Add nginx ingress annotation to increase proxy body size limit

Categorize and add missing entries to app list
Remake Ansible playbook to target MikroTik router
2026-03-12 19:14:11 +01:00 · 2026-03-12 18:48:28 +01:00 · 2026-03-12 18:03:17 +01:00 · 2026-03-12 16:56:05 +00:00 · 2026-03-12 16:55:09 +00:00 · 2026-03-12 16:47:00 +00:00
61 changed files with 103 additions and 1474 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -10,4 +10,3 @@ devenv.local.yaml
 # pre-commit
 .pre-commit-config.yaml
 .opencode
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -2,7 +2,6 @@
  "recommendations": [
    "jnoortheen.nix-ide",
    "detachhead.basedpyright",
-    "mkhl.direnv",
+    "mkhl.direnv"
    "mermaidchart.vscode-mermaid-chart"
  ]
 }
--- a/20
+++ b/20
@@ -1,7 +1,3 @@
 SHELL := /usr/bin/env bash
 .PHONY: install-router gen-talos-config apply-talos-config get-kubeconfig garm-image-build garm-image-push garm-image-build-push
 install-router:
 	ansible-playbook ansible/playbook.yml -i ansible/hosts
@@ -27,19 +23,3 @@ apply-talos-config:
 get-kubeconfig:
 	talosctl -n anapistula-delrosalae kubeconfig talos/generated/kubeconfig
 garm-image-build:
 	set -euo pipefail; \
 	source apps/garm/image-source.env; \
 	docker build \
 		-f docker/garm/Dockerfile \
 		--build-arg GARM_COMMIT=$$GARM_COMMIT \
 		-t $$GARM_IMAGE \
 		.
 garm-image-push:
 	set -euo pipefail; \
 	source apps/garm/image-source.env; \
 	docker push $$GARM_IMAGE
 garm-image-build-push: garm-image-build garm-image-push
--- a/apps/authentik/kustomization.yaml
+++ b/apps/authentik/kustomization.yaml
@@ -1,8 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - postgres-volume.yaml
  - postgres-cluster.yaml
  - secret.yaml
  - release.yaml
--- a/apps/authentik/namespace.yaml
+++ b/apps/authentik/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: authentik
--- a/apps/authentik/postgres-cluster.yaml
+++ b/apps/authentik/postgres-cluster.yaml
@@ -1,23 +0,0 @@
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: authentik-postgresql-cluster-lvmhdd
  namespace: authentik
 spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:17.4
  bootstrap:
    initdb:
      database: authentik
      owner: authentik
  storage:
    pvcTemplate:
      storageClassName: hdd-lvmpv
      resources:
        requests:
          storage: 10Gi
      volumeName: authentik-postgresql-cluster-lvmhdd-1
--- a/apps/authentik/postgres-volume.yaml
+++ b/apps/authentik/postgres-volume.yaml
@@ -1,33 +0,0 @@
 apiVersion: local.openebs.io/v1alpha1
 kind: LVMVolume
 metadata:
  labels:
    kubernetes.io/nodename: anapistula-delrosalae
  name: authentik-postgresql-cluster-lvmhdd-1
  namespace: openebs
 spec:
  capacity: 10Gi
  ownerNodeID: anapistula-delrosalae
  shared: "yes"
  thinProvision: "no"
  vgPattern: ^openebs-hdd$
  volGroup: openebs-hdd
 ---
 kind: PersistentVolume
 apiVersion: v1
 metadata:
  name: authentik-postgresql-cluster-lvmhdd-1
 spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: hdd-lvmpv
  volumeMode: Filesystem
  csi:
    driver: local.csi.openebs.io
    fsType: btrfs
    volumeHandle: authentik-postgresql-cluster-lvmhdd-1
 ---
 # PVCs are dynamically created by the Postgres operator
--- a/apps/authentik/release.yaml
+++ b/apps/authentik/release.yaml
@@ -1,61 +0,0 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: authentik
  namespace: authentik
 spec:
  interval: 24h
  url: https://charts.goauthentik.io
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: authentik
  namespace: authentik
 spec:
  interval: 30m
  chart:
    spec:
      chart: authentik
      version: 2026.2.1
      sourceRef:
        kind: HelmRepository
        name: authentik
        namespace: authentik
      interval: 12h
  values:
    authentik:
      postgresql:
        host: authentik-postgresql-cluster-lvmhdd-rw
        name: authentik
        user: authentik
    global:
      env:
        - name: AUTHENTIK_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: authentik-secret
              key: secret_key
        - name: AUTHENTIK_POSTGRESQL__PASSWORD
          valueFrom:
            secretKeyRef:
              name: authentik-postgresql-cluster-lvmhdd-app
              key: password
    postgresql:
      enabled: false
    server:
      ingress:
        enabled: true
        ingressClassName: nginx-ingress
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt
        hosts:
          - authentik.lumpiasty.xyz
        tls:
          - secretName: authentik-ingress
            hosts:
              - authentik.lumpiasty.xyz
--- a/apps/authentik/secret.yaml
+++ b/apps/authentik/secret.yaml
@@ -1,38 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: authentik-secret
  namespace: authentik
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: authentik
  namespace: authentik
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: authentik
    serviceAccount: authentik-secret
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: authentik-secret
  namespace: authentik
 spec:
  type: kv-v2
  mount: secret
  path: authentik
  destination:
    create: true
    name: authentik-secret
    type: Opaque
    transformation:
      excludeRaw: true
  vaultAuthRef: authentik
--- a/apps/crawl4ai-proxy/deployment.yaml
+++ b/apps/crawl4ai-proxy/deployment.yaml
@@ -1,48 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: crawl4ai-proxy
  namespace: crawl4ai
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: crawl4ai-proxy
  template:
    metadata:
      labels:
        app: crawl4ai-proxy
    spec:
      containers:
        - name: crawl4ai-proxy
          image: gitea.lumpiasty.xyz/lumpiasty/crawl4ai-proxy-fit:latest
          imagePullPolicy: Always
          env:
            - name: LISTEN_PORT
              value: "8000"
            - name: CRAWL4AI_ENDPOINT
              value: http://crawl4ai.crawl4ai.svc.cluster.local:11235/crawl
          ports:
            - name: http
              containerPort: 8000
          readinessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 3
            periodSeconds: 10
            timeoutSeconds: 2
            failureThreshold: 6
          livenessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 10
            periodSeconds: 15
            timeoutSeconds: 2
            failureThreshold: 6
          resources:
            requests:
              cpu: 25m
              memory: 32Mi
            limits:
              cpu: 200m
              memory: 128Mi
--- a/apps/crawl4ai-proxy/kustomization.yaml
+++ b/apps/crawl4ai-proxy/kustomization.yaml
@@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - deployment.yaml
  - service.yaml
--- a/apps/crawl4ai-proxy/service.yaml
+++ b/apps/crawl4ai-proxy/service.yaml
@@ -1,14 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: crawl4ai-proxy
  namespace: crawl4ai
 spec:
  type: ClusterIP
  selector:
    app: crawl4ai-proxy
  ports:
    - name: http
      port: 8000
      targetPort: 8000
      protocol: TCP
--- a/apps/crawl4ai/deployment.yaml
+++ b/apps/crawl4ai/deployment.yaml
@@ -1,62 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: crawl4ai
  namespace: crawl4ai
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: crawl4ai
  template:
    metadata:
      labels:
        app: crawl4ai
    spec:
      containers:
        - name: crawl4ai
          image: unclecode/crawl4ai:latest
          imagePullPolicy: IfNotPresent
          env:
            - name: CRAWL4AI_API_TOKEN
              valueFrom:
                secretKeyRef:
                  name: crawl4ai-secret
                  key: api_token
                  optional: false
            - name: MAX_CONCURRENT_TASKS
              value: "5"
          ports:
            - name: http
              containerPort: 11235
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 6
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 15
            timeoutSeconds: 3
            failureThreshold: 6
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: "2"
              memory: 4Gi
          volumeMounts:
            - name: dshm
              mountPath: /dev/shm
      volumes:
        - name: dshm
          emptyDir:
            medium: Memory
            sizeLimit: 1Gi
--- a/apps/crawl4ai/kustomization.yaml
+++ b/apps/crawl4ai/kustomization.yaml
@@ -1,7 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - secret.yaml
  - deployment.yaml
  - service.yaml
--- a/apps/crawl4ai/namespace.yaml
+++ b/apps/crawl4ai/namespace.yaml
@@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: crawl4ai
--- a/apps/crawl4ai/secret.yaml
+++ b/apps/crawl4ai/secret.yaml
@@ -1,38 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: crawl4ai-secret
  namespace: crawl4ai
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: crawl4ai
  namespace: crawl4ai
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: crawl4ai
    serviceAccount: crawl4ai-secret
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: crawl4ai-secret
  namespace: crawl4ai
 spec:
  type: kv-v2
  mount: secret
  path: crawl4ai
  destination:
    create: true
    name: crawl4ai-secret
    type: Opaque
    transformation:
      excludeRaw: true
  vaultAuthRef: crawl4ai
--- a/apps/crawl4ai/service.yaml
+++ b/apps/crawl4ai/service.yaml
@@ -1,14 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: crawl4ai
  namespace: crawl4ai
 spec:
  type: ClusterIP
  selector:
    app: crawl4ai
  ports:
    - name: http
      port: 11235
      targetPort: 11235
      protocol: TCP
--- a/apps/garm/README.md
+++ b/apps/garm/README.md
@@ -1,49 +0,0 @@
 # garm
 This app deploys `garm` with external `garm-provider-k8s`.
 - API/UI ingress: `https://garm.lumpiasty.xyz`
 - Internal service DNS: `http://garm.garm.svc.cluster.local:9997`
 ## Vault secret requirements
 `VaultStaticSecret` reads `secret/data/garm` and expects at least:
 - `jwt_auth_secret`
 - `database_passphrase` (must be 32 characters)
 ## Connect garm to Gitea
 After Flux reconciles this app, initialize garm and add Gitea endpoint/credentials.
 ```bash
 # 1) Initialize garm (from your local devenv shell)
 garm-cli init \
  --name homelab \
  --url https://garm.lumpiasty.xyz \
  --username admin \
  --email admin@lumpiasty.xyz \
  --password '<STRONG_ADMIN_PASSWORD>' \
  --metadata-url http://garm.garm.svc.cluster.local:9997/api/v1/metadata \
  --callback-url http://garm.garm.svc.cluster.local:9997/api/v1/callbacks \
  --webhook-url http://garm.garm.svc.cluster.local:9997/webhooks
 # 2) Add Gitea endpoint
 garm-cli gitea endpoint create \
  --name local-gitea \
  --description 'Cluster Gitea' \
  --base-url http://gitea-http.gitea.svc.cluster.local:80 \
  --api-base-url http://gitea-http.gitea.svc.cluster.local:80/api/v1
 # 3) Add Gitea PAT credentials
 garm-cli gitea credentials add \
  --name gitea-pat \
  --description 'PAT for garm' \
  --endpoint local-gitea \
  --auth-type pat \
  --pat-oauth-token '<GITEA_PAT_WITH_write:repository,write:organization>'
 ```
 Then add repositories/orgs and create pools against provider `kubernetes_external`.
 If Gitea refuses webhook installation to cluster-local URLs, set `gitea.config.webhook.ALLOWED_HOST_LIST` in `apps/gitea/release.yaml`.
--- a/apps/garm/configmap.yaml
+++ b/apps/garm/configmap.yaml
@@ -1,19 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: garm-provider-k8s-config
  namespace: garm
 data:
  provider-config.yaml: |
    kubeConfigPath: ""
    runnerNamespace: "garm-runners"
    podTemplate:
      spec:
        restartPolicy: Never
    flavors:
      default:
        requests:
          cpu: 100m
          memory: 512Mi
        limits:
          memory: 2Gi
--- a/apps/garm/deployment.yaml
+++ b/apps/garm/deployment.yaml
@@ -1,106 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: garm
  namespace: garm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: garm
  template:
    metadata:
      labels:
        app: garm
    spec:
      serviceAccountName: garm
      initContainers:
        - name: render-garm-config
          image: alpine:3.23
          env:
            - name: JWT_AUTH_SECRET
              valueFrom:
                secretKeyRef:
                  name: garm-config
                  key: jwt_auth_secret
            - name: DATABASE_PASSPHRASE
              valueFrom:
                secretKeyRef:
                  name: garm-config
                  key: database_passphrase
          command:
            - /bin/sh
            - -ec
            - |
              cat <<EOF > /etc/garm/config.toml
              [default]
              enable_webhook_management = true
              [logging]
              enable_log_streamer = true
              log_format = "text"
              log_level = "info"
              log_source = false
              [metrics]
              enable = true
              disable_auth = false
              [jwt_auth]
              secret = "${JWT_AUTH_SECRET}"
              time_to_live = "8760h"
              [apiserver]
                bind = "0.0.0.0"
                port = 9997
                use_tls = false
                [apiserver.webui]
                  enable = true
              [database]
                backend = "sqlite3"
                passphrase = "${DATABASE_PASSPHRASE}"
                [database.sqlite3]
                  db_file = "/data/garm.db"
                  busy_timeout_seconds = 5
              [[provider]]
              name = "kubernetes_external"
              description = "Kubernetes provider"
              provider_type = "external"
              [provider.external]
              config_file = "/etc/garm/provider-config.yaml"
              provider_executable = "/opt/garm/providers.d/garm-provider-k8s"
              environment_variables = ["KUBERNETES_"]
              EOF
          volumeMounts:
            - name: config-dir
              mountPath: /etc/garm
      containers:
        - name: garm
          image: gitea.lumpiasty.xyz/lumpiasty/garm-k8s:r1380
          imagePullPolicy: IfNotPresent
          command:
            - /bin/garm
            - --config
            - /etc/garm/config.toml
          ports:
            - name: http
              containerPort: 9997
          volumeMounts:
            - name: data
              mountPath: /data
            - name: config-dir
              mountPath: /etc/garm
            - name: provider-config
              mountPath: /etc/garm/provider-config.yaml
              subPath: provider-config.yaml
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: garm-lvmhdd
        - name: config-dir
          emptyDir: {}
        - name: provider-config
          configMap:
            name: garm-provider-k8s-config
--- a/apps/garm/image-source.env
+++ b/apps/garm/image-source.env
@@ -1,5 +0,0 @@
 # renovate: datasource=github-refs depName=cloudbase/garm versioning=git
 GARM_COMMIT=818a9dddccba5f2843f185e6a846770988f31fc5
 GARM_COMMIT_NUMBER=1380
 GARM_IMAGE_REPO=gitea.lumpiasty.xyz/lumpiasty/garm-k8s
 GARM_IMAGE=gitea.lumpiasty.xyz/lumpiasty/garm-k8s:r1380
--- a/apps/garm/ingress.yaml
+++ b/apps/garm/ingress.yaml
@@ -1,24 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  namespace: garm
  name: garm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
 spec:
  ingressClassName: nginx-ingress
  rules:
    - host: garm.lumpiasty.xyz
      http:
        paths:
          - backend:
              service:
                name: garm
                port:
                  number: 9997
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - garm.lumpiasty.xyz
      secretName: garm-ingress
--- a/apps/garm/kustomization.yaml
+++ b/apps/garm/kustomization.yaml
@@ -1,11 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - pvc.yaml
  - configmap.yaml
  - service.yaml
  - ingress.yaml
  - rbac.yaml
  - secret.yaml
  - deployment.yaml
--- a/apps/garm/namespace.yaml
+++ b/apps/garm/namespace.yaml
@@ -1,9 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: garm
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: garm-runners
--- a/apps/garm/pvc.yaml
+++ b/apps/garm/pvc.yaml
@@ -1,46 +0,0 @@
 ---
 apiVersion: local.openebs.io/v1alpha1
 kind: LVMVolume
 metadata:
  labels:
    kubernetes.io/nodename: anapistula-delrosalae
  name: garm-lvmhdd
  namespace: openebs
 spec:
  capacity: 5Gi
  ownerNodeID: anapistula-delrosalae
  shared: "yes"
  thinProvision: "no"
  vgPattern: ^openebs-hdd$
  volGroup: openebs-hdd
 ---
 kind: PersistentVolume
 apiVersion: v1
 metadata:
  name: garm-lvmhdd
 spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: hdd-lvmpv
  volumeMode: Filesystem
  csi:
    driver: local.csi.openebs.io
    fsType: btrfs
    volumeHandle: garm-lvmhdd
 ---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: garm-lvmhdd
  namespace: garm
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: hdd-lvmpv
  volumeName: garm-lvmhdd
--- a/apps/garm/rbac.yaml
+++ b/apps/garm/rbac.yaml
@@ -1,51 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: garm
  namespace: garm
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: garm-provider-k8s
  namespace: garm-runners
 rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "configmaps", "secrets", "events"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: garm-provider-k8s
  namespace: garm-runners
 subjects:
  - kind: ServiceAccount
    name: garm
    namespace: garm
 roleRef:
  kind: Role
  name: garm-provider-k8s
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: garm-namespace-manager
 rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: garm-namespace-manager
 subjects:
  - kind: ServiceAccount
    name: garm
    namespace: garm
 roleRef:
  kind: ClusterRole
  name: garm-namespace-manager
  apiGroup: rbac.authorization.k8s.io
--- a/apps/garm/secret.yaml
+++ b/apps/garm/secret.yaml
@@ -1,32 +0,0 @@
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: garm
  namespace: garm
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: garm
    serviceAccount: garm
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: garm-config
  namespace: garm
 spec:
  type: kv-v2
  mount: secret
  path: garm
  destination:
    create: true
    name: garm-config
    type: Opaque
    transformation:
      excludeRaw: true
  vaultAuthRef: garm
--- a/apps/garm/service.yaml
+++ b/apps/garm/service.yaml
@@ -1,14 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: garm
  namespace: garm
 spec:
  type: ClusterIP
  selector:
    app: garm
  ports:
    - name: http
      port: 9997
      targetPort: 9997
      protocol: TCP
--- a/apps/gitea/release.yaml
+++ b/apps/gitea/release.yaml
@@ -72,8 +72,6 @@ spec:
        indexer:
          ISSUE_INDEXER_TYPE: bleve
          REPO_INDEXER_ENABLED: true
        webhook:
          ALLOWED_HOST_LIST: garm.garm.svc.cluster.local
      admin:
        username: GiteaAdmin
        email: gi@tea.com
@@ -90,11 +88,6 @@ spec:
        # Requirement for sharing ip with other service
        externalTrafficPolicy: Cluster
        ipFamilyPolicy: RequireDualStack
      http:
        type: ClusterIP
        # We need the service to be at port 80 specifically
        # to work around bug of Actions Runner
        port: 80
    ingress:
      enabled: true
@@ -102,7 +95,7 @@ spec:
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt
        acme.cert-manager.io/http01-edit-in-place: "true"
-        nginx.ingress.kubernetes.io/proxy-body-size: "1g"
+        nginx.ingress.kubernetes.io/proxy-body-size: "100m"
      hosts:
        - host: gitea.lumpiasty.xyz
          paths:
--- a/apps/immich/release.yaml
+++ b/apps/immich/release.yaml
@@ -18,7 +18,7 @@ spec:
  chart:
    spec:
      chart: immich
-      version: 1.2.2
+      version: 1.1.1
      sourceRef:
        kind: HelmRepository
        name: secustor
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -1,9 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - crawl4ai
  - crawl4ai-proxy
  - authentik
  - gitea
  - renovate
  - librechat
@@ -14,4 +11,3 @@ resources:
  - searxng
  - ispeak3
  - openwebui
  - garm
--- a/apps/llama/configs/config.yaml
+++ b/apps/llama/configs/config.yaml
@@ -4,16 +4,12 @@ logToStdout: "both" # proxy and upstream
 macros:
  base_args: "--no-warmup --port ${PORT}"
-  common_args: "--fit-target 1536 --no-warmup --port ${PORT}"
+  common_args: "--fit-target 1536 --fit-ctx 65536 --no-warmup --port ${PORT}"
  gemma3_ctx_128k: "--ctx-size 131072"
  qwen35_ctx_128k: "--ctx-size 131072"
  qwen35_ctx_256k: "--ctx-size 262144"
  gemma_sampling: "--prio 2 --temp 1.0 --repeat-penalty 1.0 --min-p 0.00 --top-k 64 --top-p 0.95"
-  qwen35_sampling: "--temp 0.6 --top-p 0.95 --top-k 20 --min-p 0.00 -ctk q8_0 -ctv q8_0"
+  qwen35_sampling: "--temp 0.6 --top-p 0.95 --top-k 20 --min-p 0.00 -ctk q4_0 -ctv q4_0"
-  qwen35_35b_args: "--temp 1.0 --min-p 0.00 --top-p 0.95 --top-k 20 -ctk q8_0 -ctv q8_0"
+  qwen35_35b_args: "--temp 1.0 --min-p 0.00 --top-p 0.95 --top-k 20 -ctk q4_0 -ctv q4_0"
  qwen35_35b_heretic_mmproj: "--mmproj-url https://huggingface.co/unsloth/Qwen3.5-35B-A3B-GGUF/resolve/main/mmproj-F16.gguf --mmproj /root/.cache/llama.cpp/unsloth_Qwen3.5-35B-A3B-GGUF_mmproj-F16.gguf"
  qwen35_4b_heretic_mmproj: "--mmproj-url https://huggingface.co/unsloth/Qwen3.5-4B-GGUF/resolve/main/mmproj-F16.gguf --mmproj /root/.cache/llama.cpp/unsloth_Qwen3.5-4B-GGUF_mmproj-F16.gguf"
  glm47_flash_args: "--temp 0.7 --top-p 1.0 --min-p 0.01 --repeat-penalty 1.0"
  thinking_on: "--chat-template-kwargs '{\"enable_thinking\": true}'"
  thinking_off: "--chat-template-kwargs '{\"enable_thinking\": false}'"
@@ -42,7 +38,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3-12b-it-GGUF:Q4_K_M
        ${gemma3_ctx_128k}
        ${gemma_sampling}
        ${common_args}
@@ -50,7 +45,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3-12b-it-GGUF:Q4_K_M
        ${gemma3_ctx_128k}
        ${gemma_sampling}
        --no-mmproj
        ${common_args}
@@ -59,7 +53,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3-4b-it-GGUF:Q4_K_M
        ${gemma3_ctx_128k}
        ${gemma_sampling}
        ${common_args}
@@ -67,7 +60,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/gemma-3-4b-it-GGUF:Q4_K_M
        ${gemma3_ctx_128k}
        ${gemma_sampling}
        --no-mmproj
        ${common_args}
@@ -83,14 +75,13 @@ models:
        --top-p 0.95
        --top-k 40
        --repeat-penalty 1.0
-        -ctk q8_0 -ctv q8_0
+        -ctk q4_0 -ctv q4_0
        ${common_args}
  "Qwen3.5-35B-A3B-GGUF:Q4_K_M":
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-35B-A3B-GGUF:Q4_K_M
        ${qwen35_ctx_256k}
        ${qwen35_35b_args}
        ${common_args}
@@ -98,7 +89,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-35B-A3B-GGUF:Q4_K_M
        ${qwen35_ctx_256k}
        ${qwen35_35b_args}
        ${common_args}
        ${thinking_off}
@@ -110,7 +100,6 @@ models:
      /app/llama-server
        -hf mradermacher/Qwen3.5-35B-A3B-heretic-GGUF:Q4_K_M
        ${qwen35_35b_heretic_mmproj}
        ${qwen35_ctx_256k}
        ${qwen35_35b_args}
        ${common_args}
@@ -119,7 +108,6 @@ models:
      /app/llama-server
        -hf mradermacher/Qwen3.5-35B-A3B-heretic-GGUF:Q4_K_M
        ${qwen35_35b_heretic_mmproj}
        ${qwen35_ctx_256k}
        ${qwen35_35b_args}
        ${common_args}
        ${thinking_off}
@@ -128,7 +116,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-0.8B-GGUF:Q4_K_XL
        ${qwen35_ctx_256k}
        ${qwen35_sampling}
        ${base_args}
        ${thinking_on}
@@ -146,7 +133,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-2B-GGUF:Q4_K_M
        ${qwen35_ctx_256k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_on}
@@ -155,7 +141,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-2B-GGUF:Q4_K_M
        ${qwen35_ctx_256k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_off}
@@ -164,7 +149,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-4B-GGUF:Q4_K_M
        ${qwen35_ctx_128k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_on}
@@ -173,7 +157,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-4B-GGUF:Q4_K_M
        ${qwen35_ctx_128k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_off}
@@ -183,7 +166,6 @@ models:
      /app/llama-server
        -hf mradermacher/Qwen3.5-4B-heretic-GGUF:Q4_K_M
        ${qwen35_4b_heretic_mmproj}
        ${qwen35_ctx_128k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_on}
@@ -193,7 +175,6 @@ models:
      /app/llama-server
        -hf mradermacher/Qwen3.5-4B-heretic-GGUF:Q4_K_M
        ${qwen35_4b_heretic_mmproj}
        ${qwen35_ctx_128k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_off}
@@ -202,7 +183,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-9B-GGUF:Q4_K_M
        ${qwen35_ctx_256k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_on}
@@ -211,7 +191,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-9B-GGUF:Q4_K_M
        ${qwen35_ctx_256k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_off}
@@ -220,7 +199,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-9B-GGUF:Q3_K_M
        ${qwen35_ctx_256k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_on}
@@ -229,7 +207,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-9B-GGUF:Q3_K_M
        ${qwen35_ctx_256k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_off}
@@ -238,7 +215,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-27B-GGUF:Q3_K_M
        ${qwen35_ctx_256k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_on}
@@ -247,14 +223,6 @@ models:
    cmd: |
      /app/llama-server
        -hf unsloth/Qwen3.5-27B-GGUF:Q3_K_M
        ${qwen35_ctx_256k}
        ${qwen35_sampling}
        ${common_args}
        ${thinking_off}
  "GLM-4.7-Flash-GGUF:Q4_K_M":
    cmd: |
      /app/llama-server
        -hf unsloth/GLM-4.7-Flash-GGUF:Q4_K_M
        ${glm47_flash_args}
        ${common_args}
--- a/apps/llama/deployment.yaml
+++ b/apps/llama/deployment.yaml
@@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: llama-swap
-          image: ghcr.io/mostlygeek/llama-swap:v199-vulkan-b8576
+          image: ghcr.io/mostlygeek/llama-swap:v197-vulkan-b8248
          imagePullPolicy: IfNotPresent
          command:
            - /app/llama-swap
--- a/apps/openwebui/kustomization.yaml
+++ b/apps/openwebui/kustomization.yaml
@@ -4,6 +4,5 @@ resources:
  - namespace.yaml
  - pvc.yaml
  - pvc-pipelines.yaml
  - secret.yaml
  - release.yaml
  - ingress.yaml
--- a/apps/openwebui/release.yaml
+++ b/apps/openwebui/release.yaml
@@ -18,7 +18,7 @@ spec:
  chart:
    spec:
      chart: open-webui
-      version: 12.13.0
+      version: 12.10.0
      sourceRef:
        kind: HelmRepository
        name: open-webui
@@ -44,30 +44,3 @@ spec:
      persistence:
        enabled: true
        existingClaim: openwebui-pipelines-lvmhdd
    # SSO with Authentik
    extraEnvVars:
      - name: WEBUI_URL
        value: "https://openwebui.lumpiasty.xyz"
      - name: OAUTH_CLIENT_ID
        valueFrom:
          secretKeyRef:
            name: openwebui-authentik
            key: client_id
      - name: OAUTH_CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            name: openwebui-authentik
            key: client_secret
      - name: OAUTH_PROVIDER_NAME
        value: "authentik"
      - name: OPENID_PROVIDER_URL
        value: "https://authentik.lumpiasty.xyz/application/o/open-web-ui/.well-known/openid-configuration"
      - name: OPENID_REDIRECT_URI
        value: "https://openwebui.lumpiasty.xyz/oauth/oidc/callback"
      - name: ENABLE_OAUTH_SIGNUP
        value: "true"
      - name: ENABLE_LOGIN_FORM
        value: "false"
      - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
        value: "true"
--- a/apps/openwebui/secret.yaml
+++ b/apps/openwebui/secret.yaml
@@ -1,43 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: openwebui-secret
  namespace: openwebui
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: openwebui
  namespace: openwebui
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: openwebui
    serviceAccount: openwebui-secret
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: openwebui-authentik
  namespace: openwebui
 spec:
  type: kv-v2
  mount: secret
  path: authentik/openwebui
  destination:
    create: true
    name: openwebui-authentik
    type: Opaque
    transformation:
      excludeRaw: true
      templates:
        client_id:
          text: '{{ get .Secrets "client_id" }}'
        client_secret:
          text: '{{ get .Secrets "client_secret" }}'
  vaultAuthRef: openwebui
--- a/apps/renovate/configmap.yaml
+++ b/apps/renovate/configmap.yaml
@@ -9,4 +9,3 @@ data:
  RENOVATE_ENDPOINT: https://gitea.lumpiasty.xyz/api/v1
  RENOVATE_PLATFORM: gitea
  RENOVATE_GIT_AUTHOR: Renovate Bot <renovate@lumpiasty.xyz>
  RENOVATE_ALLOWED_COMMANDS: '["^node utils/update-garm-cli-hash\\.mjs$", "^node utils/update-garm-image-pin\\.mjs$"]'
--- a/apps/renovate/cronjob.yaml
+++ b/apps/renovate/cronjob.yaml
@@ -15,7 +15,7 @@ spec:
            - name: renovate
              # Update this to the latest available and then enable Renovate on
              # the manifest
-              image: renovate/renovate:43.95.0-full
+              image: renovate/renovate:43.64.6-full
              envFrom:
                - secretRef:
                    name: renovate-gitea-token
--- a/devenv.lock
+++ b/devenv.lock
@@ -3,11 +3,10 @@
    "devenv": {
      "locked": {
        "dir": "src/modules",
-        "lastModified": 1773504385,
+        "lastModified": 1769881431,
        "narHash": "sha256-ANaeR+xVHxjGz36VI4qlZUbdhrlSE0xU7O7AUJKw3zU=",
        "owner": "cachix",
        "repo": "devenv",
-        "rev": "4bce49e6f60c69e99eeb643efbbf74125cefd329",
+        "rev": "72d5e66e2dd5112766ef4c9565872b51094b542d",
        "type": "github"
      },
      "original": {
@@ -17,13 +16,27 @@
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
        "owner": "NixOS",
        "repo": "flake-compat",
        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
@@ -35,6 +48,47 @@
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1769069492,
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1762808025,
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "cb5e3fdca1de58ccbc3ef53de65bd372b48f567c",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "krew2nix": {
      "inputs": {
        "flake-utils": "flake-utils",
@@ -45,11 +99,10 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1773451905,
+        "lastModified": 1769904483,
        "narHash": "sha256-S/bukFEwbOYQbnR5UpciwYA42aEt1w5LK73GwARhsaA=",
        "owner": "a1994sc",
        "repo": "krew2nix",
-        "rev": "bc779a8cf59ebf76ae60556bfe2d781a0a4cdbd9",
+        "rev": "17d6ad3375899bd3f7d4d298481536155f3ec13c",
        "type": "github"
      },
      "original": {
@@ -60,11 +113,10 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1773389992,
+        "lastModified": 1769461804,
        "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c06b4ae3d6599a672a6210b7021d699c351eebda",
+        "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
        "type": "github"
      },
      "original": {
@@ -77,14 +129,17 @@
    "root": {
      "inputs": {
        "devenv": "devenv",
        "git-hooks": "git-hooks",
        "krew2nix": "krew2nix",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
        "pre-commit-hooks": [
          "git-hooks"
        ]
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -99,7 +154,6 @@
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
@@ -119,11 +173,10 @@
        ]
      },
      "locked": {
-        "lastModified": 1773297127,
+        "lastModified": 1769691507,
        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
+        "rev": "28b19c5844cc6e2257801d43f2772a4b4c050a1b",
        "type": "github"
      },
      "original": {
@@ -135,4 +188,4 @@
  },
  "root": "root",
  "version": 7
-}
+}
--- a/devenv.nix
+++ b/devenv.nix
@@ -6,8 +6,6 @@ let
    hvac
    librouteros
  ]);
  garm-cli = pkgs.callPackage ./nix/garm-cli.nix { };
 in
 {
  # Overlays - apply krew2nix to get kubectl with krew support
@@ -43,9 +41,6 @@ in
    openbao
    pv-migrate
    mermaid-cli
    opencode
    garm-cli
    tea
  ];
  # Scripts
--- a/docker/garm/Dockerfile
+++ b/docker/garm/Dockerfile
@@ -1,28 +0,0 @@
 FROM golang:1.26-alpine AS build
 ARG GARM_COMMIT
 ARG GARM_PROVIDER_K8S_VERSION=0.3.2
 RUN apk add --no-cache ca-certificates git wget tar build-base util-linux-dev linux-headers
 WORKDIR /src
 RUN git clone https://github.com/cloudbase/garm.git . && git checkout "${GARM_COMMIT}"
 RUN CGO_ENABLED=1 GOOS=linux GOARCH=amd64 \
  go build -trimpath \
  -tags osusergo,netgo,sqlite_omit_load_extension \
  -ldflags="-linkmode external -extldflags '-static' -s -w" \
  -o /out/garm ./cmd/garm
 RUN mkdir -p /out/providers.d \
  && wget -qO /tmp/garm-provider-k8s.tar.gz "https://github.com/mercedes-benz/garm-provider-k8s/releases/download/v${GARM_PROVIDER_K8S_VERSION}/garm-provider-k8s_Linux_x86_64.tar.gz" \
  && tar -xzf /tmp/garm-provider-k8s.tar.gz -C /out/providers.d \
  && chmod 0755 /out/providers.d/garm-provider-k8s
 FROM busybox
 COPY --from=build /out/garm /bin/garm
 COPY --from=build /out/providers.d/garm-provider-k8s /opt/garm/providers.d/garm-provider-k8s
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 ENTRYPOINT ["/bin/garm"]
--- a/infra/controllers/cert-manager-webhook-ovh.yaml
+++ b/infra/controllers/cert-manager-webhook-ovh.yaml
@@ -18,7 +18,7 @@ spec:
  chart:
    spec:
      chart: cert-manager-webhook-ovh
-      version: 0.9.5
+      version: 0.9.4
      sourceRef:
        kind: HelmRepository
        name: cert-manager-webhook-ovh
--- a/infra/controllers/cert-manager.yaml
+++ b/infra/controllers/cert-manager.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: cert-manager
-      version: v1.20.1
+      version: v1.20.0
      sourceRef:
        kind: HelmRepository
        name: cert-manager
--- a/infra/controllers/cilium.yaml
+++ b/infra/controllers/cilium.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: cilium
-      version: 1.19.2
+      version: 1.19.1
      sourceRef:
        kind: HelmRepository
        name: cilium
--- a/infra/controllers/cloudnative-pg.yaml
+++ b/infra/controllers/cloudnative-pg.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: cloudnative-pg
-      version: 0.28.0
+      version: 0.27.1
      sourceRef:
        kind: HelmRepository
        name: cnpg
--- a/infra/controllers/k8up.yaml
+++ b/infra/controllers/k8up.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: k8up
-      version: 4.9.0
+      version: 4.8.6
      sourceRef:
        kind: HelmRepository
        name: k8up-io
--- a/infra/controllers/nginx-ingress.yaml
+++ b/infra/controllers/nginx-ingress.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: ingress-nginx
-      version: 4.15.1
+      version: 4.15.0
      sourceRef:
        kind: HelmRepository
        name: ingress-nginx
--- a/infra/controllers/openbao.yaml
+++ b/infra/controllers/openbao.yaml
@@ -23,7 +23,7 @@ spec:
  chart:
    spec:
      chart: openbao
-      version: 0.26.2
+      version: 0.25.7
      sourceRef:
        kind: HelmRepository
        name: openbao
--- a/monke/gpt-researcher.yaml
+++ b/monke/gpt-researcher.yaml
@@ -0,0 +1,16 @@
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: tavily
  namespace: gpt-researcher
 stringData:
  TAVILY_API_KEY: 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
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: openrouter
  namespace: gpt-researcher
 stringData:
  OPENROUTER_API_KEY: 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
--- a/nix/garm-cli.nix
+++ b/nix/garm-cli.nix
@@ -1,45 +0,0 @@
 { lib, buildGoModule, fetchFromGitHub, installShellFiles }:
 buildGoModule rec {
  pname = "garm-cli";
  version = "r1380";
  garmCommit = "818a9dddccba5f2843f185e6a846770988f31fc5";
  src = fetchFromGitHub {
    owner = "cloudbase";
    repo = "garm";
    rev = garmCommit;
    hash = "sha256-CTqqabNYUMSrmnQVCWml1/vkDw+OP1uJo1KFhBSZpYY=";
  };
  subPackages = [ "cmd/garm-cli" ];
  nativeBuildInputs = [ installShellFiles ];
  vendorHash = null;
  ldflags = [
    "-s"
    "-w"
    "-X main.version=${version}"
  ];
  postInstall = ''
    # We need to set a temporary HOME for the completion scripts as workaround
    # because garm-cli tries to write config to the home directory
    # when generating the completion scripts
    export HOME="$(mktemp -d)"
    installShellCompletion --cmd garm-cli \
      --bash <($out/bin/garm-cli completion bash) \
      --fish <($out/bin/garm-cli completion fish) \
      --zsh <($out/bin/garm-cli completion zsh)
  '';
  meta = {
    description = "CLI for GitHub Actions Runner Manager";
    homepage = "https://github.com/cloudbase/garm";
    license = lib.licenses.asl20;
    mainProgram = "garm-cli";
  };
 }
--- a/renovate.json
+++ b/renovate.json
@@ -10,57 +10,8 @@
      "gotk-components\\.ya?ml$"
    ]
  },
  "customManagers": [
    {
      "customType": "regex",
      "description": "Track garm-cli pinned main commit",
      "managerFilePatterns": ["^nix/garm-cli\\.nix$"],
      "matchStrings": ["garmCommit = \\\"(?<currentValue>[a-f0-9]{40})\\\";"],
      "depNameTemplate": "cloudbase/garm",
      "datasourceTemplate": "github-refs",
      "versioningTemplate": "git"
    },
    {
      "customType": "regex",
      "description": "Track garm-provider-k8s release in garm image Dockerfile",
      "managerFilePatterns": ["^docker/garm/Dockerfile$"],
      "matchStrings": ["ARG GARM_PROVIDER_K8S_VERSION=(?<currentValue>[0-9]+\\.[0-9]+\\.[0-9]+)"],
      "depNameTemplate": "mercedes-benz/garm-provider-k8s",
      "datasourceTemplate": "github-releases",
      "versioningTemplate": "semver"
    },
    {
      "customType": "regex",
      "description": "Track pinned garm main commit",
      "managerFilePatterns": ["^apps/garm/image-source\\.env$"],
      "matchStrings": ["GARM_COMMIT=(?<currentValue>[a-f0-9]{40})"],
      "depNameTemplate": "cloudbase/garm",
      "datasourceTemplate": "github-refs",
      "versioningTemplate": "git"
    }
  ],
  "prHourlyLimit": 9,
  "packageRules": [
    {
      "matchManagers": ["custom.regex"],
      "matchDepNames": ["cloudbase/garm"],
      "matchFileNames": ["nix/garm-cli.nix"],
      "postUpgradeTasks": {
        "commands": ["node utils/update-garm-cli-hash.mjs"],
        "fileFilters": ["nix/garm-cli.nix"],
        "executionMode": "update"
      }
    },
    {
      "matchManagers": ["custom.regex"],
      "matchDepNames": ["cloudbase/garm"],
      "matchFileNames": ["apps/garm/image-source.env"],
      "postUpgradeTasks": {
        "commands": ["node utils/update-garm-image-pin.mjs"],
        "fileFilters": ["apps/garm/image-source.env", "apps/garm/deployment.yaml"],
        "executionMode": "update"
      }
    },
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["ghcr.io/mostlygeek/llama-swap"],
--- a/utils/update-garm-cli-hash.mjs
+++ b/utils/update-garm-cli-hash.mjs
@@ -1,320 +0,0 @@
 import { createHash } from "node:crypto";
 import { Buffer } from "node:buffer";
 import fs from "node:fs";
 import https from "node:https";
 import zlib from "node:zlib";
 const nixFile = "nix/garm-cli.nix";
 function die(message) {
  console.error(message);
  process.exit(1);
 }
 function readText(filePath) {
  try {
    return fs.readFileSync(filePath, "utf8");
  } catch {
    die(`Missing ${filePath}`);
  }
 }
 function extractVersion(text) {
  const match = text.match(/^\s*version\s*=\s*"([^"]+)";/m);
  if (!match) {
    die(`Unable to extract version from ${nixFile}`);
  }
  return match[1];
 }
 function extractCommit(text) {
  const match = text.match(/^\s*garmCommit\s*=\s*"([a-f0-9]{40})";/m);
  return match ? match[1] : null;
 }
 function writeU64LE(hash, value) {
  const buf = Buffer.alloc(8);
  buf.writeBigUInt64LE(BigInt(value), 0);
  hash.update(buf);
 }
 function writeNarString(hash, data) {
  writeU64LE(hash, data.length);
  hash.update(data);
  const pad = (8 - (data.length % 8)) % 8;
  if (pad) {
    hash.update(Buffer.alloc(pad));
  }
 }
 function writeNarText(hash, text) {
  writeNarString(hash, Buffer.from(text, "utf8"));
 }
 function parseOctal(field) {
  const clean = field.toString("ascii").replace(/\0.*$/, "").trim();
  if (!clean) {
    return 0;
  }
  return Number.parseInt(clean, 8);
 }
 function parseTarHeader(block) {
  const name = block.subarray(0, 100).toString("utf8").replace(/\0.*$/, "");
  const mode = parseOctal(block.subarray(100, 108));
  const size = parseOctal(block.subarray(124, 136));
  const typeflagRaw = block[156];
  const typeflag = typeflagRaw === 0 ? "0" : String.fromCharCode(typeflagRaw);
  const linkname = block.subarray(157, 257).toString("utf8").replace(/\0.*$/, "");
  const prefix = block.subarray(345, 500).toString("utf8").replace(/\0.*$/, "");
  return {
    name: prefix ? `${prefix}/${name}` : name,
    mode,
    size,
    typeflag,
    linkname,
  };
 }
 function parsePax(data) {
  const out = {};
  let i = 0;
  while (i < data.length) {
    let sp = i;
    while (sp < data.length && data[sp] !== 0x20) sp += 1;
    if (sp >= data.length) break;
    const len = Number.parseInt(data.subarray(i, sp).toString("utf8"), 10);
    if (!Number.isFinite(len) || len <= 0) break;
    const record = data.subarray(sp + 1, i + len).toString("utf8");
    const eq = record.indexOf("=");
    if (eq > 0) {
      const key = record.slice(0, eq);
      const value = record.slice(eq + 1).replace(/\n$/, "");
      out[key] = value;
    }
    i += len;
  }
  return out;
 }
 function parseTarEntries(archiveBuffer) {
  const gz = zlib.gunzipSync(archiveBuffer);
  const entries = [];
  let i = 0;
  let pendingPax = null;
  let longName = null;
  let longLink = null;
  while (i + 512 <= gz.length) {
    const header = gz.subarray(i, i + 512);
    i += 512;
    if (header.every((b) => b === 0)) {
      break;
    }
    const h = parseTarHeader(header);
    const data = gz.subarray(i, i + h.size);
    const dataPad = (512 - (h.size % 512)) % 512;
    i += h.size + dataPad;
    if (h.typeflag === "x") {
      pendingPax = parsePax(data);
      continue;
    }
    if (h.typeflag === "g") {
      continue;
    }
    if (h.typeflag === "L") {
      longName = data.toString("utf8").replace(/\0.*$/, "");
      continue;
    }
    if (h.typeflag === "K") {
      longLink = data.toString("utf8").replace(/\0.*$/, "");
      continue;
    }
    const path = pendingPax?.path ?? longName ?? h.name;
    const linkpath = pendingPax?.linkpath ?? longLink ?? h.linkname;
    entries.push({
      path,
      typeflag: h.typeflag,
      mode: h.mode,
      linkname: linkpath,
      data,
    });
    pendingPax = null;
    longName = null;
    longLink = null;
  }
  return entries;
 }
 function stripTopDir(path) {
  const cleaned = path.replace(/^\.?\//, "").replace(/\/$/, "");
  const idx = cleaned.indexOf("/");
  if (idx === -1) return "";
  return cleaned.slice(idx + 1);
 }
 function ensureDir(root, relPath) {
  if (!relPath) return root;
  const parts = relPath.split("/").filter(Boolean);
  let cur = root;
  for (const part of parts) {
    let child = cur.children.get(part);
    if (!child) {
      child = { kind: "directory", children: new Map() };
      cur.children.set(part, child);
    }
    if (child.kind !== "directory") {
      die(`Path conflict while building tree at ${relPath}`);
    }
    cur = child;
  }
  return cur;
 }
 function buildTree(entries) {
  const root = { kind: "directory", children: new Map() };
  for (const entry of entries) {
    const rel = stripTopDir(entry.path);
    if (!rel) {
      continue;
    }
    const parts = rel.split("/").filter(Boolean);
    const name = parts.pop();
    const parent = ensureDir(root, parts.join("/"));
    if (entry.typeflag === "5") {
      const existing = parent.children.get(name);
      if (!existing) {
        parent.children.set(name, { kind: "directory", children: new Map() });
      } else if (existing.kind !== "directory") {
        die(`Path conflict at ${rel}`);
      }
      continue;
    }
    if (entry.typeflag === "2") {
      parent.children.set(name, { kind: "symlink", target: entry.linkname });
      continue;
    }
    if (entry.typeflag === "0") {
      parent.children.set(name, {
        kind: "regular",
        executable: (entry.mode & 0o111) !== 0,
        contents: Buffer.from(entry.data),
      });
      continue;
    }
  }
  return root;
 }
 function compareUtf8(a, b) {
  return Buffer.from(a, "utf8").compare(Buffer.from(b, "utf8"));
 }
 function narDump(hash, node) {
  if (node.kind === "directory") {
    writeNarText(hash, "(");
    writeNarText(hash, "type");
    writeNarText(hash, "directory");
    const names = [...node.children.keys()].sort(compareUtf8);
    for (const name of names) {
      writeNarText(hash, "entry");
      writeNarText(hash, "(");
      writeNarText(hash, "name");
      writeNarString(hash, Buffer.from(name, "utf8"));
      writeNarText(hash, "node");
      narDump(hash, node.children.get(name));
      writeNarText(hash, ")");
    }
    writeNarText(hash, ")");
    return;
  }
  if (node.kind === "symlink") {
    writeNarText(hash, "(");
    writeNarText(hash, "type");
    writeNarText(hash, "symlink");
    writeNarText(hash, "target");
    writeNarString(hash, Buffer.from(node.target, "utf8"));
    writeNarText(hash, ")");
    return;
  }
  writeNarText(hash, "(");
  writeNarText(hash, "type");
  writeNarText(hash, "regular");
  if (node.executable) {
    writeNarText(hash, "executable");
    writeNarText(hash, "");
  }
  writeNarText(hash, "contents");
  writeNarString(hash, node.contents);
  writeNarText(hash, ")");
 }
 function fetchBuffer(url) {
  return new Promise((resolve, reject) => {
    https
      .get(url, (res) => {
        if (res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
          const redirectUrl = new URL(res.headers.location, url).toString();
          res.resume();
          fetchBuffer(redirectUrl).then(resolve, reject);
          return;
        }
        if (!res.statusCode || res.statusCode < 200 || res.statusCode >= 300) {
          reject(new Error(`Failed to fetch ${url}: ${res.statusCode ?? "unknown"}`));
          res.resume();
          return;
        }
        const chunks = [];
        res.on("data", (chunk) => chunks.push(chunk));
        res.on("end", () => resolve(Buffer.concat(chunks)));
      })
      .on("error", reject);
  });
 }
 function computeSRIFromGitHubTar(ref) {
  const url = `https://github.com/cloudbase/garm/archive/${ref}.tar.gz`;
  return fetchBuffer(url).then((archive) => {
      const entries = parseTarEntries(archive);
      const root = buildTree(entries);
      const hash = createHash("sha256");
      writeNarText(hash, "nix-archive-1");
      narDump(hash, root);
      return `sha256-${hash.digest("base64")}`;
    });
 }
 function updateHash(text, sri) {
  const pattern = /(^\s*hash\s*=\s*")sha256-[^"]+(";)/m;
  if (!pattern.test(text)) {
    die(`Unable to update hash in ${nixFile}`);
  }
  const next = text.replace(pattern, `$1${sri}$2`);
  return next;
 }
 async function main() {
  const text = readText(nixFile);
  const version = extractVersion(text);
  const commit = extractCommit(text);
  const ref = commit ?? `v${version}`;
  const sri = await computeSRIFromGitHubTar(ref);
  const updated = updateHash(text, sri);
  fs.writeFileSync(nixFile, updated, "utf8");
  console.log(`Updated ${nixFile} hash to ${sri}`);
 }
 main().catch((err) => die(err.message));
--- a/utils/update-garm-image-pin.mjs
+++ b/utils/update-garm-image-pin.mjs
@@ -1,91 +0,0 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { execFileSync } from "node:child_process";
 const pinFile = "apps/garm/image-source.env";
 const deploymentFile = "apps/garm/deployment.yaml";
 function fail(message) {
  console.error(message);
  process.exit(1);
 }
 function parseEnvFile(content) {
  const vars = {};
  for (const line of content.split(/\r?\n/)) {
    if (!line || line.startsWith("#")) {
      continue;
    }
    const idx = line.indexOf("=");
    if (idx === -1) {
      continue;
    }
    const key = line.slice(0, idx).trim();
    const value = line.slice(idx + 1).trim();
    vars[key] = value;
  }
  return vars;
 }
 function updateOrAdd(content, key, value) {
  const pattern = new RegExp(`^${key}=.*$`, "m");
  if (pattern.test(content)) {
    return content.replace(pattern, `${key}=${value}`);
  }
  return `${content.trimEnd()}\n${key}=${value}\n`;
 }
 function gitOut(args, options = {}) {
  return execFileSync("git", args, {
    encoding: "utf8",
    ...options,
  }).trim();
 }
 function gitRun(args, options = {}) {
  execFileSync("git", args, options);
 }
 const pinContent = fs.readFileSync(pinFile, "utf8");
 const vars = parseEnvFile(pinContent);
 const commit = vars.GARM_COMMIT;
 const imageRepo = vars.GARM_IMAGE_REPO || "gitea.lumpiasty.xyz/lumpiasty/garm-k8s";
 if (!commit || !/^[0-9a-f]{40}$/.test(commit)) {
  fail(`Invalid or missing GARM_COMMIT in ${pinFile}`);
 }
 const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "garm-main-"));
 let commitNumber;
 try {
  gitRun(["clone", "--filter=blob:none", "https://github.com/cloudbase/garm.git", tmpDir], {
    stdio: "ignore",
  });
  commitNumber = gitOut(["-C", tmpDir, "rev-list", "--count", commit]);
 } finally {
  fs.rmSync(tmpDir, { recursive: true, force: true });
 }
 if (!/^\d+$/.test(commitNumber)) {
  fail(`Unable to resolve commit number for ${commit}`);
 }
 const image = `${imageRepo}:r${commitNumber}`;
 let nextPin = pinContent;
 nextPin = updateOrAdd(nextPin, "GARM_COMMIT_NUMBER", commitNumber);
 nextPin = updateOrAdd(nextPin, "GARM_IMAGE_REPO", imageRepo);
 nextPin = updateOrAdd(nextPin, "GARM_IMAGE", image);
 fs.writeFileSync(pinFile, nextPin, "utf8");
 const deployment = fs.readFileSync(deploymentFile, "utf8");
 const imagePattern = /image:\s*(?:ghcr\.io\/cloudbase\/garm:[^\s]+|gitea\.lumpiasty\.xyz\/(?:Lumpiasty|lumpiasty)\/garm(?:-k8s)?:[^\s]+)/;
 if (!imagePattern.test(deployment)) {
  fail(`Unable to update garm image in ${deploymentFile}`);
 }
 const updatedDeployment = deployment.replace(imagePattern, `image: ${image}`);
 fs.writeFileSync(deploymentFile, updatedDeployment, "utf8");
 console.log(`Pinned garm image to ${image}`);
--- a/vault/kubernetes-roles/authentik.yaml
+++ b/vault/kubernetes-roles/authentik.yaml
@@ -1,6 +0,0 @@
 bound_service_account_names:
  - authentik-secret
 bound_service_account_namespaces:
  - authentik
 token_policies:
  - authentik
--- a/vault/kubernetes-roles/crawl4ai.yaml
+++ b/vault/kubernetes-roles/crawl4ai.yaml
@@ -1,6 +0,0 @@
 bound_service_account_names:
  - crawl4ai-secret
 bound_service_account_namespaces:
  - crawl4ai
 token_policies:
  - crawl4ai
--- a/vault/kubernetes-roles/garm.yaml
+++ b/vault/kubernetes-roles/garm.yaml
@@ -1,6 +0,0 @@
 bound_service_account_names:
  - garm
 bound_service_account_namespaces:
  - garm
 token_policies:
  - garm
--- a/vault/kubernetes-roles/openwebui.yaml
+++ b/vault/kubernetes-roles/openwebui.yaml
@@ -1,6 +0,0 @@
 bound_service_account_names:
  - openwebui-secret
 bound_service_account_namespaces:
  - openwebui
 token_policies:
  - openwebui
--- a/vault/policy/authentik.hcl
+++ b/vault/policy/authentik.hcl
@@ -1,3 +0,0 @@
 path "secret/data/authentik" {
    capabilities = ["read"]
 }
--- a/vault/policy/crawl4ai.hcl
+++ b/vault/policy/crawl4ai.hcl
@@ -1,3 +0,0 @@
 path "secret/data/crawl4ai" {
    capabilities = ["read"]
 }
--- a/vault/policy/garm.hcl
+++ b/vault/policy/garm.hcl
@@ -1,7 +0,0 @@
 path "secret/data/garm" {
    capabilities = ["read"]
 }
 path "secret/data/backblaze" {
    capabilities = ["read"]
 }
--- a/vault/policy/openwebui.hcl
+++ b/vault/policy/openwebui.hcl
@@ -1,3 +0,0 @@
 path "secret/data/authentik/openwebui" {
    capabilities = ["read"]
 }