Update renovate/renovate Docker tag to v41.17.0

Reviewed-on: #39

.vscode/extensions.json

@@ -1,3 +1,7 @@
 {
-  "recommendations": ["arrterian.nix-env-selector", "jnoortheen.nix-ide"]
+  "recommendations": [
+    "arrterian.nix-env-selector",
+    "jnoortheen.nix-ide",
+    "detachhead.basedpyright"
+  ]
 }

.vscode/settings.json

@@ -8,5 +8,6 @@
     }
   },
   "terminal.integrated.defaultProfile.linux": "Nix Shell",
-  "ansible.python.interpreterPath": "/bin/python"
+  "ansible.python.interpreterPath": "/bin/python",
+  "python.defaultInterpreterPath": "${env:PYTHON_BIN}"
 }

apps/frigate/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - secret.yaml
+  - release.yaml
+  - webrtc-svc.yaml

apps/frigate/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: frigate

apps/frigate/release.yaml

@@ -0,0 +1,100 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: blakeblackshear
+  namespace: frigate
+spec:
+  interval: 24h
+  url: https://blakeblackshear.github.io/blakeshome-charts/
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: frigate
+  namespace: frigate
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: frigate
+      version: 7.8.0
+      sourceRef:
+        kind: HelmRepository
+        name: blakeblackshear
+        namespace: frigate
+      interval: 12h
+  values:
+    config: |
+      mqtt:
+        enabled: False
+
+      tls:
+        enabled: False
+
+      auth:
+        enabled: True
+        cookie_secure: True
+
+      record:
+        enabled: True
+        retain:
+          days: 90
+          mode: motion
+
+      cameras:
+        dom:
+          enabled: True
+          ffmpeg:
+            inputs:
+              - path: rtsp://{FRIGATE_RTSP_DOM_USER}:{FRIGATE_RTSP_DOM_PASSWORD}@192.168.3.10:554/Streaming/Channels/101
+                roles:
+                  - audio
+                  - detect
+                  - record
+        garaz:
+          enabled: True
+          ffmpeg:
+            inputs:
+              - path: rtsp://{FRIGATE_RTSP_GARAZ_USER}:{FRIGATE_RTSP_GARAZ_PASSWORD}@192.168.3.11:554/Streaming/Channels/101
+                roles:
+                  - audio
+                  - detect
+                  - record
+
+      go2rtc:
+        streams:
+          dom:
+            - rtsp://{FRIGATE_RTSP_DOM_USER}:{FRIGATE_RTSP_DOM_PASSWORD_URLENCODED}@192.168.3.10:554/Streaming/Channels/101
+          garaz:
+            - rtsp://{FRIGATE_RTSP_GARAZ_USER}:{FRIGATE_RTSP_GARAZ_PASSWORD_URLENCODED}@192.168.3.11:554/Streaming/Channels/101
+        webrtc:
+          candidates:
+            - frigate-rtc.lumpiasty.xyz:8555
+    persistence:
+      media:
+        enabled: true
+        size: 100Gi
+        storageClass: mayastor-single-hdd
+        skipuninstall: true
+      config:
+        enabled: true
+        size: 100Mi
+        storageClass: mayastor-single-hdd
+        skipuninstall: true
+    envFromSecrets:
+      - frigate-camera-rtsp
+
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+        nginx.org/websocket-services: frigate
+      hosts:
+        - host: frigate.lumpiasty.xyz
+          paths:
+            - path: /
+              portName: http-auth
+      tls:
+        - hosts:
+            - frigate.lumpiasty.xyz
+          secretName: frigate-ingress

apps/frigate/secret.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: camera
+  namespace: frigate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: camera
+  namespace: frigate
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: frigate-camera
+    serviceAccount: camera
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: frigate-camera-rtsp
+  namespace: frigate
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: cameras
+
+  destination:
+    create: true
+    name: frigate-camera-rtsp
+    type: Opaque
+    transformation:
+      excludeRaw: true
+      templates:
+        FRIGATE_RTSP_DOM_PASSWORD_URLENCODED:
+          text: '{{ urlquery (get .Secrets "FRIGATE_RTSP_DOM_PASSWORD") }}'
+        FRIGATE_RTSP_GARAZ_PASSWORD_URLENCODED:
+          text: '{{ urlquery (get .Secrets "FRIGATE_RTSP_GARAZ_PASSWORD") }}'
+
+  vaultAuthRef: camera

apps/frigate/webrtc-svc.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: go2rtc
+  namespace: frigate
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/instance: frigate
+    app.kubernetes.io/name: frigate
+  ipFamilyPolicy: RequireDualStack
+  ports:
+    - name: webrtc-tcp
+      protocol: TCP
+      port: 8555
+      targetPort: webrtc-tcp
+    - name: webrtc-udp
+      protocol: UDP
+      port: 8555
+      targetPort: webrtc-udp

apps/gitea/backups.yaml

@@ -0,0 +1,33 @@
+apiVersion: k8up.io/v1
+kind: Schedule
+metadata:
+  name: gitea-backup
+  namespace: gitea
+spec:
+  backend:
+    # Manually adding secrets for now
+    repoPasswordSecretRef:
+      name: gitea-backup-restic
+      key: password
+    s3:
+      endpoint: https://s3.eu-central-003.backblazeb2.com
+      bucket: lumpiasty-backups
+      accessKeyIDSecretRef:
+        name: gitea-backup-backblaze
+        key: aws_access_key_id
+      secretAccessKeySecretRef:
+        name: gitea-backup-backblaze
+        key: aws_secret_access_key
+  backup:
+    schedule: "@daily-random"
+    failedJobsHistoryLimit: 2
+    successfulJobsHistoryLimit: 2
+  check:
+    schedule: "@daily-random"
+  prune:
+    schedule: "@daily-random"
+    retention:
+      keepLast: 14
+      keepDaily: 14
+      keepWeekly: 50
+      keepYearly: 10

apps/gitea/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - postgres-cluster.yaml
+  - release.yaml
+  - secret.yaml
+  - backups.yaml

apps/gitea/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea

apps/gitea/postgres-cluster.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: gitea-postgresql-cluster
+  namespace: gitea
+spec:
+  instances: 1
+
+  storage:
+    size: 10Gi
+    storageClass: mayastor-single-hdd

apps/gitea/release.yaml

@@ -1,9 +1,3 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: gitea
----
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
@@ -23,7 +17,7 @@ spec:
   chart:
     spec:
       chart: gitea
-      version: 10.6.0
+      version: 12.1.1
       sourceRef:
         kind: HelmRepository
         name: gitea-charts
@@ -34,7 +28,7 @@ spec:
       enabled: false
 
     postgresql:
-      enabled: true
+      enabled: false
       primary:
         persistence:
           enabled: true
@@ -43,12 +37,12 @@ spec:
           requests:
             cpu: 0
 
-    redis-cluster:
+    valkey-cluster:
       enabled: false
 
-    redis:
+    valkey:
       enabled: true
-      master:
+      primary:
         persistence:
           enabled: true
           storageClass: mayastor-single-hdd
@@ -60,13 +54,19 @@ spec:
       enabled: true
       storageClass: mayastor-single-hdd
 
-    image:
-      tag: 1.23.3
-
     gitea:
+      additionalConfigFromEnvs:
+        - name: GITEA__DATABASE__PASSWD
+          valueFrom:
+            secretKeyRef:
+              name: gitea-postgresql-cluster-app
+              key: password
       config:
         database:
           DB_TYPE: postgres
+          HOST: gitea-postgresql-cluster-rw:5432
+          NAME: app
+          USER: app
         indexer:
           ISSUE_INDEXER_TYPE: bleve
           REPO_INDEXER_ENABLED: true
@@ -111,37 +111,3 @@ spec:
       resources:
         requests:
           cpu: 0
----
-apiVersion: k8up.io/v1
-kind: Schedule
-metadata:
-  name: gitea-backup
-  namespace: gitea
-spec:
-  backend:
-    # Manually adding secrets for now
-    repoPasswordSecretRef:
-      name: restic-repo
-      key: password
-    s3:
-      endpoint: https://s3.eu-central-003.backblazeb2.com
-      bucket: lumpiasty-backups
-      accessKeyIDSecretRef:
-        name: backblaze
-        key: keyid
-      secretAccessKeySecretRef:
-        name: backblaze
-        key: secret
-  backup:
-    schedule: "@daily-random"
-    failedJobsHistoryLimit: 2
-    successfulJobsHistoryLimit: 2
-  check:
-    schedule: "@daily-random"
-  prune:
-    schedule: "@daily-random"
-    retention:
-      keepLast: 14
-      keepDaily: 14
-      keepWeekly: 50
-      keepYearly: 10

apps/gitea/secret.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: backup
+  namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: backup
+  namespace: gitea
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: backup
+    serviceAccount: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-restic
+  namespace: gitea
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: restic
+
+  destination:
+    create: true
+    name: gitea-backup-restic
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-backblaze
+  namespace: gitea
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: backblaze
+
+  destination:
+    create: true
+    name: gitea-backup-backblaze
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: backup

apps/kustomization.yaml

@@ -1,5 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - gitea.yaml
-  - renovate.yaml
+  - gitea
+  - registry
+  - renovate
+  - ollama
+  - librechat
+  - frigate

apps/librechat/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - release.yaml

apps/librechat/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: librechat

apps/librechat/release.yaml

@@ -0,0 +1,90 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: bat-librechat
+  namespace: librechat
+spec:
+  interval: 24h
+  url: https://charts.blue-atlas.de
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: librechat
+  namespace: librechat
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: librechat
+      version: 1.8.10
+      sourceRef:
+        kind: HelmRepository
+        name: bat-librechat
+  values:
+    global:
+      librechat:
+        existingSecretName: librechat
+    librechat:
+      configEnv:
+        PLUGIN_MODELS: null
+        ALLOW_REGISTRATION: "false"
+        TRUST_PROXY: "1"
+        DOMAIN_CLIENT: https://librechat.lumpiasty.xyz
+        SEARCH: "true"
+      existingSecretName: librechat
+      configYamlContent: |
+        version: 1.0.3
+
+        endpoints:
+          custom:
+            - name: "Ollama"
+              apiKey: "ollama"
+              baseURL: "http://ollama.ollama.svc.cluster.local:11434/v1/chat/completions" 
+              models:
+                default: [
+                  "llama2",
+                  "mistral",
+                  "codellama",
+                  "dolphin-mixtral",
+                  "mistral-openorca"
+                  ]
+                # fetching list of models is supported but the `name` field must start
+                # with `ollama` (case-insensitive), as it does in this example.
+                fetch: true
+              titleConvo: true
+              titleModel: "current_model"
+              summarize: false
+              summaryModel: "current_model"
+              forcePrompt: false
+              modelDisplayLabel: "Ollama"
+      imageVolume:
+        enabled: true
+        size: 10G
+        accessModes: ReadWriteOnce
+        storageClassName: mayastor-single-hdd
+    ingress:
+      enabled: true
+      className: nginx
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+      hosts:
+        - host: librechat.lumpiasty.xyz
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      tls:
+        - hosts:
+            - librechat.lumpiasty.xyz
+          secretName: librechat-ingress
+
+    mongodb:
+      persistence:
+        storageClass: mayastor-single-hdd
+
+    meilisearch:
+      persistence:
+        storageClass: mayastor-single-hdd
+      auth:
+        existingMasterKeySecret: librechat

apps/ollama/auth-proxy.yaml

@@ -0,0 +1,68 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ollama-proxy
+  namespace: ollama
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: ollama-proxy
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: ollama-proxy
+    spec:
+      containers:
+        - name: caddy
+          image: caddy:2.10.0-alpine
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /etc/caddy
+              name: proxy-config
+          env:
+            - name: API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ollama-api-key
+                  key: API_KEY
+      volumes:
+        - name: proxy-config
+          configMap:
+            name: ollama-proxy-config
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: ollama
+  name: ollama-proxy-config
+data:
+  Caddyfile: |
+    http://ollama.lumpiasty.xyz {
+
+      @requireAuth {
+        not header Authorization "Bearer {env.API_KEY}"
+      }
+
+      respond @requireAuth "Unauthorized" 401
+
+      reverse_proxy ollama:11434 {
+        flush_interval -1
+      }
+    }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: ollama
+  name: ollama-proxy
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: ollama-proxy
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+      protocol: TCP

apps/ollama/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: ollama
+  name: ollama
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    nginx.ingress.kubernetes.io/proxy-buffering: "false"
+    nginx.org/proxy-read-timeout: 30m
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: ollama.lumpiasty.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: ollama-proxy
+                port:
+                  number: 80
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - ollama.lumpiasty.xyz
+      secretName: ollama-ingress

apps/ollama/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - release.yaml
+  - secret.yaml
+  - auth-proxy.yaml
+  - ingress.yaml

apps/ollama/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ollama

apps/ollama/release.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: ollama-helm
+  namespace: ollama
+spec:
+  interval: 24h
+  url: https://otwld.github.io/ollama-helm/
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ollama
+  namespace: ollama
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: ollama
+      version: 1.21.0
+      sourceRef:
+        kind: HelmRepository
+        name: ollama-helm
+        namespace: ollama
+      interval: 12h
+  values:
+    ollama:
+      gpu:
+        enabled: false
+    persistentVolume:
+      enabled: true
+      storageClass: mayastor-single-hdd
+      size: 200Gi
+    # GPU support
+    # Rewrite of options in
+    # https://hub.docker.com/r/grinco/ollama-amd-apu
+    image:
+      repository: grinco/ollama-amd-apu
+      tag: vulkan
+    securityContext:
+      # Not ideal
+      privileged: true
+      capabilities:
+        add:
+          - PERFMON
+    volumeMounts:
+      - name: kfd
+        mountPath: /dev/kfd
+      - name: dri
+        mountPath: /dev/dri
+    volumes:
+      - name: kfd
+        hostPath:
+          path: /dev/kfd
+          type: CharDevice
+      - name: dri
+        hostPath:
+          path: /dev/dri
+          type: Directory

apps/ollama/secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ollama-proxy
+  namespace: ollama
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: ollama
+  namespace: ollama
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: ollama-proxy
+    serviceAccount: ollama-proxy
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: ollama-api-key
+  namespace: ollama
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: ollama
+
+  destination:
+    create: true
+    name: ollama-api-key
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: ollama

apps/registry/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: registry
+  namespace: registry
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: registry
+  template:
+    metadata:
+      labels:
+        app: registry
+    spec:
+      containers:
+        - name: registry
+          image: registry:3.0.0
+          ports:
+            - containerPort: 5000
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/registry
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: registry-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: registry-service
+  namespace: registry
+spec:
+  selector:
+    app: registry
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 5000

apps/registry/ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: registry
+  name: registry
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.org/client-max-body-size: "0"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: registry.lumpiasty.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: registry-service
+                port:
+                  number: 80
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - registry.lumpiasty.xyz
+      secretName: researcher-ingress

apps/registry/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - volume.yaml
+  - deployment.yaml
+  - ingress.yaml

apps/registry/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: registry

apps/registry/volume.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: registry-data
+  namespace: registry
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 50Gi
+  storageClassName: mayastor-single-hdd

apps/renovate/configmap.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: renovate
+  name: renovate-config
+data:
+  RENOVATE_AUTODISCOVER: "true"
+  RENOVATE_ENDPOINT: https://gitea.lumpiasty.xyz/api/v1
+  RENOVATE_PLATFORM: gitea
+  RENOVATE_GIT_AUTHOR: Renovate Bot <renovate@lumpiasty.xyz>

apps/renovate/cronjob.yaml

@@ -1,9 +1,4 @@
 ---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: renovate
----
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -20,8 +15,10 @@ spec:
             - name: renovate
               # Update this to the latest available and then enable Renovate on
               # the manifest
-              image: renovate/renovate:39.215.2-full
+              image: renovate/renovate:41.17.0-full
               envFrom:
                 - secretRef:
-                    name: renovate-env
+                    name: renovate-gitea-token
+                - configMapRef:
+                    name: renovate-config
           restartPolicy: Never

apps/renovate/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - configmap.yaml
+  - secret.yaml
+  - cronjob.yaml

apps/renovate/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: renovate

apps/renovate/secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: renovate
+  namespace: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: renovate
+  namespace: renovate
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: renovate
+    serviceAccount: renovate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: renovate-gitea-token
+  namespace: renovate
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: renovate
+
+  destination:
+    create: true
+    name: renovate-gitea-token
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: renovate

flake.nix

@@ -19,12 +19,13 @@
                 overlays = [ krew2nix.overlay ];
                 inherit system;
             };
+            python = (pkgs.python313.withPackages (python-pkgs: with python-pkgs; [
+                hvac
+            ]));
         in
             pkgs.mkShell {
                 packages = with pkgs; [
-                    (python313.withPackages (python-pkgs: with python-pkgs; [
-                        hvac
-                    ]))
+                    python
                     vim gnumake
                     talosctl cilium-cli
                     kubectx k9s kubernetes-helm
@@ -53,6 +54,8 @@
 
                 # Add scripts from utils subdir
                 export PATH="$PATH:$(pwd)/utils"
+
+                export PYTHON_BIN=${python}/bin/python
                 '';
             };
     };

infra/configs/ovh-cert-manager-secret.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ovh-credentials
+  namespace: cert-manager
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: cert-manager
+    serviceAccount: ovh-credentials
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: webhook-ovh-credentials
+  namespace: cert-manager
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: ovh-cert-manager
+
+  destination:
+    create: true
+    name: ovh-credentials
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: cert-manager

infra/controllers/cert-manager-webhook-ovh.yaml

@@ -18,7 +18,7 @@ spec:
   chart:
     spec:
       chart: cert-manager-webhook-ovh
-      version: 0.7.3
+      version: 0.7.5
       sourceRef:
         kind: HelmRepository
         name: cert-manager-webhook-ovh

infra/controllers/cert-manager.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: cert-manager
-      version: 1.17.0
+      version: v1.18.1
       sourceRef:
         kind: HelmRepository
         name: cert-manager

infra/controllers/cilium.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: cilium
-      version: 1.17.2
+      version: 1.17.5
       sourceRef:
         kind: HelmRepository
         name: cilium

infra/controllers/cloudnative-pg.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cnpg-system
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cnpg
+  namespace: cnpg-system
+spec:
+  interval: 24h
+  url: https://cloudnative-pg.github.io/charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cnpg
+  namespace: cnpg-system
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cloudnative-pg
+      version: 0.24.0
+      sourceRef:
+        kind: HelmRepository
+        name: cnpg
+        namespace: cnpg-system
+      interval: 12h

infra/controllers/dns-public.yaml

@@ -97,7 +97,7 @@ spec:
           env:
             - name: GOMEMLIMIT
               value: 161MiB
-          image: registry.k8s.io/coredns/coredns:v1.12.0
+          image: registry.k8s.io/coredns/coredns:v1.12.2
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 5

infra/controllers/external-secrets.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: external-secrets
+  namespace: external-secrets
+spec:
+  interval: 24h
+  url: https://charts.external-secrets.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-secrets
+  namespace: external-secrets
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: external-secrets
+      version: 0.16.2
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets
+        namespace: external-secrets
+      interval: 12h
+  values:

infra/controllers/k8up.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: k8up
-      version: 4.8.3
+      version: 4.8.4
       sourceRef:
         kind: HelmRepository
         name: k8up-io

infra/controllers/mongodb-operator.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mongodb
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: mongodb
+  namespace: mongodb
+spec:
+  interval: 24h
+  url: https://mongodb.github.io/helm-charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mongodb-operator
+  namespace: mongodb
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: community-operator
+      version: 0.13.0
+      sourceRef:
+        kind: HelmRepository
+        name: mongodb
+        namespace: mongodb
+  values:
+    operator:
+      watchNamespace: "*"

infra/controllers/nginx.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: nginx-ingress
-      version: 2.0.1
+      version: 2.1.0
       sourceRef:
         kind: HelmRepository
         name: nginx
@@ -54,3 +54,6 @@ spec:
           lbipam.cilium.io/sharing-key: gitea
           lbipam.cilium.io/sharing-cross-namespace: gitea
           lbipam.cilium.io/ips: 10.44.0.0,2001:470:61a3:400::1
+      config:
+        entries:
+          proxy-buffering: "false"

infra/controllers/openbao.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: openbao
-      version: 0.8.1
+      version: 0.16.1
       sourceRef:
         kind: HelmRepository
         name: openbao
@@ -77,3 +77,5 @@ spec:
         storageClass: mayastor-single-hdd
     csi:
       enabled: true
+    injector:
+      affinity: ""

infra/controllers/openebs.yaml

@@ -23,7 +23,7 @@ spec:
   chart:
     spec:
       chart: openebs
-      version: 4.1.3
+      version: 4.3.2
       sourceRef:
         kind: HelmRepository
         name: openebs
@@ -63,7 +63,7 @@ spec:
         # Workaround for crashing io-engine
         # https://github.com/openebs/mayastor/issues/1763#issuecomment-2481922234
         envcontext: "iova-mode=pa"
-        coreList: [2, 3]
+        coreList: [1, 7]
         resources:
           limits:
             cpu: 4
@@ -102,6 +102,25 @@ spec:
             requests:
               cpu: 0
 
+      # Remove antiaffinity, breaks when I set it to 1 replica
+      nats:
+        cluster:
+          enable: true
+          replicas: 3
+        affinity:
+          podAntiAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution: []
+
+    loki:
+      loki:
+        commonConfig:
+          replication_factor: 1
+      singleBinary:
+        replicas: 1
+      minio:
+        replicas: 1
+        mode: standalone
+
     engines:
       local:
         lvm:

infra/controllers/vault-secrets-operator.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault-secrets-operator
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: hashicorp
+  namespace: vault-secrets-operator
+spec:
+  interval: 24h
+  url: https://helm.releases.hashicorp.com
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vault-secrets-operator
+  namespace: vault-secrets-operator
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: vault-secrets-operator
+      version: 0.10.0
+      sourceRef:
+        kind: HelmRepository
+        name: hashicorp
+        namespace: vault-secrets-operator
+      interval: 12h
+  values:
+    defaultVaultConnection:
+      enabled: true
+      address: "https://openbao.lumpiasty.xyz:8200"

infra/diskpools/anapistula-delrosalae-hdd.yaml

@@ -1,4 +1,4 @@
-apiVersion: "openebs.io/v1beta2"
+apiVersion: "openebs.io/v1beta3"
 kind: DiskPool
 metadata:
   name: anapistula-delrosalae-hdd

infra/kustomization.yaml

@@ -10,9 +10,14 @@ resources:
   - controllers/openebs.yaml
   - controllers/k8up.yaml
   - controllers/openbao.yaml
+  - controllers/external-secrets.yaml
+  - controllers/vault-secrets-operator.yaml
+  - controllers/mongodb-operator.yaml
+  - controllers/cloudnative-pg.yaml
   - diskpools/anapistula-delrosalae-hdd.yaml
   - configs/bgp-cluster-config.yaml
   - configs/loadbalancer-ippool.yaml
   - configs/single-hdd-sc.yaml
   - configs/mayastor-snapshotclass.yaml
   - configs/openbao-cert.yaml
+  - configs/ovh-cert-manager-secret.yaml

monke/gpt-researcher.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tavily
+  namespace: gpt-researcher
+stringData:
+  TAVILY_API_KEY: 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
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openrouter
+  namespace: gpt-researcher
+stringData:
+  OPENROUTER_API_KEY: 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

pyrightconfig.json

@@ -0,0 +1,3 @@
+{
+  "allowedUntypedLibraries": ["hvac"]
+}

renovate.json

@@ -1,10 +1,14 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "kubernetes": {
-    "fileMatch": ["\\.yaml$"]
+    "fileMatch": ["infra/.+\\.yaml$", "apps/.+\\.yaml$"]
   },
   "flux": {
-    "fileMatch": ["infra/.+\\.yaml$", "apps/.+\\.yaml$"]
+    "fileMatch": [
+      "infra/.+\\.yaml$",
+      "apps/.+\\.yaml$",
+      "gotk-components\\.ya?ml$"
+    ]
   },
   "prHourlyLimit": 9
 }

talos/patches/anapistula-delrosalae.patch

@@ -1,7 +1,7 @@
 machine:
   network:
     interfaces:
-      - interface: enp4s0
+      - interface: eno1
         addresses:
           - 2001:470:61a3:100::3/64
           - 192.168.1.35/24
@@ -20,3 +20,11 @@ machine:
     image: factory.talos.dev/installer/06deebb947b815afa53f04c450d355d3c8bc28927a387c754db1622a0a06349e:v1.9.5
     extraKernelArgs:
       - cpufreq.default_governor=performance
+  sysfs:
+    devices.system.cpu.cpu0.cpufreq.scaling_max_freq: "550000"
+    devices.system.cpu.cpu1.cpufreq.scaling_max_freq: "550000"
+    devices.system.cpu.cpu2.cpufreq.scaling_max_freq: "550000"
+    devices.system.cpu.cpu6.cpufreq.scaling_max_freq: "550000"
+    devices.system.cpu.cpu7.cpufreq.scaling_max_freq: "550000"
+    devices.system.cpu.cpu8.cpufreq.scaling_max_freq: "550000"
+    

talos/patches/ollama.patch

@@ -0,0 +1,11 @@
+# CSI driver requirement
+cluster:
+  apiServer:
+    admissionControl:
+      - name: PodSecurity
+        configuration:
+          apiVersion: pod-security.admission.config.k8s.io/v1beta1
+          kind: PodSecurityConfiguration
+          exemptions:
+            namespaces:
+              - ollama

talos/patches/openebs.patch

@@ -16,7 +16,7 @@ machine:
           - rw
   install:
     extraKernelArgs:
-      - isolcpus=2,3
+      - isolcpus=1,7
 
 cluster:
   apiServer:

utils/synchronize-vault.py

@@ -2,14 +2,15 @@
 
 import argparse
 import os
-from hvac.api.system_backend import mount
-import yaml
+from typing import Any, cast
+
 import hvac
-from hvac.api.auth_methods import Kubernetes, kubernetes
+from hvac.api.auth_methods import Kubernetes
+import yaml
 
 # Read vault/policies dir then write what is there and delete missing
 def synchronize_policies(client: hvac.Client):
-    policies = {}
+    policies: dict[str, str] = {}
     # Read all policies files
     policy_dir = os.path.join(os.path.dirname(__file__), '../vault/policy')
     for filename in os.listdir(policy_dir):
@@ -17,7 +18,7 @@ def synchronize_policies(client: hvac.Client):
             policy_name = os.path.splitext(filename)[0]
             policies[policy_name] = f.read()
     
-    policies_on_vault = client.sys.list_policies()['data']['policies']
+    policies_on_vault: list[str] = cast(list[str], client.sys.list_policies()['data']['policies'])
 
     # Delete policies that should not be there
     for policy in policies_on_vault:
@@ -30,34 +31,41 @@ def synchronize_policies(client: hvac.Client):
         print(f'Updating policy: {policy_name}')
         client.sys.create_or_update_acl_policy(policy_name, policy_content)
 
+# Read vault/kubernetes-config.yaml and write it to kubernetes auth method config
+def synchronize_auth_kubernetes_config(client: hvac.Client):
+    config_file = os.path.join(os.path.dirname(__file__), '../vault/kubernetes-config.yaml')
+    with open(config_file, 'r') as f:
+        config = cast(dict[str, str], yaml.safe_load(f.read()))
+        _ = client.write_data('/auth/kubernetes/config', data=config)
+
 # Read vault/kubernetes-roles dir then write what is there and delete missing 
 def synchronize_kubernetes_roles(client: hvac.Client):
     kubernetes = Kubernetes(client.adapter)
 
     policy_dir = os.path.join(os.path.dirname(__file__), '../vault/kubernetes-roles/')
 
-    roles = {}
+    roles: dict[str, Any] = {} # pyright:ignore[reportExplicitAny]
     for filename in os.listdir(policy_dir):
         with open(os.path.join(policy_dir, filename), 'r') as f:
             role_name = os.path.splitext(filename)[0]
             roles[role_name] = yaml.safe_load(f.read())
     
-    roles_on_vault = []
+    roles_on_vault: list[str] = []
     try:
-        roles_on_vault = kubernetes.list_roles()['keys']
-    except hvac.exceptions.InvalidPath:
+        roles_on_vault = cast(list[str], kubernetes.list_roles()['keys'])
+    except hvac.exceptions.InvalidPath: # pyright:ignore[reportAttributeAccessIssue, reportUnknownMemberType]
         print("No roles found on server!")
 
     
     for role in roles_on_vault:
-        if role not in roles_on_vault:
+        if role not in roles:
             print(f'Deleting role: {role}')
             kubernetes.delete_role(role)
     
-    for role_name, role_content in roles.items():
+    for role_name, role_content in roles.items(): # pyright:ignore[reportAny]
         print(f'Updating role: {role_name}')
         # Using write data instead of kubernetes.create_role, we can pass raw yaml
-        client.write_data(f'/auth/kubernetes/role/{role_name}', data=role_content)
+        _ = client.write_data(f'/auth/kubernetes/role/{role_name}', data=role_content) # pyright:ignore[reportAny]
 
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(
@@ -71,5 +79,8 @@ if __name__ == '__main__':
     print('Synchronizing policies')
     synchronize_policies(client)
 
+    print('Synchronizing kubernetes config')
+    synchronize_auth_kubernetes_config(client)
+
     print('Synchronizing kubernetes roles')
     synchronize_kubernetes_roles(client)

vault/kubernetes-config.yaml

@@ -0,0 +1 @@
+kubernetes_host: https://10.43.0.1:443

vault/kubernetes-roles/backup.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - backup
+bound_service_account_namespaces:
+  - gitea
+token_policies:
+  - backup

vault/kubernetes-roles/cert-manager.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - ovh-credentials
+bound_service_account_namespaces:
+  - cert-manager
+token_policies:
+  - ovh-credentials

vault/kubernetes-roles/frigate-camera.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - camera
+bound_service_account_namespaces:
+  - frigate
+token_policies:
+  - frigate

vault/kubernetes-roles/ollama-proxy.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - ollama-proxy
+bound_service_account_namespaces:
+  - ollama
+token_policies:
+  - ollama

vault/kubernetes-roles/renovate.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - renovate
+bound_service_account_namespaces:
+  - renovate
+token_policies:
+  - renovate

vault/policy/backup.hcl

@@ -0,0 +1,7 @@
+path "secret/data/restic" {
+    capabilities = ["read"]
+}
+
+path "secret/data/backblaze" {
+    capabilities = ["read"]
+}

vault/policy/frigate.hcl

@@ -0,0 +1,4 @@
+
+path "secret/data/cameras" {
+    capabilities = ["read"]
+}

vault/policy/ollama.hcl

@@ -0,0 +1,3 @@
+path "secret/data/ollama" {
+    capabilities = ["read"]
+}

vault/policy/ovh-credentials.hcl

@@ -0,0 +1,3 @@
+path "secret/data/ovh-cert-manager" {
+    capabilities = ["read"]
+}

vault/policy/renovate.hcl

@@ -0,0 +1,3 @@
+path "secret/data/renovate" {
+    capabilities = ["read"]
+}