination:
    create: true
    name: renovate-gitea-token
    type: Opaque
    transformation:
      excludeRaw: true
  vaultAuthRef: renovate
--- a/apps/searxng/configs/settings.yml
+++ b/apps/searxng/configs/settings.yml
@@ -0,0 +1 @@
 use_default_settings: true
--- a/apps/searxng/deployment.yaml
+++ b/apps/searxng/deployment.yaml
@@ -0,0 +1,42 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: searxng
  namespace: searxng
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: searxng
  template:
    metadata:
      labels:
        app: searxng
    spec:
      containers:
        - name: searxng
          image: searxng/searxng:2025.8.12-6b1516d
          ports:
            - containerPort: 8080
          env:
            - name: SEARXNG_SECRET
              valueFrom:
                secretKeyRef:
                  name: searxng-secret
                  key: SEARXNG_SECRET
                  optional: false
          volumeMounts:
            - name: config-volume
              mountPath: /etc/searxng/settings.yml
              subPath: settings.yml
              readOnly: true
            - name: searxng-persistent-data
              mountPath: /var/cache/searxng
      volumes:
        - name: config-volume
          configMap:
            name: searxng-config
        - name: searxng-persistent-data
          persistentVolumeClaim:
            claimName: searxng-persistent-data
--- a/apps/searxng/ingress.yaml
+++ b/apps/searxng/ingress.yaml
@@ -0,0 +1,25 @@
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  namespace: searxng
  name: searxng
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
 spec:
  ingressClassName: nginx-ingress
  rules:
    - host: searxng.lumpiasty.xyz
      http:
        paths:
          - backend:
              service:
                name: searxng
                port:
                  number: 8080
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - searxng.lumpiasty.xyz
      secretName: searxng-ingress
--- a/apps/searxng/kustomization.yaml
+++ b/apps/searxng/kustomization.yaml
@@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
 configMapGenerator:
  - name: searxng-config
    namespace: searxng
    files:
      - settings.yml=configs/settings.yml
--- a/apps/searxng/namespace.yaml
+++ b/apps/searxng/namespace.yaml
@@ -0,0 +1,5 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: searxng
--- a/apps/searxng/pvc.yaml
+++ b/apps/searxng/pvc.yaml
@@ -0,0 +1,13 @@
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  namespace: searxng
  name: searxng-persistent-data
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: mayastor-single-ssd
--- a/apps/searxng/service.yaml
+++ b/apps/searxng/service.yaml
@@ -0,0 +1,14 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: searxng
  namespace: searxng
 spec:
  selector:
    app: searxng
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080
  type: ClusterIP
--- a/cluster/flux-system/gotk-components.yaml
+++ b/cluster/flux-system/gotk-components.yaml
--- a/devenv.lock
+++ b/devenv.lock
@@ -1,17 +1,34 @@
 {
  "nodes": {
-    "flake-compat": {
+    "devenv": {
      "locked": {
-        "lastModified": 1733328505,
+        "dir": "src/modules",
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "lastModified": 1769881431,
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "owner": "cachix",
-        "revCount": 69,
+        "repo": "devenv",
-        "type": "tarball",
+        "rev": "72d5e66e2dd5112766ef4c9565872b51094b542d",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
+        "type": "github"
      },
      "original": {
-        "type": "tarball",
+        "dir": "src/modules",
-        "url": "https://flakehub.com/f/edolstra/flake-compat/1.1.0.tar.gz"
+        "owner": "cachix",
        "repo": "devenv",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
        "owner": "NixOS",
        "repo": "flake-compat",
        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
@@ -19,11 +36,10 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1710146030,
+        "lastModified": 1731533236,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@@ -32,6 +48,47 @@
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1769069492,
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1762808025,
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "cb5e3fdca1de58ccbc3ef53de65bd372b48f567c",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "krew2nix": {
      "inputs": {
        "flake-utils": "flake-utils",
@@ -42,11 +99,10 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1738540903,
+        "lastModified": 1769904483,
        "narHash": "sha256-/C5RTu3yCpVFHIL7u3hL9ZRGrXmIrLg3iB4+z9A3E8A=",
        "owner": "a1994sc",
        "repo": "krew2nix",
-        "rev": "5bc50d65d6496ad30f897a9fe5532f440fb143ef",
+        "rev": "17d6ad3375899bd3f7d4d298481536155f3ec13c",
        "type": "github"
      },
      "original": {
@@ -57,11 +113,10 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1742069588,
+        "lastModified": 1769461804,
        "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
+        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
        "type": "github"
      },
      "original": {
@@ -73,15 +128,18 @@
    },
    "root": {
      "inputs": {
-        "flake-compat": "flake-compat",
+        "devenv": "devenv",
        "git-hooks": "git-hooks",
        "krew2nix": "krew2nix",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
        "pre-commit-hooks": [
          "git-hooks"
        ]
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -96,7 +154,6 @@
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -116,11 +173,10 @@
        ]
      },
      "locked": {
-        "lastModified": 1715940852,
+        "lastModified": 1769691507,
        "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
+        "rev": "28b19c5844cc6e2257801d43f2772a4b4c050a1b",
        "type": "github"
      },
      "original": {
--- a/devenv.nix
+++ b/devenv.nix
@@ -0,0 +1,59 @@
 { pkgs, lib, config, inputs, ... }:
 let
  # Python with hvac package
  python = pkgs.python313.withPackages (python-pkgs: with python-pkgs; [
    hvac
  ]);
 in
 {
  # Overlays - apply krew2nix to get kubectl with krew support
  overlays = [
    inputs.krew2nix.overlay
  ];
  # Environment variables
  env = {
    GREET = "devenv";
    TALOSCONFIG = "${config.devenv.root}/talos/generated/talosconfig";
    EDITOR = "vim";
    RESTIC_REPOSITORY = "s3:https://s3.eu-central-003.backblazeb2.com/lumpiasty-backups";
    VAULT_ADDR = "https://openbao.lumpiasty.xyz:8200";
    PATH = "${config.devenv.root}/utils:${pkgs.coreutils}/bin";
    PYTHON_BIN = "${python}/bin/python";
  };
  # Packages
  packages = with pkgs; [
    python
    vim gnumake
    talosctl cilium-cli
    kubectx k9s kubernetes-helm
    (kubectl.withKrewPlugins (plugins: with plugins; [
      mayastor
      openebs
    ]))
    ansible
    fluxcd
    restic
    openbao
    pv-migrate
  ];
  # Scripts
  scripts.hello.exec = ''
    echo hello from $GREET
  '';
  # Shell hooks
  enterShell = ''
    source ${pkgs.bash-completion}/share/bash-completion/bash_completion
    echo "Environment ready!"
  '';
  # Tests
  enterTest = ''
    echo "Running tests"
    git --version | grep --color=auto "${pkgs.git.version}"
  '';
 }
--- a/devenv.yaml
+++ b/devenv.yaml
@@ -0,0 +1,20 @@
 # yaml-language-server: $schema=https://devenv.sh/devenv.schema.json
 inputs:
  nixpkgs:
    url: github:NixOS/nixpkgs/nixos-unstable
  krew2nix:
    url: github:a1994sc/krew2nix
    inputs:
      nixpkgs:
        follows: nixpkgs
 # If you're using non-OSS software, you can set allowUnfree to true.
 # allowUnfree: true
 # If you're willing to use a package that's vulnerable
 # permittedInsecurePackages:
 #  - "openssl-1.1.1w"
 # If you have more than one devenv you can merge them
 #imports:
 # - ./backend
--- a/flake.nix
+++ b/flake.nix
@@ -1,59 +0,0 @@
 {
    inputs = {
        nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
        # Only to ease updating flake.lock, flake-compat is used by shell.nix
        flake-compat.url = https://flakehub.com/f/edolstra/flake-compat/1.1.0.tar.gz;
        # Allows us to install krew plugins
        krew2nix.url = "github:a1994sc/krew2nix";
        krew2nix.inputs.nixpkgs.follows = "nixpkgs";
    };
    outputs = { self, nixpkgs, krew2nix, ... }: let 
        system = "x86_64-linux";
    in {
        devShells."${system}".default =
        let
            pkgs = import nixpkgs {
                overlays = [ krew2nix.overlay ];
                inherit system;
            };
        in
            pkgs.mkShell {
                packages = with pkgs; [
                    (python313.withPackages (python-pkgs: with python-pkgs; [
                        hvac
                    ]))
                    vim gnumake
                    talosctl cilium-cli
                    kubectx k9s kubernetes-helm
                    (kubectl.withKrewPlugins (plugins: with plugins; [
                        mayastor
                        openebs
                    ]))
                    ansible
                    fluxcd
                    restic
                    openbao
                ];
                shellHook = ''
                # Get completions working
                source ${pkgs.bash-completion}/share/bash-completion/bash_completion
                export TALOSCONFIG=$(pwd)/talos/generated/talosconfig
                export EDITOR=vim
                export RESTIC_REPOSITORY=s3:https://s3.eu-central-003.backblazeb2.com/lumpiasty-backups
                # export AWS_ACCESS_KEY_ID=?
                # export AWS_SECRET_ACCESS_KEY=?
                # export RESTIC_PASSWORD=?
                export VAULT_ADDR=https://openbao.lumpiasty.xyz:8200
                # Add scripts from utils subdir
                export PATH="$PATH:$(pwd)/utils"
                '';
            };
    };
 }
--- a/infra/configs/lvmpv-hdd-sc.yaml
+++ b/infra/configs/lvmpv-hdd-sc.yaml
@@ -0,0 +1,12 @@
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  name: hdd-lvmpv
 parameters:
  storage: "lvm"
  volgroup: "openebs-hdd"
  fsType: "btrfs"
  shared: "yes"
 provisioner: local.csi.openebs.io
 allowVolumeExpansion: true
 volumeBindingMode: Immediate
--- a/infra/configs/ovh-cert-manager-secret.yaml
+++ b/infra/configs/ovh-cert-manager-secret.yaml
@@ -0,0 +1,38 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: ovh-credentials
  namespace: cert-manager
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: cert-manager
  namespace: cert-manager
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: cert-manager
    serviceAccount: ovh-credentials
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: webhook-ovh-credentials
  namespace: cert-manager
 spec:
  type: kv-v2
  mount: secret
  path: ovh-cert-manager
  destination:
    create: true
    name: ovh-credentials
    type: Opaque
    transformation:
      excludeRaw: true
  vaultAuthRef: cert-manager
--- a/infra/configs/single-hdd-sc.yaml
+++ b/infra/configs/single-hdd-sc.yaml
@@ -16,3 +16,5 @@ parameters:
  poolAffinityTopologyLabel: |
    type: hdd
 provisioner: io.openebs.csi-mayastor
 # Allow expansion of volumes
 allowVolumeExpansion: true
--- a/infra/configs/single-ssd-sc.yaml
+++ b/infra/configs/single-ssd-sc.yaml
@@ -0,0 +1,18 @@
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  name: mayastor-single-ssd
 parameters:
  protocol: nvmf
  # Single replica
  repl: "1"
  # Thin provision volumes
  thin: "true"
  # Generate new filesystem's uuid when cloning
  cloneFsIdAsVolumeId: "true"
  # Schedule this sconly on ssd
  poolAffinityTopologyLabel: |
    type: ssd
 provisioner: io.openebs.csi-mayastor
 # Allow expansion of volumes
 allowVolumeExpansion: true
--- a/infra/controllers/cert-manager-webhook-ovh.yaml
+++ b/infra/controllers/cert-manager-webhook-ovh.yaml
@@ -18,14 +18,14 @@ spec:
  chart:
    spec:
      chart: cert-manager-webhook-ovh
-      version: 0.7.3
+      version: 0.8.0
      sourceRef:
        kind: HelmRepository
        name: cert-manager-webhook-ovh
        namespace: cert-manager
      interval: 12h
  values:
-    configVersion: 0.0.1
+    configVersion: 0.0.2
    groupName: lumpiasty-homelab
    certManager:
      namespace: cert-manager
@@ -38,6 +38,7 @@ spec:
        acmeServerUrl: https://acme-v02.api.letsencrypt.org/directory
        email: arek.dzski@gmail.com
        ovhEndpointName: ovh-eu
        ovhAuthenticationMethod: application
        ovhAuthenticationRef:
          applicationKeyRef:
            name: ovh-credentials
@@ -45,6 +46,6 @@ spec:
          applicationSecretRef:
            name: ovh-credentials
            key: applicationSecret
-          consumerKeyRef:
+          applicationConsumerKeyRef:
            name: ovh-credentials
            key: consumerKey
--- a/infra/controllers/cert-manager.yaml
+++ b/infra/controllers/cert-manager.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: cert-manager
-      version: 1.17.0
+      version: v1.19.3
      sourceRef:
        kind: HelmRepository
        name: cert-manager
--- a/infra/controllers/cilium.yaml
+++ b/infra/controllers/cilium.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: cilium
-      version: 1.17.2
+      version: 1.18.6
      sourceRef:
        kind: HelmRepository
        name: cilium
--- a/infra/controllers/cloudnative-pg.yaml
+++ b/infra/controllers/cloudnative-pg.yaml
@@ -0,0 +1,31 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cnpg-system
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: cnpg
  namespace: cnpg-system
 spec:
  interval: 24h
  url: https://cloudnative-pg.github.io/charts
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: cnpg
  namespace: cnpg-system
 spec:
  interval: 30m
  chart:
    spec:
      chart: cloudnative-pg
      version: 0.27.0
      sourceRef:
        kind: HelmRepository
        name: cnpg
        namespace: cnpg-system
      interval: 12h
--- a/infra/controllers/dns-public.yaml
+++ b/infra/controllers/dns-public.yaml
@@ -97,7 +97,7 @@ spec:
          env:
            - name: GOMEMLIMIT
              value: 161MiB
-          image: registry.k8s.io/coredns/coredns:v1.12.0
+          image: registry.k8s.io/coredns/coredns:v1.14.1
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 5
--- a/infra/controllers/external-secrets.yaml
+++ b/infra/controllers/external-secrets.yaml
@@ -0,0 +1,32 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: external-secrets
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: external-secrets
  namespace: external-secrets
 spec:
  interval: 24h
  url: https://charts.external-secrets.io
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: external-secrets
  namespace: external-secrets
 spec:
  interval: 30m
  chart:
    spec:
      chart: external-secrets
      version: 0.16.2
      sourceRef:
        kind: HelmRepository
        name: external-secrets
        namespace: external-secrets
      interval: 12h
  values:
--- a/infra/controllers/k8up.yaml
+++ b/infra/controllers/k8up.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: k8up
-      version: 4.8.3
+      version: 4.8.6
      sourceRef:
        kind: HelmRepository
        name: k8up-io
--- a/infra/controllers/mongodb-operator.yaml
+++ b/infra/controllers/mongodb-operator.yaml
@@ -0,0 +1,33 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: mongodb
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: mongodb
  namespace: mongodb
 spec:
  interval: 24h
  url: https://mongodb.github.io/helm-charts
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: mongodb-operator
  namespace: mongodb
 spec:
  interval: 30m
  chart:
    spec:
      chart: community-operator
      version: 0.13.0
      sourceRef:
        kind: HelmRepository
        name: mongodb
        namespace: mongodb
  values:
    operator:
      watchNamespace: "*"
--- a/infra/controllers/nginx-ingress.yaml
+++ b/infra/controllers/nginx-ingress.yaml
@@ -2,32 +2,32 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: nginx-ingress-controller
+  name: nginx-ingress
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: nginx
+  name: ingress-nginx
-  namespace: nginx-ingress-controller
+  namespace: nginx-ingress
 spec:
  interval: 24h
-  url: https://helm.nginx.com/stable
+  url: https://kubernetes.github.io/ingress-nginx
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: nginx-ingress
-  namespace: nginx-ingress-controller
+  namespace: nginx-ingress
 spec:
  interval: 30m
  chart:
    spec:
-      chart: nginx-ingress
+      chart: ingress-nginx
-      version: 2.0.1
+      version: 4.14.3
      sourceRef:
        kind: HelmRepository
-        name: nginx
+        name: ingress-nginx
-        namespace: nginx-ingress-controller
+        namespace: nginx-ingress
      interval: 12h
  values:
    controller:
@@ -39,9 +39,11 @@ spec:
          cpu: 100m
          memory: 128Mi
-      ingressClass:
+      ingressClass: "nginx-ingress"
-        create: true
+      ingressClassResource:
-        setAsDefaultIngress: true
+        name: "nginx-ingress"
        enabled: true
        default: false
      service:
        create: true
@@ -49,8 +51,11 @@ spec:
        # Requirement for sharing ip with other service
        externalTrafficPolicy: Cluster
        ipFamilyPolicy: RequireDualStack
        ipFamilies:
          - IPv4
          - IPv6
        annotations:
          # Share IP with gitea ssh so we can have the same domain for both port
          lbipam.cilium.io/sharing-key: gitea
          lbipam.cilium.io/sharing-cross-namespace: gitea
-          lbipam.cilium.io/ips: 10.44.0.0,2001:470:61a3:400::1
+          lbipam.cilium.io/ips: 10.44.0.6,2001:470:61a3:400::6
--- a/infra/controllers/openbao.yaml
+++ b/infra/controllers/openbao.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: openbao
-      version: 0.8.1
+      version: 0.25.0
      sourceRef:
        kind: HelmRepository
        name: openbao
@@ -77,3 +77,5 @@ spec:
        storageClass: mayastor-single-hdd
    csi:
      enabled: true
    injector:
      affinity: ""
--- a/infra/controllers/openebs.yaml
+++ b/infra/controllers/openebs.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: openebs
-      version: 4.1.3
+      version: 4.4.0
      sourceRef:
        kind: HelmRepository
        name: openebs
@@ -38,7 +38,7 @@ spec:
    lvm-localpv:
      crds:
        lmvLocalPv:
-          enabled: false
+          enabled: true
    mayastor:
      csi:
@@ -63,7 +63,7 @@ spec:
        # Workaround for crashing io-engine
        # https://github.com/openebs/mayastor/issues/1763#issuecomment-2481922234
        envcontext: "iova-mode=pa"
-        coreList: [2, 3]
+        coreList: [1, 7]
        resources:
          limits:
            cpu: 4
@@ -102,10 +102,29 @@ spec:
            requests:
              cpu: 0
      # Remove antiaffinity, breaks when I set it to 1 replica
      nats:
        cluster:
          enable: true
          replicas: 3
        affinity:
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution: []
    loki:
      loki:
        commonConfig:
          replication_factor: 1
      singleBinary:
        replicas: 1
      minio:
        replicas: 1
        mode: standalone
    engines:
      local:
        lvm:
-          enabled: false
+          enabled: true
        zfs:
          enabled: false
      replicated:
--- a/infra/controllers/vault-secrets-operator.yaml
+++ b/infra/controllers/vault-secrets-operator.yaml
@@ -0,0 +1,35 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: vault-secrets-operator
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: hashicorp
  namespace: vault-secrets-operator
 spec:
  interval: 24h
  url: https://helm.releases.hashicorp.com
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: vault-secrets-operator
  namespace: vault-secrets-operator
 spec:
  interval: 30m
  chart:
    spec:
      chart: vault-secrets-operator
      version: 1.2.0
      sourceRef:
        kind: HelmRepository
        name: hashicorp
        namespace: vault-secrets-operator
      interval: 12h
  values:
    defaultVaultConnection:
      enabled: true
      address: "https://openbao.lumpiasty.xyz:8200"
--- a/infra/diskpools/anapistula-delrosalae-hdd.yaml
+++ b/infra/diskpools/anapistula-delrosalae-hdd.yaml
@@ -1,4 +1,4 @@
-apiVersion: "openebs.io/v1beta2"
+apiVersion: "openebs.io/v1beta3"
 kind: DiskPool
 metadata:
  name: anapistula-delrosalae-hdd
--- a/infra/diskpools/anapistula-delrosalae-ssd.yaml
+++ b/infra/diskpools/anapistula-delrosalae-ssd.yaml
@@ -0,0 +1,11 @@
 apiVersion: "openebs.io/v1beta3"
 kind: DiskPool
 metadata:
  name: anapistula-delrosalae-ssd
  namespace: openebs
 spec:
  node: anapistula-delrosalae
  disks: ["aio:///dev/disk/by-id/nvme-eui.000000000000000000a07501ead1ebdb"]
  topology:
    labelled:
      type: ssd
--- a/infra/kustomization.yaml
+++ b/infra/kustomization.yaml
@@ -3,16 +3,24 @@ kind: Kustomization
 resources:
  - controllers/k8up-crd-4.8.3.yaml
  - controllers/cilium.yaml
-  - controllers/nginx.yaml
+  - controllers/nginx-ingress.yaml
  - controllers/dns-public.yaml
  - controllers/cert-manager.yaml
  - controllers/cert-manager-webhook-ovh.yaml
  - controllers/openebs.yaml
  - controllers/k8up.yaml
  - controllers/openbao.yaml
  - controllers/external-secrets.yaml
  - controllers/vault-secrets-operator.yaml
  - controllers/mongodb-operator.yaml
  - controllers/cloudnative-pg.yaml
  - diskpools/anapistula-delrosalae-hdd.yaml
  - diskpools/anapistula-delrosalae-ssd.yaml
  - configs/bgp-cluster-config.yaml
  - configs/loadbalancer-ippool.yaml
  - configs/single-hdd-sc.yaml
  - configs/single-ssd-sc.yaml
  - configs/lvmpv-hdd-sc.yaml
  - configs/mayastor-snapshotclass.yaml
  - configs/openbao-cert.yaml
  - configs/ovh-cert-manager-secret.yaml
--- a/monke/gpt-researcher.yaml
+++ b/monke/gpt-researcher.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: tavily
  namespace: gpt-researcher
 stringData:
  TAVILY_API_KEY: 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
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: openrouter
  namespace: gpt-researcher
 stringData:
  OPENROUTER_API_KEY: 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
--- a/pyrightconfig.json
+++ b/pyrightconfig.json
@@ -0,0 +1,3 @@
 {
  "allowedUntypedLibraries": ["hvac"]
 }
--- a/renovate.json
+++ b/renovate.json
@@ -1,10 +1,14 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "kubernetes": {
-    "fileMatch": ["\\.yaml$"]
+    "fileMatch": ["infra/.+\\.yaml$", "apps/.+\\.yaml$"]
  },
  "flux": {
-    "fileMatch": ["infra/.+\\.yaml$", "apps/.+\\.yaml$"]
+    "fileMatch": [
      "infra/.+\\.yaml$",
      "apps/.+\\.yaml$",
      "gotk-components\\.ya?ml$"
    ]
  },
  "prHourlyLimit": 9
 }
--- a/shell.nix
+++ b/shell.nix
@@ -1,15 +0,0 @@
 # Needed for Nix Environment Selector
 # https://github.com/edolstra/flake-compat/
 (import
  (
    let
      lock = builtins.fromJSON (builtins.readFile ./flake.lock);
      nodeName = lock.nodes.root.inputs.flake-compat;
    in
    fetchTarball {
      url = lock.nodes.${nodeName}.locked.url;
      sha256 = lock.nodes.${nodeName}.locked.narHash;
    }
  )
  { src = ./.; }
 ).shellNix
--- a/talos/patches/anapistula-delrosalae.patch
+++ b/talos/patches/anapistula-delrosalae.patch
@@ -1,7 +1,7 @@
 machine:
  network:
    interfaces:
-      - interface: enp4s0
+      - interface: eno1
        addresses:
          - 2001:470:61a3:100::3/64
          - 192.168.1.35/24
@@ -10,13 +10,20 @@ machine:
            gateway: 2001:470:61a3:100:ffff:ffff:ffff:ffff
          - network: 0.0.0.0/0
            gateway: 192.168.1.1
-        mtu: 1500
+        mtu: 1280
  install:
    diskSelector:
      wwid: t10.ATA     SSDPR-CX400-256                         GUH039914
    # Generated on https://factory.talos.dev/
-    # intel-ucode and amdgpu
+    # amd-ucode and amdgpu
-    image: factory.talos.dev/installer/06deebb947b815afa53f04c450d355d3c8bc28927a387c754db1622a0a06349e:v1.9.5
+    image: factory.talos.dev/metal-installer/9c1d1b442d73f96dcd04e81463eb20000ab014062d22e1b083e1773336bc1dd5:v1.10.6
    extraKernelArgs:
      - cpufreq.default_governor=performance
  sysfs:
    devices.system.cpu.cpu0.cpufreq.scaling_max_freq: "550000"
    devices.system.cpu.cpu1.cpufreq.scaling_max_freq: "550000"
    devices.system.cpu.cpu2.cpufreq.scaling_max_freq: "550000"
    devices.system.cpu.cpu6.cpufreq.scaling_max_freq: "550000"
    devices.system.cpu.cpu7.cpufreq.scaling_max_freq: "550000"
    devices.system.cpu.cpu8.cpufreq.scaling_max_freq: "550000"
--- a/talos/patches/frigate.patch
+++ b/talos/patches/frigate.patch
@@ -0,0 +1,11 @@
 # CSI driver requirement
 cluster:
  apiServer:
    admissionControl:
      - name: PodSecurity
        configuration:
          apiVersion: pod-security.admission.config.k8s.io/v1beta1
          kind: PodSecurityConfiguration
          exemptions:
            namespaces:
              - frigate
--- a/talos/patches/llama.patch
+++ b/talos/patches/llama.patch
@@ -0,0 +1,11 @@
 # CSI driver requirement
 cluster:
  apiServer:
    admissionControl:
      - name: PodSecurity
        configuration:
          apiVersion: pod-security.admission.config.k8s.io/v1beta1
          kind: PodSecurityConfiguration
          exemptions:
            namespaces:
              - llama
--- a/talos/patches/ollama.patch
+++ b/talos/patches/ollama.patch
@@ -0,0 +1,11 @@
 # CSI driver requirement
 cluster:
  apiServer:
    admissionControl:
      - name: PodSecurity
        configuration:
          apiVersion: pod-security.admission.config.k8s.io/v1beta1
          kind: PodSecurityConfiguration
          exemptions:
            namespaces:
              - ollama
--- a/talos/patches/openebs.patch
+++ b/talos/patches/openebs.patch
@@ -16,7 +16,7 @@ machine:
          - rw
  install:
    extraKernelArgs:
-      - isolcpus=2,3
+      - isolcpus=1,7
 cluster:
  apiServer:
--- a/Show More
+++ b/Show More