WIP: nothing's going on

Issue: #116

.woodpecker/.cdh.yml

@@ -0,0 +1,34 @@
+# ----------------------------------------------
+# -- Check da helm pipeline
+# ----------------------------------------------
+when:
+  - event: cron
+    cron: nightly
+steps:
+  check badhouseplants:
+    image: ghcr.io/allanger/check-da-helm-helmfile-secrets:stable
+    secrets:
+      - sops_age_key
+    environment:
+      RUST_LOG: info
+    commands:
+      - cdh --kind helmfile -p $CI_WORKSPACE/helmfile.yaml --helmfile-environment badhouseplants -o --output html >> result.html
+  notification:
+    image: deblan/woodpecker-email
+    settings:
+      from: woody@badhouseplants.net
+      host: badhouseplants.net
+      skip_verify: true
+      no_starttls: false
+      username:
+        from_secret: smtp_username
+      password:
+        from_secret: smtp_password
+      recipients:
+        - allanger@badhouseplants.net
+      subject: CDH result
+      target: main
+      recipients_only: true
+      attachment: result.html
+    when:
+      - status: [success, failure]

.woodpecker/.helmfile.yml

@@ -0,0 +1,29 @@
+when:
+  event: push
+matrix:
+  ENVIRONMENT:
+    - badhouseplants
+    - etersoft
+steps:
+  diff:
+    image: ghcr.io/helmfile/helmfile:canary
+    secrets: [sops_age_key, kubeconfig_content]
+    when:
+      - branch:
+          exclude:
+            - main
+    commands:
+      - mkdir $HOME/.kube
+      - echo "$KUBECONFIG_CONTENT" > $HOME/.kube/config && chmod 0600 $HOME/.kube/config
+      - helmfile -e $ENVIRONMENT diff --suppress-secrets
+  apply:
+    image: ghcr.io/helmfile/helmfile:canary
+    secrets: [sops_age_key, kubeconfig_content]
+    when:
+      - branch:
+          include:
+            - main
+    commands:
+      - mkdir $HOME/.kube
+      - echo "$KUBECONFIG_CONTENT" > $HOME/.kube/config && chmod 0600 $HOME/.kube/config
+      - helmfile -e $ENVIRONMENT apply

badhouseplants/helmfile.yaml

@@ -48,17 +48,17 @@ releases:
     createNamespace: true
 
   - <<: *loki
-    installed: false
+    installed: true
     namespace: monitoring-system
     createNamespace: false
 
   - <<: *promtail
-    installed: false
+    installed: true
     namespace: monitoring-system
     createNamespace: false
 
   - <<: *bitwarden
-    installed: true
+    installed: false
     namespace: bitwarden-application
     createNamespace: true
 
@@ -67,7 +67,7 @@ releases:
     namespace: database-service
     createNamespace: true
 
-  - <<: *postgres
+  - <<: *postgres16
     installed: true
     namespace: database-service
     createNamespace: true
@@ -83,10 +83,29 @@ releases:
     createNamespace: true
 
   - <<: *mysql
-    installed: true
+    installed: false
     namespace: database-service
     createNamespace: true
 
+  - <<: *docker-mailserver
+    installed: true
+    namespace: mail-service
+    createNamespace: true
+
+  - <<: *istio-gateway-resources
+    installed: true
+    namespace: istio-system
+    createNamespace: false
+
+  - <<: *vaultwarden
+    createNamespace: true
+    installed: true
+    namespace: vaultwarden-application
+
+  - <<: *woodpecker-ci
+    installed: true
+    namespace: woodpecker-ci
+    createNamespace: true
 
 bases:
   - ../environments.yaml

badhouseplants/values/secrets.bitwarden.yaml

@@ -1,5 +1,7 @@
 env:
     ADMIN_TOKEN: ENC[AES256_GCM,data:ea2lgOEYMi8Dsvun00YZR3PCE3ycNC4Mpe+xye9YL5CTtnyrDwV9Tw==,iv:28Tcn1/qIquS4jCNBTtspB9c+5U3Ut1zoY6gIez8fcs=,tag:POmhoUY3t4w+iTJKK2eHVQ==,type:str]
+smtp:
+    password: ENC[AES256_GCM,data:cs+2Ml3YfZCk8z/KmexGMqzFQRM=,iv:mg8e3oHbLT07pZEdDGwlBchPyT83xOdwKJg9CCaicnc=,tag:NPD+8gKERO8uCuwrFnn3bQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -15,8 +17,8 @@ sops:
             dzNYMlRnUDIxK2padTRCSzR4UUpWQjQKxex3RqZGU7ekdNC3qIiqdFs7d7a0Pxa1
             amLsaNnBfJ3OqjuD8atF2iCAXy1Q2BcXunkWi3wbzHb/DgYly3n9OQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-16T18:40:43Z"
+    lastmodified: "2023-10-15T12:20:48Z"
-    mac: ENC[AES256_GCM,data:tbPAgDQGA8MPnG5mIZLfvsOKdSkpOTK1Oy7uIQJ3DsNtBIt9vSO+vYxNjvfjAHyB6vE1cfx8zJkRcUw8kPh485jOxsM9G1ms/sjZKyJwsJbMjiqxs5zs0E4X9sqpJWiIhILBreZ8IopK4hCd2uLvhoV/HPxW8FV/HnHoCQ5p2Do=,iv:FtgTWFdkxCPOsNiJQWWIUmwYgh5rqRcbM/ToShcSODY=,tag:yc54xWHdq4KnSNxT9breOQ==,type:str]
+    mac: ENC[AES256_GCM,data:2yRwdYM32eESPuUz+d7m7pTcluDUeOrLgv7iJmhPEnowcU9WvypAZr73w4y4ewc3yvLmmu5uuFjJJhN1+yjwULGUtU1NPdcvXHsGwtlA7KDyYUqwIc4NrD6BAeR7tRQChNVD++2wB43kiGAWAMmieOMt+xHcaWlM2btuLoiwE34=,iv:ZMxA5eu0IJKTRBtoKhyIJiDe/W3zVjzlz3TbO7gpRnU=,tag:ErYqzleh87+wj0uBRah20g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

badhouseplants/values/secrets.db-instances.yaml

@@ -3,6 +3,10 @@ dbinstances:
         secrets:
             adminUser: ENC[AES256_GCM,data:pKbAQDiOs6k=,iv:yET0mJtdm2baDJHwq1uYEoxye48g2PrMqiOSO3POTBo=,tag:wuIxhHiRzjSRM+uaEo2KNQ==,type:str]
             adminPassword: ENC[AES256_GCM,data:/U3q6RmOYLpxJBAYsJ8f4lV3MB0=,iv:dw7g0E4Gm0YqtgvdcC+bq+YbSRPop3BKLiJfwaz+1io=,tag:NAXnWj4AjgajN94ml/ENsA==,type:str]
+    postgres16:
+        secrets:
+            adminUser: ENC[AES256_GCM,data:1THZrB3Rg+g=,iv:/euSgQUYlJ4HbiqWr3ezwLkds0nwioFHRhXbqTiYR6M=,tag:GSbSxrNrVJKHp9+3+ECVRA==,type:str]
+            adminPassword: ENC[AES256_GCM,data:F+5az4JRH6LMz88duwFp5EDm4AYG,iv:dbsfSSwigBX1cU6XFYu4ZFd15Te0MdGBoq5O9OtqxgM=,tag:uOLhvHSiBEbbos2GzLJZ3g==,type:str]
     mysql:
         secrets:
             adminUser: ENC[AES256_GCM,data:XFEGew==,iv:7aj2J7Qs9mHC5kRZGrg71hwEBP64vEz0qQ+qoPHSgrc=,tag:/Rx5yx7iMU5Gwcmbf5GVSg==,type:str]
@@ -22,8 +26,8 @@ sops:
             Wmh3Z29ZSlBhbmFJNkFQZlE3aXpMMk0K14rSXjSF08xkil+fFJpeMV+6XChTJ2/3
             OQecJtg+0NQPyvC+kR5qKq8roiSzNNJgTVg2wwKMdukKVVTbEGi0gA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-30T15:07:28Z"
+    lastmodified: "2023-10-04T02:28:20Z"
-    mac: ENC[AES256_GCM,data:/q/LG+CgBAm666nwu+QCw9beoC8m11R5OYspnUxdwTfAv4h0yqY0Hk599hy+Yqt0brpUpj8hwqCESkt6gufFAklilSYV8SWvea7FxA4Jdbfpj1kfty9d4qMxHrpggId/jPshVAVsF0Ezh1/XbPWpQnTiaAMu2JTVMR9cFR3xvyc=,iv:37EdIo9QoUemTvpHSKD2kdq1FnJpwNXGr8ym0dPX6w8=,tag:ri2ILtd9FvLJf0O5iKOdyg==,type:str]
+    mac: ENC[AES256_GCM,data:EBNSr29LlLjadOrrk2ZSwH9Ng4YD0pYCrhfupaQPSK5559zUCRIuPuTC5P0sfh5dn7YARrcprAwH68I3Xc3EUWkZabCYcjR+bfbby1s8tjiIIgVcksQJr523CDIXMiezf860M9uyktxWdUQa1TjuEfo0SAkYs0XHEaIQlOloN6c=,iv:v/Al1appBTv7ypplQEz7C2qAnvCDRK3JPCN8+PATeX4=,tag:Ci8eg6xsFyZz35r5p4ie6g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.0

badhouseplants/values/secrets.funkwhale.yaml

@@ -1,7 +1,7 @@
 djangoSecret: ENC[AES256_GCM,data:CxsJVhNxku3pohREaVs=,iv:KDupR8tZlPkPeRwGWzyz+eKtp1tfTdFWqXNuQW20oXo=,tag:lCHqv2CC8cXpnqTr8fGzPg==,type:str]
 postgresql:
     auth:
-        password: ENC[AES256_GCM,data:IKPFpCY0Im2SQquNFM/3umvGfYOt1A==,iv:asWxkKTvez1FxxXto/ulh4CDBvPZ6SovqKnoFEQjG/s=,tag:iqyxZU+jERNgakMcAm+cnQ==,type:str]
+        password: ENC[AES256_GCM,data:RdsyzDU+XesRJkUSllyvfREzbDz68t6RSw==,iv:RpV9BjK9ytpUYJvNGQ5eHXuhNbXSV+Nl9Yib0ac34KM=,tag:Y1K7cfmoyNS6sih0JMjBVQ==,type:str]
 redis:
     auth:
         password: ENC[AES256_GCM,data:fgxZMA13BpFf5FA8JwLUXjlelUgvR4qtg316OALq,iv:numLe3PrsToG0Fbl7+mdbWOBTb7XrgppF09pIVg+rrU=,tag:ivKuF0xFe/s4P1otjLML8g==,type:str]
@@ -20,8 +20,8 @@ sops:
             dWdMUFpOOVJYSXdBbzJiSzhQM0VmbWMKUqdIpfa8i7vASIga8HFurrPf1RgA+WVA
             GZiG+M0i4yc3SooTIwbDzH0orfaEHueKdNTGOXMgxNiRIt2q9BG76g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-29T20:22:20Z"
+    lastmodified: "2023-10-04T18:47:37Z"
-    mac: ENC[AES256_GCM,data:G9+rbTp4AXIr97bl4UUUIMsd47Gmwt5IGFJQMSAtKRkCCcWIVK9ac+3nX5g9gOgziKvPE7moETXPAfFjcfOQFvi8bmU7jZnoLr4rOvP7SX1LZEfs9siCCtC1q9S/VrlWhxx/2Cpz1EegM+o2cQepqGr4IoIpboEowKl2yhpZiko=,iv:aRDq9ptB6GrRAvl5b0yyKVTZwOPdtFvSGEIPhlMrZbg=,tag:PsRUQJrBtu3sfLcIhIJbqw==,type:str]
+    mac: ENC[AES256_GCM,data:Mh6OGkcKMGnmBHIKadpLYfFO3UNLoww4gFW+U7mnu4v87j06h6QHOx4p99TBp8OqK3/ky73FUVLGtm5XFLvMgzM5wpghqwqPa4G9UvgP2zY6GM5HaEw90l9mEtdSw6czs1hi9ChNF3RbIPwowW6KNJoASK08YaSwkRLK3J8T0sM=,iv:9N3hRle1eH5EHEPQeAnKSXSjkhhs1045rgk/WNOP3I8=,tag:bsqCJQE5puKckYMgKZsr3w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.0

badhouseplants/values/secrets.gitea.yaml

@@ -4,9 +4,9 @@ gitea:
         password: ENC[AES256_GCM,data:TnIUSnX7Lj+2N6mWWOvVVmc96DQ=,iv:vjow//IrtvdmTg4jYenwTyUnuBhq7witfzugbE0uq9c=,tag:L5UPa9UK4aB1wY1ilZntzg==,type:str]
     config:
         mailer:
-            ENABLED: ENC[AES256_GCM,data:C2qWn4E=,iv:APUvrTInDdxf1tJ5eFSgxUej8e085HZalsiHY6/Fryc=,tag:MW3KhfU+25EWDzM/+QOZ5A==,type:bool]
+            PASSWD: ENC[AES256_GCM,data:lb1VwH/Bc2XoyB42UrhgCX5ad70=,iv:Eh4R2deZOMGq4LxZadtt6SgrdoSxcArYC2X+czKtns8=,tag:ZCtQguWQt8ARS2rTWCSoSg==,type:str]
         database:
-            PASSWD: ENC[AES256_GCM,data:EVawxgpBgJ1ZlU4F+KFlJZXHq/4=,iv:ZUC7YBQ+RXNKLFEZzAeXfoGqBv9ilGw6Q5ynspAsc78=,tag:Wpb3awtdRLLBNYmmuTUCrA==,type:str]
+            PASSWD: ENC[AES256_GCM,data:mI1RHEThB0bM1bJ/pBioJjvKT3Q=,iv:WSwV4+UzD8HUtA5ipZNu2IVXa4AuQE9k7hTB++AsTgU=,tag:CtU3ValcNw0RSIQVdaHmtw==,type:str]
         session:
             PROVIDER_CONFIG: ENC[AES256_GCM,data:i/N01zYx1H1D1eFiZKOmf4e1LoDBJE5AoN4eZl3h/QKwOEy5x4LNQoF7CbGguCBMvITtYbzXr12VzQ8pxEf17z6nssQ2nNiz84zuBOY9DQqxZLkxS5AmKKgk7XKF/YYYDaavMdJj54gtXoCrDZ58z5Tw8FM0ScTRp2+4RXGMwg==,iv:dKZhe9cOPDhdtK9sJKzCHmimV1vcuAebY8DfaJMqk2Q=,tag:ZhyEepW4wIM1Dv97xn5xBA==,type:str]
         cache:
@@ -33,8 +33,8 @@ sops:
             Ym5KMWw5ZDBBZzJBcHBXdFZiaDZpU0UKNl/GkGP25D7z5a8mVBmoSTfOM3EzymPN
             WW62zIoBHlwLxF9nwj1xCCtcL1XKgiB8nnn4IrY3ljqFc0VkxD9dnQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-29T20:30:31Z"
+    lastmodified: "2023-10-15T09:58:05Z"
-    mac: ENC[AES256_GCM,data:jd8jrX6GTAsEMydRfjLPW8XKXs4HgNNMqR0UvzVq0qFl/2zisKYLxtc6m4XBjDLeI8te+nNcJ16XYR0tdayM4PjXzurC9bAMdyI4utv1cRUJdWVxbo2oODWjJ9IAHqwkVHfJOrAJ7j0qamzHr/4h7u2DsLxvHm/lQY2g5zDKPD0=,iv:P215bq4q6iv8fSpU2CvfUhR1Pbr6mpYtv868m2F+M44=,tag:oWzMZOyCuxf2JBiGjDdCKg==,type:str]
+    mac: ENC[AES256_GCM,data:W7Ml9O6oA5dG59O7eWUEBdRrOdmoXWdib2tzK2zCFfMbjWczS5I7AM3DFKG6+P/kRiEQpjj0OarFvuJ7e23blx0/43UXqjpRCuGqcWkNXQaYaxlye6SDlLjregTUeqo4gyzyXYVpIGikLNBYoufewpdlboVQk8ZheSLSOttrbcE=,iv:IqrjduR0EhuzCCWCCJOHCL0DlS4B66P1Wlucg9R0gk4=,tag:vmq6+uh9q7avpK5Q56+iJA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

badhouseplants/values/secrets.postgres16.yaml

@@ -0,0 +1,24 @@
+global:
+    postgresql:
+        auth:
+            postgresPassword: ENC[AES256_GCM,data:O5Fvmjipcx7CZ4DKQjRW0isfzoUt,iv:sVl6TFRCKAL5ci+lC4DfX/vZkWwRVg559kq4GU67udY=,tag:dEsoEe1UfvD5rUrI+EYOsg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbENvMm1YQzlSV3UrSEJ4
+            VTZ1RWVKTlpsUDFzQlVjMlJEZmIvaldHVXlFCm9SVzN3Z0dwTGo1Y3dnaHhvSmpi
+            bDIrMlJhbHhKUmRZejdkTmJiSDYvY2MKLS0tIFpRbkwySVh2MDlNWEFNZHVtY2Ns
+            Wmh3Z29ZSlBhbmFJNkFQZlE3aXpMMk0K14rSXjSF08xkil+fFJpeMV+6XChTJ2/3
+            OQecJtg+0NQPyvC+kR5qKq8roiSzNNJgTVg2wwKMdukKVVTbEGi0gA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-04T02:27:48Z"
+    mac: ENC[AES256_GCM,data:yyvzDlqm3ZOGAMAWCbA4JBC2xs14dKJ4oGifHCvD6K3cBcLgQLS8MOoQJBVfAfL/lVqYDtQ8qwQl/NbCEAKdqw5mtGRwSGaCExSTfO8PIUZCT69q5lwhAxfSGkhjjup+88MhwdZbe2iqqr0nF/GBYT7exqu6Pj85ZKbeDVBTMUE=,iv:KVuyYWYvtVjFinkY82nPwKI/XX18t4purLInfjSxYlg=,tag:kD0G+keg4veTy+CN7KOo6Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.0

badhouseplants/values/secrets.vaultwarden.yaml

@@ -0,0 +1,27 @@
+vaultwarden:
+    smtp:
+        username: ENC[AES256_GCM,data:6kAu3et5PmRgZ7B/qQQKA/hwsubozpBEcuzA,iv:cqNO3VWKFRWqBRAFTf2AyMQskuZvcDghseT2PWEsCjA=,tag:nkzugvJTJ/KhLuldXxdBrg==,type:str]
+        password:
+            value: ENC[AES256_GCM,data:rTCIH4vU7sfCNu6FxfdfyPKKQ01MQHBM0g==,iv:ZKD98V5W1GH0NZCfYG86AdFhbe8Ig+nCHFdU0NGcQT4=,tag:cL3fSAKntmWZ/QvSPYwbvw==,type:str]
+    adminToken:
+        value: ENC[AES256_GCM,data:PT62LcyiNqW1NVeuZ5+HTj8fzwSwuD1av/Z8S2GnR6j62+F8/aibhW/ATFG92chw++w=,iv:LnaRBem4dsggV4u4IlNjlWY301ajAHot2D259Y383m0=,tag:f24QDtGrtNJFA95Qo6Umqg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDL0RuQitFb0dPajRpSHRo
+            WnhUa3BOazVHSTE5STRNMGQ2eWUxaXhvNEJVCmtpMjE2Q3hyQzhDSTBObUgwQXV3
+            dmhvYmUvL05QUGd6Umx5QjRhMVFmcHMKLS0tIEtkTDc1ZVcxOWRqRzlzdTM1WG5a
+            U25tMkxQS1gzcyt6R2NkZnVLRVVoOWMKZSaIZxzTlYim2kmiHrQcgRu9XmWelRkT
+            HZZmSa0L9yEdksUCK3+iqjCZhQBYc/6qJHRYvuAaJ+/hs5RxuLUr8g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-25T19:33:37Z"
+    mac: ENC[AES256_GCM,data:Fl9x8f4YlhAciCdRNRWukK4lj/OqP+TJ8+xEXUSb+1FqUAv/aHocy/f3IuzEhgq/+i9RSKORy2+glYBdK+tL50FzaPQCXz9YgYMtshsIkfkVIw2j9R7sqs5Uo5fQ6g5V3ir5/czb8FSqoS7S+2onyHxZawuG1XCWYPPLATVrKa8=,iv:7K6NABns5rzYIJgthRxqkGD5bQXKPhgIxoCs2ZS0JGY=,tag:FvTTObosyFZom45xuVABog==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

badhouseplants/values/secrets.woodpecker-agent.yaml

@@ -0,0 +1,23 @@
+env:
+    WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:cJoxJw6c6FYZ337i5P6dGUzLmgUn9Z+/Ed9aUK76WYnB8m0D9h5IlAlOfCQ=,iv:1BgxKsaI3dhhPNkZbpHKBn6GXadn1RD+3Q4RwKLfmcU=,tag:y8qLWwpVAwKrOWN1cC2ulw==,type:str]
+    WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:VdWASwxPurzmfSjb2h8wBw3XbZSfG9UG0jmXSbTBPreZ+l7UQblI/wqr8Tw=,iv:APNuiqimA/ofCWsvywj+SJedQBMgRoCd65Gd3Ps2/fw=,tag:ATLGT4ACZ2GR46qD9ABUng==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRFNvdnBsSHFBcjlGcGl1
+            RnU1NEpZekpucTNCZHBGcXdBakhkU1drb2dZClVYZ2xMVUJiOXV2enlBbm1TS2Mz
+            ZnZ0UHpsVHVUU2ZkSGtwUXNMM0R6VjQKLS0tIFR4NEdTTGRIY3QycTFhRzJNSEY0
+            SEs0Z3VjaTN2Y3Z0QmtEUEdQdmtwYnMKxQ3z1p2GulSOklUEolWeH20JeFwNpZqY
+            870x5UtCJNVTMrIDgwMQK3hn+yywxPdgSRhkW3bqH4PJDxi78UUpXw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-05T08:06:51Z"
+    mac: ENC[AES256_GCM,data:pc4n/3MEP0GhmZ+wdbOiK2gj7ah/9IJ2hoXRtM1sAGy3UPNBrF5VE7hxnAi393YpWBank7crDTvg2aJjhVt7XqB8zcjiHtNMlcpxL6fJ+uWxeH4uVj/NBfSvoO410oYbtPuKMjZpPU7KACmTJ9tzVIZdZOScXx7fLQxNUq01Hu8=,iv:18MqueG9MHrTcXmu14Q8LPnMFT9lolDkCbXjjA2P1qg=,tag:6ETPd8vZ0CCGEUP5u8ZxNA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.0

badhouseplants/values/secrets.woodpecker-ci.yaml

@@ -0,0 +1,27 @@
+server:
+    env:
+        WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:mGYEvlIeQC3mg+kxy3ZX6gAVf88DXLVdeSdgpQa8wixsb2rDoj4+l2ET2saquK+lVhjvv8ZKdvg=,iv:VlPgDYPj1xpxnpWnEHj+slBi0H2nWKeScclPItUaG9A=,tag:ox/Ur5vsOARXRT3g0hCgsg==,type:str]
+        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:WXwsmLmb37clb5xgv+2DeKfhk7cwaIJpaCW8/Kq/CmgfwCmrarPDDQGXZoLwOjGj3mh/ciDj7V5WgHfyxuIDhA==,iv:NhGlPyPrTrTbz1DjOZEieWAfOQHqSqhdLiqMspex1j0=,tag:vOfo+XiCUW6MhtJemkZPMA==,type:str]
+agent:
+    env:
+        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:4lTZ16jbrorU4B9gTAoWmgiGggrMWD7K5O/5R47OIDMdRInwXtaWviofFD8WJQMduiGvANxMVNs0J1DLvFKi9Q==,iv:Y0AsW63vdVEwKvpVYeMVLFmwYlsQSwnz602QjDgj/ZQ=,tag:aO9xh3psy/bRCCQEFUp75A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlQjZqNE9iMDl6MlhnSUp5
+            QTBSOG83WFBqZFZIU2dEMzlpengrUFg4alZFCld4MkI4WW8xMUZnMm1SU2hmMCtn
+            bTZSVTIxTk5aZmo3OEJJdlJwL2xhV3MKLS0tIGJraERVZTNyMWFCVE1TbEhRR3J4
+            WXh3NGd4UG9OODhHNEp0cDVoQkM5dWMKcz4h0O4J2WlB+L9+/U8Rl+zzd87hsJo8
+            ThPZgnUNDGpdRrU2IYiXo03fZOhBoqBJe1ZG+Ol8z9bvTeyeMZxRIg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-18T17:43:53Z"
+    mac: ENC[AES256_GCM,data:u8iu+Ia1u5c5AkdyKbGT//G/Zp+yDNv3TQIElSBA6qCTBu0lKAii3ywXrqdpQ1kYtytjazcwkOa7vKmVy1UoCNda+8wGGHfhfOIQlll+TKBNvgUO73lF5P7X5q6CcgFMvTazXKElESEC3G04uVLEOdG1W6d0ArVRnh8gFOY6Jgg=,iv:VT0pFoOcLPK14I1doJi+52wtCfUuqh2nxdSVu0ufVOY=,tag:SwAOYLxOYaouteqXdgP2Hg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

badhouseplants/values/values.argocd.yaml

@@ -7,7 +7,7 @@ istio:
   enabled: true
   istio:
     - name: argocd-http
-      gateway: badhouseplants-net
+      gateway: istio-system/badhouseplants-net
       kind: http
       hostname: argo.badhouseplants.net
       service: argocd-server

badhouseplants/values/values.bitwarden.yaml

@@ -7,7 +7,7 @@ istio:
   enabled: true
   istio:
     - name: bitwarden-http
-      gateway: badhouseplants-net
+      gateway: istio-system/badhouseplants-net
       kind: http
       hostname: bitwarden.badhouseplants.net
       service: bitwarden-vaultwarden
@@ -17,17 +17,8 @@ istio:
   pathType: Prefix
 
 env:
-
   SIGNUPS_ALLOWED: false
   DOMAIN: "https://bitwarden.badhouseplants.net"
-  # YUBICO_CLIENT_ID
-  # YUBICO_SECRET_KEY
-  # DATA_FOLDER
-  # DATABASE_URL
-  # ATTACHMENTS_FOLDER
-  # ICON_CACHE_FOLDER
-  # ROCKET_LIMITS
-  # ROCKET_WORKERS
   WEB_VAULT_ENABLED: true
 
 persistence:
@@ -35,3 +26,15 @@ persistence:
   accessMode: ReadWriteOnce
   size: 800Mi
   storageClass: longhorn
+
+smtp:
+  host: badhouseplants.net
+  security: "starttls"
+  port: 587
+  from: bitwarden@badhouseplants.net
+  fromName: bitwarden
+  username:
+    value: overlord@badhouseplants.net
+  authMechanism: "Plain"
+  acceptInvalidHostnames: "false"
+  acceptInvalidCerts: "false"

badhouseplants/values/values.db-instances.yaml

@@ -10,6 +10,16 @@ dbinstances:
     generic:
       host: postgres-postgresql
       port: 5432
+  postgres16:
+    monitoring:
+      enabled: false
+    adminSecretRef:
+      Name: postgres16-secret
+      Namespace: database-service
+    engine: postgres
+    generic:
+      host: postgres16-postgresql.database-service.svc.cluster.local
+      port: 5432
   mysql:
     monitoring:
       enabled: false

badhouseplants/values/values.docker-mailserver.yaml

@@ -0,0 +1,129 @@
+istio-gateway:
+  enabled: true
+  gateways:
+    - name: badhouseplants-email
+      servers:
+        - hosts:
+            - "*"
+          port:
+            name: smtp
+            number: 25
+            protocol: TCP
+        - hosts:
+            - "*"
+          port:
+            name: pop3
+            number: 110
+            protocol: TCP
+        - hosts:
+            - "*"
+          port:
+            name: imap
+            number: 143
+            protocol: TCP
+        - hosts:
+            - "*"
+          port:
+            name: smtps
+            number: 465
+            protocol: TCP
+        - hosts:
+            - "*"
+          port:
+            name: submission
+            number: 587
+            protocol: TCP
+        - hosts:
+            - "*"
+          port:
+            name: imaps
+            number: 993
+            protocol: TCP
+        - hosts:
+            - "*"
+          port:
+            name: pop3s
+            number: 995
+            protocol: TCP
+istio:
+  enabled: true
+  istio:
+    - name: docker-mailserver-smpt
+      kind: tcp
+      gateway: badhouseplants-email
+      service: docker-mailserver
+      hostname: badhouseplants.net
+      port_match: 25
+      port: 25
+    - name: docker-mailserver-smpts
+      kind: tcp
+      gateway: badhouseplants-email
+      port_match: 465
+      hostname: badhouseplants.net
+      service: docker-mailserver
+      port: 465
+    - name: docker-mailserver-smpt-startls
+      kind: tcp
+      gateway: badhouseplants-email
+      hostname: badhouseplants.net
+      port_match: 587
+      service: docker-mailserver
+      port: 587
+    - name: docker-mailserver-imap
+      kind: tcp
+      hostname: badhouseplants.net
+      gateway: badhouseplants-email
+      port_match: 143
+      service: docker-mailserver
+      port: 143
+    - name: docker-mailserver-imaps
+      kind: tcp
+      gateway: badhouseplants-email
+      hostname: badhouseplants.net
+      port_match: 993
+      service: docker-mailserver
+      port: 993
+    - name: docker-mailserver-pop3
+      kind: tcp
+      gateway: badhouseplants-email
+      port_match: 110
+      hostname: badhouseplants.net
+      service: docker-mailserver
+      port: 110
+    - name: docker-mailserver-pop3s
+      kind: tcp
+      gateway: badhouseplants-email
+      port_match: 993
+      hostname: badhouseplants.net
+      service: docker-mailserver
+      port: 993
+    - name: docker-mailserver-rainloop
+      kind: http
+      gateway: istio-system/badhouseplants-net
+      hostname: mail.badhouseplants.net
+      service: docker-mailserver-rainloop
+      port: 80
+
+rainloop:
+  enabled: true
+  ingress:
+    enabled: false
+demoMode:
+  enabled: false
+domains:
+  - badhouseplants.net
+  - mail.badhouseplants.net
+ssl:
+  issuer:
+    name: badhouseplants-issuer
+    kind: ClusterIssuer
+  dnsname: badhouseplants.net
+  dns01provider: cloudflare
+  useExisting: false
+pod:
+  dockermailserver:
+    enable_fail2ban: "0"
+    ssl_type: manual
+service:
+  type: ClusterIP
+spfTestsDisabled: true

badhouseplants/values/values.drone.yaml

@@ -6,7 +6,7 @@ istio:
   enabled: true
   istio:
     - name: drone-http
-      gateway: badhouseplants-net
+      gateway: istio-system/badhouseplants-net
       kind: http
       hostname: drone.badhouseplants.net
       service: drone

badhouseplants/values/values.funkwhale.yaml

@@ -7,7 +7,7 @@ istio:
   enabled: true
   istio:
     - name: funkwhale-http
-      gateway: badhouseplants-net
+      gateway: istio-system/badhouseplants-net
       kind: http
       hostname: funkwhale.badhouseplants.net
       service: funkwhale
@@ -15,8 +15,8 @@ istio:
 
 ext-database:
   enabled: true
-  name: funkwhale-postgres
+  name: funkwhale-postgres16
-  instance: postgres
+  instance: postgres16
 
 replicaCount: 1
 celery:
@@ -43,10 +43,10 @@ ingress:
   enabled: false
 postgresql:
   enabled: false
-  host: postgres-postgresql.database-service.svc.cluster.local
+  host: postgres16-postgresql.database-service.svc.cluster.local
   auth:
-    username: funkwhale-application-funkwhale-postgres
+    username: funkwhale-application-funkwhale-postgres16
-    database: funkwhale-application-funkwhale-postgres
+    database: funkwhale-application-funkwhale-postgres16
 
 redis:
   enabled: false

badhouseplants/values/values.gitea.yaml

@@ -8,13 +8,13 @@ istio:
   istio:
     - name: gitea-http
       kind: http
-      gateway: badhouseplants-net
+      gateway: istio-system/badhouseplants-net
       hostname: git.badhouseplants.net
       service: gitea-http
       port: 3000
     - name: gitea-ssh
       kind: tcp
-      gateway: badhouseplants-ssh
+      gateway: istio-system/badhouseplants-ssh
       hostname: "*"
       port_match: 22
       service: gitea-ssh
@@ -25,8 +25,8 @@ istio:
 # ------------------------------------------
 ext-database:
   enabled: true
-  name: gitea-postgres
+  name: gitea-postgres16
-  instance: postgres
+  instance: postgres16
 # ------------------------------------------
 # -- Kubernetes related values
 # ------------------------------------------
@@ -43,7 +43,7 @@ resources:
 
 persistence:
   enabled: true
-  size: 6Gi
+  size: 10Gi
   accessModes:
     - ReadWriteOnce
 
@@ -61,9 +61,9 @@ gitea:
   config:
     database:
       DB_TYPE: postgres
-      HOST: postgres-postgresql.database-service.svc.cluster.local
+      HOST: postgres16-postgresql.database-service.svc.cluster.local
-      NAME: gitea-service-gitea-postgres
+      NAME: gitea-service-gitea-postgres16
-      USER: gitea-service-gitea-postgres
+      USER: gitea-service-gitea-postgres16
     APP_NAME: Bad Houseplants Gitea
     ui:
       meta:
@@ -101,6 +101,18 @@ gitea:
       ADAPTER: redis
     queue:
       TYPE: redis
+    mailer:
+      ENABLED: true
+      FROM: gitea@badhouseplants.net
+      PROTOCOL: smtp+startls
+      SMTP_ADDR: badhouseplants.net
+      SMTP_PORT: 587
+      USER: overlord@badhouseplants.net
+    indexer:
+      REPO_INDEXER_ENABLED: true
+      REPO_INDEXER_PATH: indexers/repos.bleve
+      MAX_FILE_SIZE: 1048576
+      REPO_INDEXER_EXCLUDE: resources/bin/**
 service:
   ssh:
     type: ClusterIP

badhouseplants/values/values.istio-gateway-resources.yaml

@@ -0,0 +1,88 @@
+certificate:
+  enabled: true
+  certificate: 
+    - name: nrodionov-wildcard
+      secretName: nrodionov-wildcard-tls
+      issuer:
+        kind: ClusterIssuer
+        name: badhouseplants-issuer
+      dnsNames:
+        - nrodionov.info
+        - "*.nrodionov.info"
+    - name: badhouseplants-wildcard
+      secretName: badhouseplants-wildcard-tls
+      issuer:
+        kind: ClusterIssuer
+        name: badhouseplants-issuer
+      dnsNames:
+        - badhouseplants.net
+        - "*.badhouseplants.net"
+istio-gateway:
+  enabled: true
+  gateways:
+    - name: badhouseplants-net
+      servers:
+        - hosts:
+          - badhouseplants.net
+          - '*.badhouseplants.net'
+          port:
+            name: http
+            number: 80
+            protocol: HTTP2
+          tls:
+            httpsRedirect: true
+        - hosts:
+          - badhouseplants.net
+          - '*.badhouseplants.net'
+          port:
+            name: https
+            number: 443
+            protocol: HTTPS
+          tls:
+            credentialName: badhouseplants-wildcard-tls
+            mode: SIMPLE
+    - name: nrodionov-info
+      servers:
+        - hosts:
+          - nrodionov.info
+          - dev.nrodionov.info
+          port:
+            name: http
+            number: 80
+            protocol: HTTP2
+          tls:
+            httpsRedirect: true
+        - hosts:
+          - nrodionov.info
+          - dev.nrodionov.info
+          port:
+            name: https
+            number: 443
+            protocol: HTTPS
+          tls:
+            credentialName: nrodionov-wildcard-tls
+            mode: SIMPLE
+    - name: badhouseplants-vpn
+      servers:
+        - hosts:
+          - '*'
+          port:
+            name: tcp
+            number: 1194
+            protocol: TCP
+    - name: badhouseplants-ssh
+      servers:
+        - hosts:
+          - '*'
+          port:
+            name: ssh
+            number: 22
+            protocol: TCP
+    - name: badhouseplants-minecraft
+      servers:
+        - hosts:
+          - '*'
+          port:
+            name: minecraft
+            number: 25565
+            protocol: TCP

badhouseplants/values/values.istio-ingressgateway.yaml

@@ -1,4 +1,3 @@
----
 service:
   type: LoadBalancer
   ports:

badhouseplants/values/values.loki.yaml

@@ -1,11 +1,22 @@
 ---
 singleBinary:
   replicas: 1
+  persistence:
+    size: 5Gi
 loki:
   auth_enabled: false
   commonConfig:
     replication_factor: 1
+  storage:
+    type: 'filesystem'
+monitoring:
+  selfMonitoring:
+    enabled: false
+  lokiCanary:
+    enabled: false
+test:
+  enabled: false
 compactor:
   retention_enabled: true
 limits_config:
-  retention_period: 2d
+  retention_period: 14d

badhouseplants/values/values.minecraft.yaml

@@ -18,7 +18,7 @@ istio:
   enabled: true
   istio:
     - name: minecraft-tcp
-      gateway: badhouseplants-minecraft
+      gateway: istio-system/badhouseplants-minecraft
       kind: tcp
       port_match: 25565
       hostname: "*"
@@ -88,7 +88,7 @@ persistence:
     enabled: true
     Size: 15Gi
 mcbackup:
-  enabled: true
+  enabled: false
   backupInterval: 2h
   pauseIfNoPlayers: "false"
   pruneBackupsDays: 2
@@ -110,7 +110,7 @@ mcbackup:
 # -- Install Plugins
 # ---------------------------------------------
 initContainers:
-  - name: install-prometheus-exporter
+  - name: 0-install-prometheus-exporter
     image: alpine/curl
     command:
       - curl
@@ -122,7 +122,7 @@ initContainers:
       - name: plugins
         mountPath: /data/plugins
         readOnly: false
-  - name: install-password-plugin
+  - name: 0-install-password-plugin
     image: alpine/curl
     command:
       - curl
@@ -134,7 +134,7 @@ initContainers:
       - name: plugins
         mountPath: /data/plugins
         readOnly: false
-  - name: install-gravity-control-plugin
+  - name: 0-install-gravity-control-plugin
     image: alpine/curl
     command:
       - curl
@@ -146,6 +146,29 @@ initContainers:
       - name: plugins
         mountPath: /data/plugins
         readOnly: false
+  - name: 0-install-fast-minecart-plugin
+    image: alpine/curl
+    command:
+      - curl
+      - -L
+      - https://github.com/certainly1182/FastMinecarts/releases/download/v1.0.1/FastMinecarts.jar
+      - -o
+      - /data/plugins/FastMinecarts.jar
+    volumeMounts:
+      - name: plugins
+        mountPath: /data/plugins
+  - name: 1-add-plugins-to-minecraft
+    image: alpine/curl
+    command:
+      - sh 
+      - -c 
+      - cp -r /in /out/plugins
+    volumeMounts:
+      - name: plugins
+        mountPath: /in
+        readOnly: false
+      - name: datadir
+        mountPath: /out
 extraVolumes:
   - volumeMounts:
       - name: plugins

badhouseplants/values/values.minio.yaml

@@ -7,13 +7,13 @@ istio:
   enabled: true
   istio:
     - name: minio-http
-      gateway: badhouseplants-net
+      gateway: istio-system/badhouseplants-net
       kind: http
       hostname: minio.badhouseplants.net
       service: minio-console
       port: 9001
     - name: s3-http
-      gateway: badhouseplants-net
+      gateway: istio-system/badhouseplants-net
       kind: http
       hostname: s3.badhouseplants.net
       service: minio
@@ -64,11 +64,6 @@ buckets:
   - name: allanger-music
     policy: download
     purge: false
-    versioning: false
-  - name: badhouseplants-brew
-    policy: download
-    purge: false
-    versioning: false
 metrics:
   serviceMonitor:
     enabled: false

badhouseplants/values/values.nrodionov.yaml

@@ -7,7 +7,7 @@ istio:
   enabled: true
   istio:
     - name: nrodionov-http
-      gateway: nrodionov-info
+      gateway: istio-system/nrodionov-info
       kind: http
       hostname: dev.nrodionov.info
       service: nrodionov-wordpress

badhouseplants/values/values.openvpn.yaml

@@ -7,19 +7,12 @@ istio:
   enabled: true
   istio:
     - name: openvpn-tcp
-      gateway: badhouseplants-vpn
+      gateway: istio-system/badhouseplants-vpn
       kind: tcp
       port_match: 1194
       hostname: "*"
       service: openvpn
       port: 1194
-    - name: openvpn-tcp-fake-port
-      gateway: badhouseplants-vpn
-      kind: tcp
-      port_match: 25
-      hostname: "*"
-      service: openvpn
-      port: 1194
 # ------------------------------------------
 image:
   tag: v2.6.5-xor-4.0.0beta08

badhouseplants/values/values.postgres16.yaml

@@ -0,0 +1,10 @@
+architecture: standalone
+
+auth:
+  database: postgres
+
+persistence:
+  size: 1Gi
+
+metrics:
+  enabled: false

badhouseplants/values/values.prometheus.yaml

@@ -7,7 +7,7 @@ istio:
   enabled: true
   istio:
     - name: grafana-https
-      gateway: badhouseplants-net
+      gateway: istio-system/badhouseplants-net
       kind: http
       hostname: "grafana.badhouseplants.net"
       service: prometheus-grafana
@@ -64,7 +64,8 @@ defaultRules:
 prometheus:
   prometheusSpec:
     enableAdminAPI: true
-    retentionSize: 10GB
+    retentionSize: 7GB
+    retention: 20d
     podMonitorNamespaceSelector:
       any: true
     podMonitorSelector: {}
@@ -83,7 +84,7 @@ prometheus:
           accessModes: ["ReadWriteOnce"]
           resources:
             requests:
-              storage: 10Gi
+              storage: 12Gi
 
 grafana:
   persistence:

badhouseplants/values/values.promtail.yaml

@@ -3,3 +3,9 @@ config:
   clients:
     #    - url: http://loki.monitoring-system:3100
     - url: http://loki-gateway/loki/api/v1/push
+  snippets:
+    pipelineStages:
+      - match:
+          pipeline_name: "drop-all"
+          selector: '{namespace!~"mail-service|woodpecker"}'
+          action: drop

badhouseplants/values/values.redis.yaml

@@ -1,6 +1,10 @@
 metrics:
   enabled: false
 
+secretAnnotations:
+  reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+  reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+  reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "gitea-service,funkwhale-application"
 architecture: standalone
 master:
   persistence:

badhouseplants/values/values.vaultwarden.yaml

@@ -0,0 +1,63 @@
+---
+# ------------------------------------------
+# -- Istio extenstion. Just because I'm
+# --  not using ingress nginx
+# ------------------------------------------
+istio:
+  enabled: true
+  istio:
+    - name: vaultwarden-http
+      kind: http
+      gateway: istio-system/badhouseplants-net
+      hostname: vault.badhouseplants.net
+      service: vaultwarden
+      port: 8080
+# ------------------------------------------
+# -- Database extension is used to manage
+# --  database with db-operator
+# ------------------------------------------
+ext-database:
+  enabled: true
+  name: vaultwarden-postgres16
+  instance: postgres16
+service: 
+  port: 8080
+vaultwarden:
+  smtp:
+    host: badhouseplants.net
+    security: "starttls"
+    port: 587
+    from: vaultwarden@badhouseplants.net
+    fromName: Vault Warden
+    authMechanism: "Plain"
+    acceptInvalidHostnames: "false"
+    acceptInvalidCerts: "false"
+    debug: false
+  domain: https://vault.badhouseplants.net
+  websocket:
+    enabled: true
+    address: "0.0.0.0"
+    port: 3012
+  rocket:
+    port: "8080"
+    workers: "10"
+  webVaultEnabled: "true"
+  signupsAllowed: false
+  invitationsAllowed: true
+  signupDomains: "https://vault.badhouseplants.com"
+  signupsVerify: "true"
+  showPassHint: "false"
+  database:
+    existingSecret: vaultwarden-postgres16-creds
+    existingSecretKey: CONNECTION_STRING
+    connectionRetries: 15
+    maxConnections: 10
+  storage:
+    enabled: false
+    size: 1Gi
+    class: default
+    dataDir: /data
+  logging:
+    enabled: false
+    logfile: "/data/vaultwarden.log"
+    loglevel: "warn"

badhouseplants/values/values.woodpecker-ci.yaml

@@ -0,0 +1,56 @@
+# ------------------------------------------
+# -- Istio extenstion. Just because I'm
+# --  not using ingress nginx
+# ------------------------------------------
+istio:
+  enabled: true
+  istio:
+    - name: woodpecker-server-http
+      gateway: istio-system/badhouseplants-net
+      kind: http
+      hostname: ci.badhouseplants.net
+      service: woodpecker-ci-server
+      port: 80
+ext-database:
+  enabled: true
+  name: woodpecker-postgres16
+  instance: postgres16
+  credentials:
+    WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
+server:
+  #image:
+  #  registry: git.badhouseplants.net
+  #  repository: allanger/woodpecker-server
+  #  pullPolicy: Always
+  #  tag: icon
+  enabled: true
+  env:
+    WOODPECKER_GITEA: true
+    WOODPECKER_GITEA_URL: https://git.badhouseplants.net
+    WOODPECKER_DATABASE_DRIVER: postgres
+    WOODPECKER_GITEA_CLIENT: ab5e4687-a476-4668-9fbc-288d54095634
+    WOODPECKER_OPEN: true
+    WOODPECKER_ADMIN: "woodpecker,allanger"
+    WOODPECKER_HOST: "https://ci.badhouseplants.net"
+    WOODPECKER_ESCALATE: true
+    WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-ci
+    WOODPECKER_BACKEND_K8S_STORAGE_CLASS: microk8s-hostpath
+  extraSecretNamesForEnvFrom: 
+    - woodpecker-postgres16-creds
+agent:
+  image: 
+    registry: git.badhouseplants.net
+    repository: allanger/woodpecker-agent
+    pullPolicy: Always
+    tag: dev
+  enabled: true
+  extraSecretNamesForEnvFrom: []
+  env:
+    WOODPECKER_SERVER: woodpecker-ci-server:9000
+    WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 3Gi
+    WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-ci
+    WOODPECKER_BACKEND_K8S_STORAGE_CLASS: microk8s-hostpath
+  serviceAccount:
+    create: true
+  rbac:
+    create: true

common/values.database.yaml

@@ -14,3 +14,12 @@ ext-database:
           backup:
             enable: false
             cron: 0 0 * * *
+          {{- if .Values.credentials }}
+          credentials:
+            templates:
+              {{- range $key, $value := .Values.credentials }}
+              - name: {{ $key }}
+                template: {{ $value }}
+                secret: true
+              {{- end }}
+          {{- end }}

common/values.istio-gateway.yaml

@@ -0,0 +1,16 @@
+---
+istio-gateway:
+  templates:
+    - |
+        {{ range .Values.gateways }}
+        ---
+        apiVersion: networking.istio.io/v1beta1
+        kind: Gateway
+        metadata:
+          name: {{ .name }}
+        spec:
+          selector: 
+            istio: ingressgateway
+          servers:
+        {{ toYaml .servers | indent 4 }}
+        {{ end }}

common/values.istio.yaml

@@ -10,7 +10,7 @@ istio:
           name: {{ .name }}
         spec:
           gateways:
-          - "istio-system/{{ .gateway }}"
+          - "{{ .gateway }}"
           hosts:
           -  {{ .hostname | quote }}
           {{- if eq  .kind "http" }}

etersoft/values/secrets.minio.yaml

@@ -9,8 +9,8 @@ users:
 oidc:
     enabled: ENC[AES256_GCM,data:AJwlxQ==,iv:e8Y4xI9VW7R64o5y2TYrMRnL92+RCzFaoF9v4wHDTlc=,tag:T0iZj9cCBxaF444+xuvKuA==,type:bool]
     configUrl: ENC[AES256_GCM,data:UHLEsZwSGwNEV9r6wpiw4lLsMOLxJ6QfHKrrP2oduJE+YG7hImEljrO+/kPSUOgWMGgtXIjT/VLYw7xhW+TL,iv:v6bXPeKMho108y+kErL71RvqlfL0YEUtAaexITN6arY=,tag:r/oglMJVU2J2s3mEgjP+dA==,type:str]
-    clientId: ENC[AES256_GCM,data:39mFCS47/yw1lGxvDs7nLkk941qPaHUMgGBgtcqmJukGMfJK,iv:rfE/1ukQAO8geJVIJQOQaXmn37DfhDMR/t7Ghwd093A=,tag:SDz4TVKiMY+bXAtfrm17/Q==,type:str]
+    clientId: ENC[AES256_GCM,data:6vU3UzdsBjCoxa+H3V87UeNyGt7IYsYMkjEZGFhMfCVWVxxB,iv:4J21E9eskroCTmUFbnt4K4v4tgD+Bjq5j2wT+1q1NE0=,tag:bBDqviaFjnQNDSwTzmpCtw==,type:str]
-    clientSecret: ENC[AES256_GCM,data:KcamhnHBTErbSS6dR7W+suwV5q13yXqZAUBYhKJ5Kj3t14dp6VDHoYc1Dwyt+hebFz0BYYbRA9g=,iv:hOhGu/lRjsEsEz4f6Wnkds6HNq3DnvM+GsJOAz1fOds=,tag:aQ4+xPDgg/2op+NQl7jhSg==,type:str]
+    clientSecret: ENC[AES256_GCM,data:G0OChA212NVb7utdsx4kJRS8BQ0V6igeteOo3Q+PvFTd0U7IVt27YB2u0BUGkt4/Go+wByf8joI=,iv:7khUct7Iln7pi7ET7FBLI51Zc+aFTjLpj92EV5q4Sjc=,tag:vMZtRxTDpphKRW4dN3OVfA==,type:str]
     claimName: ENC[AES256_GCM,data:UUrHhIFP,iv:dKg4zBykxhEKeG40a1eSWRYTyzpb5kBmzhEaULFgSII=,tag:3vfbgsoKkNF2Tmwx3Wi56w==,type:str]
     redirectUri: ENC[AES256_GCM,data:evZK5yq5syKOsTqeqICTWLTq96AXTKftwDdbPYP9Na67N7I12P+jK8k1zKswHQY=,iv:L5AmYGkO2lyU4ytjyMOmuWDg4GtbeoTzcEdZF7WP+es=,tag:BF8AZUJ39+xICfrdNsY9iQ==,type:str]
     comment: ENC[AES256_GCM,data:4h455QlIXewffU2bSKihkg==,iv:p5WRTZfAUgqbF/XpIlaLuUIhQhMWxgs0MW6cqNOiOtg=,tag:yk6CHXx7E8XBY3dath9ezQ==,type:str]
@@ -31,8 +31,8 @@ sops:
             UmdLL0NqWVpuNXBYRENEeTltdFVLREUKrwPN2daokcqABFVXjYCbNyCA0zdMCYh6
             vzTTtNV718OAPQKgl3Ho2c5nhhQcWy5YlWPfGMUklZhocXsAvMXS/g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-03-26T11:56:18Z"
+    lastmodified: "2023-11-04T19:00:41Z"
-    mac: ENC[AES256_GCM,data:oiaqwWDTTSvdGZxcLqAJrLkF+jNL2PfOOrTFtO2Arry1LehiGeXqNiqlHTd5IvnB/LrU9vGv5SjDrq+FRycfceai8O5hW8aGBXqCSZANIx7cpCJqtm1ErNAm8yw+K5rq/WeRKEySszNx7QtSZiM9ufo/GIAZMZgcd/bqFdm6oXE=,iv:s+uHg40NPT3kjwHnRIu3udkbm3gE36JMzPFhM6NdT/4=,tag:Q97lA8fRcPr5kGZEUbmhxQ==,type:str]
+    mac: ENC[AES256_GCM,data:jhZqJDZuHXpb50aI4f9Otj5y7lHzb1JadZqccju0No2PGUVO1Le3X/Zc51YIm3di+UV8bZSDUosYA7mWz4zNsyMwK0ikB0zUb12Wv1M0ESe4sJQR3mlQSa6fBe1EUGSAtjtmo/HlKaWvprEo3knTZJrxN8pZdTaPOTSA/Akr8m0=,iv:oUbuW1FL1qFbByt5DKqgCWVv/0D2ByWXs2dyUSuB3Uc=,tag:19MFSo0Y1AfB+kFk0sfW2g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

etersoft/values/values.minio.yaml

@@ -73,6 +73,8 @@ policies:
         - 'arn:aws:s3:::longhorn'
         - 'arn:aws:s3:::restic/*'
         - 'arn:aws:s3:::restic'
+        - 'arn:aws:s3:::etcd/*'
+        - 'arn:aws:s3:::etcd'
       actions:
         - "s3:DeleteObject"
         - "s3:GetObject"
@@ -87,6 +89,10 @@ buckets:
     policy: none
     purge: false
     versioning: false
+  - name: etcd
+    policy: none
+    versioning: false
+    purge: false
 metrics:
   serviceMonitor:
     enabled: false

etersoft/values/values.openvpn.yaml

@@ -14,6 +14,8 @@ istio:
       service: openvpn
       port: 1194
 
+image:
+  tag: v2.6.5-xor-4.0.0beta08
 storage:
   class: microk8s-hostpath
   size: 5Gi

helmfile.yaml

@@ -8,13 +8,9 @@ bases:
 releases:
   - <<: *metrics-server
     installed: true
-    namespace: kube-system
-    createNamespace: false
 
   - <<: *istio-base
     installed: true
-    namespace: istio-system
-    createNamespace: false
   
   - <<: *istio-gateway
     installed: true
@@ -28,8 +24,6 @@ releases:
 
   - <<: *cert-manager
     installed: true
-    namespace: cert-manager
-    createNamespace: false
 
   - <<: *minio
     installed: true
@@ -43,7 +37,10 @@ releases:
   
   - <<: *metallb
     installed: true
-    namespace: metallb-system
+
+  - <<: *reflector
+    installed: true
+    namespace: reflector-system
     createNamespace: true
 
 helmfiles:

manifests/badhouseplants/namespace-creator-binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: namespace-manager
+subjects:
+  - kind: User
+    name: badhousplants
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: namespace-manager
+  apiGroup: rbac.authorization.k8s.io

manifests/badhouseplants/namespace-creator-role.yaml

@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: namespace-manager
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "watch", "list", "create", "delete"]

releases.yaml

@@ -41,6 +41,14 @@ templates:
   # ----------------------------
   # -- Extensions
   # ----------------------------
+  ext-istio-gateway:
+    dependencies:
+      - chart: bedag/raw
+        version: 2.0.0
+        alias: istio-gateway
+    values:
+      - '{{ requiredEnv "PWD" }}/common/values.istio-gateway.yaml'
+
   ext-istio-resource:
     dependencies:
       - chart: bedag/raw
@@ -88,37 +96,46 @@ templates:
     name: metrics-server
     chart: metrics-server/metrics-server
     version: 3.11.0
+    namespace: kube-system
+    createNamespace: true
     values:
       - common/values.{{ .Release.Name }}.yaml
 
   metallb: &metallb
     name: metallb
     chart: metallb/metallb
-    version: 0.13.11
+    version: 0.13.12
+    namespace: metallb-system
+    createNamespace: true
 
   cert-manager: &cert-manager
     name: cert-manager
     chart: jetstack/cert-manager
-    version: 1.12.4
+    version: 1.13.3
+    namespace: cert-manager
+    createNamespace: true
     set:
       - name: installCRDs
         value: true
+
   longhorn: &longhorn
     name: longhorn
     chart: longhorn/longhorn
-    version: 1.5.1
+    version: 1.5.3
     inherit:
       - template: default-env-values
 
   argocd: &argocd
     name: argocd
     chart: argo/argo-cd
-    version: 5.46.2
+    version: 5.51.6
     inherit:
       - template: default-env-values
       - template: default-env-secrets
       - template: ext-istio-resource
-
+  # -------------------------------------------------------------------
+  # -- Monitoring
+  # -------------------------------------------------------------------
   monitoring-common:
     labels:
       bundle: monitoring
@@ -126,7 +143,7 @@ templates:
   prometheus: &prometheus
     name: prometheus
     chart: prometheus-community/kube-prometheus-stack
-    version: 51.0.0
+    version: 55.3.1
     inherit:
       - template: monitoring-common
       - template: default-env-values
@@ -137,7 +154,7 @@ templates:
   loki: &loki
     name: loki
     chart: grafana/loki
-    version: 5.20.0
+    version: 5.41.1
     inherit:
       - template: monitoring-common
       - template: default-env-values
@@ -145,7 +162,7 @@ templates:
   promtail: &promtail
     name: promtail
     chart: grafana/promtail
-    version: 6.15.1
+    version: 6.15.3
     inherit:
       - template: monitoring-common
       - template: default-env-values
@@ -153,9 +170,11 @@ templates:
   # -- Istio
   # ----------------------------
   istio-common:
+    version: 1.20.1
     labels:
       bundle: istio
-    version: 1.19.0
+    namespace: istio-system
+    createNamespace: true
 
   istio-base: &istio-base
     name: istio-base
@@ -167,13 +186,26 @@ templates:
   istio-gateway: &istio-gateway
     name: istio-ingressgateway
     chart: istio/gateway
+    needs:
+      - istio-system/istio-base
     inherit:
       - template: istio-common
       - template: default-env-values
 
+  istio-gateway-resources: &istio-gateway-resources
+    name: istio-gateway-resources
+    chart: bedag/raw
+    version: 2.0.0
+    inherit:
+      - template: ext-istio-gateway
+      - template: ext-certificate
+      - template: default-env-values
+
   istiod: &istiod
     name: istiod
     chart: istio/istiod
+    needs:
+      - istio-system/istio-base
     inherit:
       - template: istio-common
       - template: default-env-values
@@ -184,7 +216,7 @@ templates:
   openvpn: &openvpn
     name: openvpn
     chart: allanger-gitea/openvpn
-    version: 1.0.6
+    version: 1.0.7
     inherit:
       - template: default-env-values
       - template: ext-istio-resource
@@ -207,16 +239,26 @@ templates:
   drone-runner-docker: &drone-runner-docker
     name: drone-runner-docker
     chart: drone/drone-runner-docker
-    version: 0.6.1
+    version: 0.6.2
     inherit:
       - template: default-env-values
       - template: default-env-secrets
       - template: drone-common
 
+  woodpecker-ci: &woodpecker-ci
+    name: woodpecker-ci
+    chart: woodpecker/woodpecker
+    version: 1.0.1
+    inherit:
+      - template: ext-database
+      - template: default-env-values
+      - template: default-env-secrets
+      - template: ext-istio-resource
+
   nrodionov: &nrodionov
     name: nrodionov
     chart: bitnami/wordpress
-    version: 17.1.7
+    version: 18.1.24
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -226,7 +268,7 @@ templates:
   minio: &minio
     name: minio
     chart: minio/minio
-    version: 5.0.13
+    version: 5.0.14
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -235,7 +277,7 @@ templates:
   minecraft: &minecraft
     name: minecraft
     chart: minecraft-server-charts/minecraft
-    version: 4.9.6
+    version: 4.12.0
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -244,7 +286,7 @@ templates:
   gitea: &gitea
     name: gitea
     chart: gitea/gitea
-    version: 9.4.0
+    version: 9.6.1
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -254,23 +296,13 @@ templates:
   funkwhale: &funkwhale
     name: funkwhale
     chart: ananace-charts/funkwhale
-    version: 2.0.3
+    version: 2.0.5
     inherit:
       - template: default-env-values
       - template: default-env-secrets
       - template: ext-istio-resource
       - template: ext-database
 
-  mailu: &mailu
-    name: mailu
-    chart: mailu/mailu
-    version: 1.2.0
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-istio-resource
-      - template: ext-certificate
-
   bitwarden: &bitwarden
     name: bitwarden
     chart: bitwarden/vaultwarden
@@ -283,15 +315,15 @@ templates:
   redis: &redis
     name: redis
     chart: bitnami/redis
-    version: 18.0.4
+    version: 18.5.0
     inherit:
       - template: default-env-values
       - template: default-env-secrets
 
-  postgres: &postgres
+  postgres16: &postgres16
-    name: postgres
+    name: postgres16
     chart: bitnami/postgresql
-    version: 12.11.1
+    version: 13.2.24
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -299,12 +331,12 @@ templates:
   db-operator: &db-operator
     name: db-operator
     chart: db-operator/db-operator
-    version: 1.10.1
+    version: 1.14.1
 
   db-instances: &db-instances
     name: db-instances
     chart: db-operator/db-instances
-    version: 1.4.2
+    version: 2.1.1
     inherit:
       - template: default-env-values
       - template: default-env-secrets
@@ -312,7 +344,31 @@ templates:
   mysql: &mysql
     name: mysql
     chart: bitnami/mysql
-    version: 9.12.2
+    version: 9.14.4
     inherit:
       - template: default-env-values
       - template: default-env-secrets
+
+  docker-mailserver: &docker-mailserver
+    name: docker-mailserver
+    chart: allanger-gitea/docker-mailserver
+    version: 2.2.0
+    inherit:
+      - template: default-env-values
+      - template: ext-istio-gateway
+      - template: ext-istio-resource
+
+  vaultwarden: &vaultwarden
+    name: vaultwarden
+    chart: badhouseplants/vaultwarden
+    version: 1.0.0
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+      - template: ext-istio-resource
+      - template: ext-database
+
+  reflector: &reflector
+    name: reflector
+    chart: emberstack/reflector
+    version: 7.1.216

repositories.yaml

@@ -1,4 +1,3 @@
----
 repositories:
   - name: metrics-server
     url: https://kubernetes-sigs.github.io/metrics-server/
@@ -36,3 +35,11 @@ repositories:
     url: https://db-operator.github.io/charts
   - name: allanger-gitea
     url: https://git.badhouseplants.net/api/packages/allanger/helm
+  - name: badhouseplants
+    url: https://badhouseplants.github.io/helm-charts/
+  - name: woodpecker
+    url: https://woodpecker-ci.org
+  - name: firefly-iii
+    url: https://firefly-iii.github.io/kubernetes/
+  - name: emberstack
+    url: https://emberstack.github.io/helm-charts

scripts/migrate_postgres.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+export PGHOST=$OLD_PGHOST
+export PGPASSWORD=$OLD_PGPASSWORD
+export PGDATABASE=$OLD_PGDATABASE
+DUMP_FILE=/tmp/$PGDATABASE.dump
+pg_dump $PGDATABASE --no-owner --no-privileges -Fc -f $DUMP_FILE -vvv
+
+export PGHOST=$NEW_PGHOST
+export PGPASSWORD=$NEW_PGPASSWORD
+export PGDATABASE=$NEW_PGDATABASE
+pg_restore --no-owner --no-privileges -d $PGDATABASE -Fc $DUMP_FILE -vvv
+
+psql -c "GRANT ALL PRIVILEGES ON DATABASE \"${PGDATABASE}\" to \"${PGDATABASE}\""
+psql -c "GRANT ALL ON SCHEMA public to \"${PGDATABASE}\""
+psql -c "GRANT ALL ON ALL TABLES IN SCHEMA public TO \"${PGDATABASE}\""
+
+rm -f /tmp/output
+
+psql -c "\
+SELECT format(\
+  'ALTER TABLE %I.%I.%I OWNER TO %I;',\
+  table_catalog,\
+  table_schema,\
+  table_name,\
+  '${PGDATABASE}')\
+FROM information_schema.tables \
+WHERE table_schema='public'" | grep ALTER > /tmp/output
+
+psql -c "\
+SELECT format(\
+  'ALTER SEQUENCE %I.%I.%I OWNER TO %I;',\
+  sequence_catalog,\
+  sequence_schema,\
+  sequence_name,\
+  '${PGDATABASE}')\
+FROM information_schema.sequences \
+WHERE sequence_schema='public'" | grep ALTER >> /tmp/output
+
+psql -c "$(cat /tmp/output)"