chore(deps): update helm-library docker tag to v0.2.3

Install kyverno to the etersoft cluster too
Fix traefik
2025-02-16 01:01:16 +00:00 · 2025-02-11 15:39:19 +01:00 · 2025-02-09 16:41:53 +01:00 · 2025-02-09 11:41:45 +01:00 · 2025-02-09 10:41:00 +00:00 · 2025-02-09 10:40:54 +00:00
33 changed files with 867 additions and 129 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -11,10 +11,10 @@ repos:
          (?x)^(
            .*secrets.*yaml
          )$
-  - repo: https://github.com/codespell-project/codespell
-    rev: v2.2.4
-    hooks:
-      - id: codespell
+          #  - repo: https://github.com/codespell-project/codespell
+          #    rev: v2.2.4
+          #    hooks:
+          #      - id: codespell
  - repo: local
    hooks:
      - id: check-sops-secrets
--- a/charts/tf-ocloud/Chart.yaml
+++ b/charts/tf-ocloud/Chart.yaml
@ -9,7 +9,7 @@ maintainers:
    url: https://badhouseplants.net
 dependencies:
  - name: helm-library
-    version: 0.2.1
+    version: 0.2.3
    repository: oci://ghcr.io/allanger/allangers-helm-library
 annotations:
  allowed_workload_kinds: "Deployment"
--- a/installations/applications/helmfile-badhouseplants.yaml
+++ b/installations/applications/helmfile-badhouseplants.yaml
@ -12,6 +12,8 @@ repositories:
    url: git+https://gitea.badhouseplants.net/badhouseplants/badhouseplants-helm@charts?ref=main
  - name: bedag
    url: https://bedag.github.io/helm-charts/
+  - name: open-strike
+    url: git+https://gitea.badhouseplants.net/badhouseplants/open-strike-2.git@helm?ref=main

 releases:
  - name: gitea
@ -49,14 +51,14 @@ releases:
      - template: env-values
      - template: env-secrets

-  - name: vaultwarden
-    chart: allangers-charts/vaultwarden
-    version: 2.3.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
+        #- name: vaultwarden
+        #  chart: allangers-charts/vaultwarden
+        #  version: 2.3.0
+        #  namespace: applications
+        #  inherit:
+        #    - template: default-env-values
+        #    - template: default-env-secrets
+        #    - template: ext-database

  - name: stalwart
    chart: allangers-charts/stalwart
@ -131,3 +133,9 @@ releases:
          keel.sh/policy: force
          keel.sh/trigger: poll
          keel.sh/initContainers: 'true'
+
+  - name: app-open-strike-2
+    chart: open-strike/open-strike-2
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
--- a/installations/applications/helmfile-etersoft.yaml
+++ b/installations/applications/helmfile-etersoft.yaml
@ -8,6 +8,8 @@ repositories:
  - name: gabe565
    url: ghcr.io/gabe565/charts
    oci: true
+  - name: xray-docs
+    url: git+https://gitea.badhouseplants.net/badhouseplants/xray-docs.git@helm?ref=main
 releases:
  - name: openvpn
    chart: allangers-charts/openvpn
@ -32,12 +34,6 @@ releases:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-database
-  - name: tf-ocloud
-    chart: ../../charts/tf-ocloud
-    namespace: pipelines
-    installed: false
-    inherit:
-      - template: default-env-secrets

  - name: nrodionov
    chart: bitnami/wordpress
@ -52,3 +48,21 @@ releases:
    chart: ../../kustomizations/external-service-xray
    installed: true
    namespace: public-xray
+
+  - name: server-xray-public
+    chart: allangers-charts/server-xray
+    namespace: public-xray
+    version: 0.5.0
+    inherit:
+      - template: default-env-secrets
+      - template: default-env-values
+      - template: ext-tcp-routes
+      - template: ext-cilium
+      - template: ext-certificate
+
+  - name: xray-docs
+    chart: xray-docs/xray-docs
+    installed: true
+    namespace: public-xray
+    inherit:
+      - template: default-env-values
--- a/installations/games/helmfile.yaml
+++ b/installations/games/helmfile.yaml
@ -13,7 +13,7 @@ releases:
  - name: minecraft
    chart: minecraft/minecraft
    namespace: games
-    version: 4.23.6
+    version: 4.23.7
    inherit:
      - template: ext-tcp-routes
      - template: default-env-values
--- a/installations/monitoring/helmfile.yaml
+++ b/installations/monitoring/helmfile.yaml
@ -12,7 +12,7 @@ releases:
  - name: prometheus
    chart: prometheus-community/kube-prometheus-stack
    namespace: observability
-    version: 67.5.0
+    version: 68.5.0
    inherit:
      - template: default-env-values
      - template: default-env-secrets
@ -20,7 +20,7 @@ releases:
  - name: grafana
    chart: grafana/grafana
    namespace: observability
-    version: 8.8.2
+    version: 8.9.0
    installed: true
    inherit:
      - template: default-env-values
@ -28,7 +28,7 @@ releases:
  - name: loki
    chart: grafana/loki
    namespace: observability
-    version: 6.24.0
+    version: 6.25.1
    inherit:
      - template: default-env-values
      - template: ext-secret
--- a/installations/pipelines/helmfile.yaml
+++ b/installations/pipelines/helmfile.yaml
@ -12,7 +12,7 @@ releases:
  - name: woodpecker-ci
    chart: woodpecker/woodpecker
    namespace: pipelines
-    version: 2.0.3
+    version: 3.0.1
    inherit:
      - template: ext-database
      - template: default-env-values
@ -20,14 +20,14 @@ releases:
  - name: renovate-gitea
    chart: renovate/renovate
    namespace: pipelines
-    version: 39.99.0
+    version: 39.164.0
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: renovate-github
    chart: renovate/renovate
    namespace: pipelines
-    version: 39.99.0
+    version: 39.164.0
    inherit:
      - template: default-env-values
      - template: default-env-secrets
--- a/installations/platform/helmfile.yaml
+++ b/installations/platform/helmfile.yaml
@ -23,6 +23,8 @@ repositories:
    url: https://kubernetes-sigs.github.io/external-dns/
  - name: keel
    url: https://keel-hq.github.io/keel/
+  - name: uptime-kuma
+    url: https://helm.irsigler.cloud

 releases:
  - name: db-operator
@ -42,7 +44,7 @@ releases:

  - name: zot
    chart: zot/zot
-    version: 0.1.65
+    version: 0.1.66
    createNamespace: false
    installed: true
    namespace: platform
@ -53,7 +55,7 @@ releases:

  - name: authentik
    chart: goauthentik/authentik
-    version: 2024.12.2
+    version: 2024.12.3
    namespace: platform
    createNamespace: false
    condition: workload.enabled
@ -75,25 +77,22 @@ releases:
  - name: kyverno
    chart: kyverno/kyverno
    namespace: kyverno
-    condition: workload.enabled
    labels:
      bootstrap: true
-    version: 3.3.4
+    version: 3.3.6

  - name: kyverno-policies
    chart: kyverno/kyverno-policies
    namespace: kyverno
-    condition: workload.enabled
    labels:
      bootstrap: true
-    version: 3.3.2
+    version: 3.3.4
    needs:
      - kyverno/kyverno

  - name: custom-kyverno-policies
-    chart: ../../kustomizations/kyverno/
+    chart: "../../kustomizations/kyverno/{{ .Environment.Name }}"
    namespace: kyverno
-    condition: workload.enabled
    labels:
      bootstrap: true
    needs:
@ -101,7 +100,7 @@ releases:

  - name: external-dns
    chart: external-dns/external-dns
-    version: 1.15.0
+    version: 1.15.1
    namespace: platform
    inherit:
      - template: default-env-values
@ -111,4 +110,10 @@ releases:
    chart: keel/keel
    version: v1.0.5
    namespace: platform
-    condition: workload.enabled
+
+  - name: uptime-kuma
+    chart: uptime-kuma/uptime-kuma
+    version: 2.21.2
+    namespace: platform
+    inherit:
+      - template: default-env-values
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@ -45,14 +45,14 @@ releases:

  - name: coredns
    chart: coredns/coredns
-    version: 1.37.0
+    version: 1.39.0
    namespace: kube-system
    inherit:
      - template: default-common-values

  - name: cilium
    chart: cilium/cilium
-    version: 1.16.5
+    version: 1.17.0
    condition: base.enabled
    namespace: kube-system
    needs:
@ -62,7 +62,7 @@ releases:

  - name: cert-manager
    chart: jetstack/cert-manager
-    version: v1.16.2
+    version: v1.17.0
    namespace: kube-system
    condition: base.enabled
    missingFileHandler: Warn
@ -115,7 +115,7 @@ releases:

  - name: traefik
    chart: traefik/traefik
-    version: 33.2.1
+    version: 34.3.0
    condition: base.enabled
    namespace: kube-system
    needs:
@ -127,7 +127,7 @@ releases:
  - name: velero
    chart: vmware-tanzu/velero
    namespace: velero
-    version: 8.2.0
+    version: 8.3.0
    condition: velero.enabled
    needs:
      - kube-system/cilium
@ -140,7 +140,7 @@ releases:
    chart: openebs/openebs
    condition: openebs.enabled
    namespace: kube-system
-    version: 4.1.1
+    version: 4.1.3
    needs:
      - kube-system/cilium
    inherit:
--- a/kustomizations/kyverno/badhouseplants/pvc-patch.yaml
+++ b/kustomizations/kyverno/badhouseplants/pvc-patch.yaml
--- a/kustomizations/kyverno/etersoft/pvc-patch.yaml
+++ b/kustomizations/kyverno/etersoft/pvc-patch.yaml
@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: replace-storage-class-by-openebs
+spec:
+  rules:
+    - name: replace-storage-class
+      match:
+        any:
+          - resources:
+              kinds:
+                - PersistentVolumeClaim
+              namespaces:
+                - application
+                - platform
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              volume.kubernetes.io/selected-node: yekaterinburg
--- a/values/badhouseplants/org-badhouseplants/app-linkstack/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-linkstack/values.yaml
@ -0,0 +1,15 @@
+shortcuts:
+  hostname: links.badhouseplants.net
+  adminEmail: allanger@badhouseplants.net
+
+ingress:
+  main:
+    class: traefik
+    metadata:
+      annotations:
+        kubernetes.io/ingress.class: traefik
+        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+        kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.allow-http: "false"
+        kubernetes.io/ingress.global-static-ip-name: ""
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
--- a/values/badhouseplants/org-badhouseplants/app-open-strike-2/values.yaml
+++ b/values/badhouseplants/org-badhouseplants/app-open-strike-2/values.yaml
@ -0,0 +1,20 @@
+deployAnnotations:
+  keel.sh/policy: force
+  keel.sh/trigger: poll
+  keel.sh/initContainers: 'true'
+
+extra:
+  templates:
+    - |-
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteUDP
+      metadata:
+        name: "{{ .Release.Name }}-game"
+      spec:
+        entryPoints:
+        - game-udp
+        routes:
+        - services:
+          - name: app-open-strike-2-main
+            nativeLB: true
+            port: 27015
--- a/values/badhouseplants/secrets.server-xray-public-edge.yaml
+++ b/values/badhouseplants/secrets.server-xray-public-edge.yaml
--- a/values/badhouseplants/secrets.server-xray-public.yaml
+++ b/values/badhouseplants/secrets.server-xray-public.yaml
--- a/values/badhouseplants/values.gitea.yaml
+++ b/values/badhouseplants/values.gitea.yaml
@ -40,16 +40,15 @@ replicaCount: 1
 clusterDomain: cluster.local
 resources:
  limits:
-    cpu: 512m
    memory: 1024Mi
  requests:
    cpu: 512m
-    memory: 256Mi
+    memory: 1024Mi
 persistence:
  enabled: true
  size: 15Gi
  accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
 # ------------------------------------------
 # -- Main Gitea settings
 # ------------------------------------------
--- a/values/badhouseplants/values.server-xray-public-edge.yaml
+++ b/values/badhouseplants/values.server-xray-public-edge.yaml
@ -9,6 +9,13 @@ certificate:
      dnsNames:
        - xray-public-edge.badhouseplants.net
        - 195.201.249.91
+workload:
+  replicas: 1
+  containers:
+    server-xray:
+      ports:
+        shadowsocks-tcp: tcp
+        shadowsocks-udp: udp

 traefik:
  enabled: true
@ -18,6 +25,17 @@ traefik:
      match: HostSNI(`*`)
      entrypoint: xray-edge
      port: 443
+    - name: server-shadowsocks-public-edge-tcp
+      service: server-xray-public-edge-shadowsocks-tcp
+      match: HostSNI(`*`)
+      entrypoint: ssocks-etcp
+      port: 8443
+  udpRoutes:
+    - name: server-shadowsocks-public-edge-udp
+      service: server-xray-public-edge-shadowsocks-udp
+      match: HostSNI(`*`)
+      entrypoint: ssocks-eudp
+      port: 8443
 shortcuts:
  hostname: xray-public-edge.badhouseplants.net
 ingress:
@ -33,8 +51,23 @@ extraVolumes:
  certs:
    secret:
      secretName: xray-public-edge.badhouseplants.net
-workload:
-  replicas: 1
+service:
+  shadowsocks-tcp:
+    enabled: true
+    type: ClusterIP
+    ports:
+      tcp:
+        port: 8443
+        targetPort: 8443
+        protocol: TCP
+  shadowsocks-udp:
+    enabled: true
+    type: ClusterIP
+    ports:
+      udp:
+        port: 8443
+        targetPort: 8443
+        protocol: UDP
 ext-cilium:
  enabled: true
  ciliumNetworkPolicies:
--- a/values/badhouseplants/values.server-xray-public.yaml
+++ b/values/badhouseplants/values.server-xray-public.yaml
@ -9,7 +9,7 @@ certificate:
      dnsNames:
        - xray-public-dyn.badhouseplants.net
        - xray-public.badhouseplants.net
-        - 195.201.249.91
+        #- 195.201.249.91

 traefik:
  enabled: true
--- a/values/badhouseplants/values.team-fortress-2.yaml
+++ b/values/badhouseplants/values.team-fortress-2.yaml
@ -17,7 +17,7 @@ traefik:
  enabled: true
  tcpRoutes:
    - name: team-fortress-2
-      service: team-fortress-2-rcon
+      service: team-fortress-2-tf2-rcon
      match: HostSNI(`*`)
      entrypoint: tf2-rcon
      port: 27015
@ -25,7 +25,7 @@ traefik:
    - name: team-fortress-2
      service: team-fortress-2-tf2
      match: HostSNI(`*`)
-      entrypoint: tf2
+      entrypoint: tf2-main
      port: 27015

 storage:
--- a/values/badhouseplants/values.traefik.yaml
+++ b/values/badhouseplants/values.traefik.yaml
@ -101,27 +101,38 @@ ports:
    proxyProtocol:
      trustedIPs:
        - "192.168.0.0/16"
+
  minecraft:
    port: 25565
    protocol: TCP
    exposedPort: 25565
    expose:
      default: true
-  shadowsocks:
-    port: 8388
-    protocol: TCP
-    exposedPort: 8388
-    expose:
-      default: true
-  tf2:
+
+  game-udp:
    port: 37015
    protocol: UDP
    exposedPort: 37015
    expose:
      default: true
-  tf2-rcon:
-    port: 37015
-    protocol: TCP
-    exposedPort: 37015
-    expose:
-      default: true
+
+      #  tf2-rcon:
+      #    port: 37015
+      #    protocol: TCP
+      #    exposedPort: 37015
+      #    expose:
+      #      default: true
+
+      #  ssocks-etcp:
+      #    port: 8444
+      #    protocol: TCP
+      #    exposedPort: 8443
+      #    expose:
+      #      default: true
+      #
+      #  ssocks-eudp:
+      #    port: 8445
+      #    protocol: UDP
+      #    exposedPort: 8443
+      #    expose:
+      #      default: true
--- a/values/badhouseplants/values.uptime-kuma.yaml
+++ b/values/badhouseplants/values.uptime-kuma.yaml
@ -0,0 +1,20 @@
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    external-dns.alpha.kubernetes.io/ingress-hostname-source: defined-hosts-only
+  hosts:
+    - host: uptime.badhouseplants.net
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+
+  tls:
+    - secretName: uptime.badhouseplants.net
+      hosts:
+        - uptime.badhouseplants.net
--- a/values/common/values.traefik.yaml
+++ b/values/common/values.traefik.yaml
@ -3,7 +3,7 @@ globalArguments:
  - "--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik"
 ports:
  web:
-    redirectTo:
+    redirections:
      port: websecure
 deployment:
  replicas: 2
--- a/values/etersoft/secrets.minio-self.yaml
+++ b/values/etersoft/secrets.minio-self.yaml
@ -0,0 +1,38 @@
+rootPassword: ENC[AES256_GCM,data:4rs7judCzIEqSRfGi8HLmzVftOinmHRAGA==,iv:t6bRBgKOQ+kGn9v0tixllqyeyEWuQTzBMLq36rixY8o=,tag:SZuW/gvFFI+nn/vtKSmc0w==,type:str]
+users:
+    - accessKey: ENC[AES256_GCM,data:wJ+sB2Jlt84=,iv:lrhvu5BfIRl6kmmVp/SzDHkS7KlZ/bB8Al5hKUOzmNY=,tag:XuC2cM6Twl/KaOPbEphgWw==,type:str]
+      secretKey: ENC[AES256_GCM,data:n5SSGB1AhxZm2uOrdW5kVLbUid8sACwyQw==,iv:hrMcDAWiXz14Q6Wf+bnxxJxFLL1QJBEr0JjWqTPBLN0=,tag:vekhUJFpIv4QmXFTuupOOA==,type:str]
+      policy: ENC[AES256_GCM,data:javfx3iMs44=,iv:naNJLTEs62JDgUgKWSRcCclsslJZkiazyJ0iyhTO3cM=,tag:7yOHyC0BfV/41zWDd0m4sg==,type:str]
+    - accessKey: ENC[AES256_GCM,data:oRP+H3vA,iv:N6XQ34NYrCfFci5dw6nQroc/tqByz4ilnQCDh4ZKL5A=,tag:2UFZDLdjBUN0HqRLXh87lw==,type:str]
+      secretKey: ENC[AES256_GCM,data:LPzli0O0ePL2vghWNsf07P41G3+aXUdBUQ==,iv:vu/TI1jU9/m30DegKxUAaObUq9FyB1IXUB1vqL5kKoI=,tag:1Ar6MNR5pTCzeBlH7yl2hQ==,type:str]
+      policy: ENC[AES256_GCM,data:gj1EGs4L,iv:N9J+yXcG3fLyg7dPlICi7tdTk6OPLpVpC0IFprfbGaM=,tag:65lRXTg0R76y23QXNLD5pA==,type:str]
+oidc:
+    enabled: ENC[AES256_GCM,data:ar/fBw==,iv:rs1ESCu8noZhU5nKkU6HS+qysYGQfFXo96uliAY+9xw=,tag:MvgSVLelQSlk1Swx47+s6g==,type:bool]
+    configUrl: ENC[AES256_GCM,data:195i1omIYscB5Qo+p+S0LBEI0CAHMaVz8smR7c4l57Yw05R4GfBJR16DswMgoF8FC+UFBlp46/WFYA5f1CZIlaVFipqBTYeEflDGQ59IJWVUo9Apw06Hfw43HrLC7POQL3w=,iv:x9WmZvzI3Gkf+2BMdIVkL/UxK6hIHJPVgOOVyDoPQHk=,tag:euHGWXq5PNLj55XuU3amGQ==,type:str]
+    clientId: ENC[AES256_GCM,data:DGIVa81hjIMmotzffms=,iv:mtuMKY07CKQD7GMyKJkUs3sQdbwnXCm3n78cfyxIvIY=,tag:sRQJXhOY4LPTry6TMtoqcg==,type:str]
+    clientSecret: ENC[AES256_GCM,data:HaRln7Az/+lP/01RFtlTCLSReAQ2OYxRlmQ3LSi9r1tVWZD501RaCif9/68BIOnhGUFGbZPobbRWOfQDULycXHdqK5nms5S0YOFNOwxUCPkttlljZ3fyw157lmFGUrivzMjWpIp5clqoWtIWE71q3UDJ95FoOBjG0HRtFoDo4d4=,iv:73/N0JSCwLd//HHOIjuPkHCY5lKtEuRahx93lG8Bipo=,tag:Tltx2XXeJYGQczCvb7rqBA==,type:str]
+    claimName: ENC[AES256_GCM,data:AnMUWTj8,iv:6tV4XKIT+utrSIbUVGHJVXjPI/i9mJrzki2zC4n+4Dc=,tag:iHnClGYFTHpUry/x/wZuTg==,type:str]
+    redirectUri: ENC[AES256_GCM,data:F30Q9PQvXb+bmkNib2/END1/E/my3kOo8RTvoN+/OJMCz/nDRR6lgoA3LYHXh88=,iv:47dIKSJW/5xQdmASUiPOfHo7193LfAQ/R/F+saAzSWg=,tag:SLREgi2vBl5mvh0J1K3nCw==,type:str]
+    comment: ENC[AES256_GCM,data:t/1OqmIDiudE536CpZUYIgIq9gI=,iv:uwzrEwQUO+eVpCTYYXHjfdnJmKm/mEwre7zTtbwO0Q0=,tag:J/vmOjueOqdUq8Kuq5Ke6Q==,type:str]
+    claimPrefix: ""
+    scopes: ENC[AES256_GCM,data:wqLHN7dmjg4Tly8wOIm/3zZyzx1Mw3NLNqpl,iv:p1iC127avWNcGV8Qj9WLFeAZTrZokF467nAqSwEe43k=,tag:SilNPiK+t2xvgvuTfQwhFQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cWJpMDFLTHZlTlZPMW8r
+            ZFpqM3VnM3dQeThqb1pOdHlVbHkyeVo1ZlFvCmhDV01rZklMME12NVl4YmthWEd4
+            RndOYkgwSkwwaGhMNE1NZVFxaWZnbXcKLS0tIENqa0RwR3B1MEk0cjJhbkIxdW1W
+            bFRMQm9QOFRQaFVpaFpqMmdjRTAvODAKhhEOX3d51JWmAYMZdT2LZpkLkuCOcpEz
+            8sfofHVU+5gCOTZj6fTvIm0wvnVC7lmTaRkZBEKnuPavjTDfXKluGQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-01T18:57:37Z"
+    mac: ENC[AES256_GCM,data:JzgKhfxs3QI6um/3xFlik6B7vgWAcIoswucE0j6h4Z7smHgP+FuuJxXEeqJQaAhSGEQnm7XhJRoJ3HfIaPK87D8cU8g0GeOOQMF2ZZL5gQ3YxWDsI5g9HayoCYqRQHd6uq4x6zGKQ+zodnHBBQnujnDWwOykfyANav6eloW5tnI=,iv:jkxc313m9KCoUjdHfUqpwLzFJe6bmSlM4kGdqEsUbMw=,tag:SDEnSkv8jB/RfUGj4zX+4w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
--- a/values/etersoft/secrets.minio.yaml
+++ b/values/etersoft/secrets.minio.yaml
@ -1,21 +1,21 @@
-rootPassword: ENC[AES256_GCM,data:btF9/FtQLpalONXSRhY8/HC4gq8vnuaaHw==,iv:K48dhNKPsqwaqvR0z+7sFdlKt56aa85z7NeSvd5KxVk=,tag:Okg6vpyaxpDFuF0sGuGthA==,type:str]
+rootPassword: ENC[AES256_GCM,data:OjZ/T/pAAotJvTUjkJ1yGooWnz6NfLZR2w==,iv:uG8cnfJJsx8yrAo1PONBPNF4pDC0PQz6LDpb97FRf58=,tag:/1KQ7Zp+UqA7TCloNkI5Xw==,type:str]
 users:
-    - accessKey: ENC[AES256_GCM,data:VU3XYBaFgnM=,iv:f8ph1DPZWHGQtfqgTby/P/ul7esiOaaUao4pjdxbW6w=,tag:MEpgtL5guJLdvELP+dUljQ==,type:str]
-      secretKey: ENC[AES256_GCM,data:rKH1j/NxhMtpPl5ugHftlAim4ZxWK2oCsQ==,iv:Dc3HGHyFzqwwBb2wau0H0Hu1d2cepckdp3O8AEsJ4xo=,tag:MXVe8mP/iAAxHV1yXReb6Q==,type:str]
-      policy: ENC[AES256_GCM,data:MjyZxYF52hw=,iv:xEb55FQfwZGa0ye9kvEqcXRD8lYojprnhiy3yZ+4ldA=,tag:cwo0RUXdS+ECYBHEqPs4tA==,type:str]
-    - accessKey: ENC[AES256_GCM,data:OgGOUoRh,iv:dznjmOZxw2YpCkyjfX61XkpRYk8sRq/vFsm2Vj2NUv4=,tag:3dZTLCRu7tLNfLxuGmuuGw==,type:str]
-      secretKey: ENC[AES256_GCM,data:GlUxSIQMcUNqrj6ucgqnfIzp73DtEN0Ihg==,iv:HpSmvfE0Nml3rlTVtZUnfCNEK9L6yjnwBoxMArZiraQ=,tag:vNJr62ntsRu9muSav0TXug==,type:str]
-      policy: ENC[AES256_GCM,data:aqDFdoy0,iv:nPNxbT0jwpTXDjs0hXgt5clFstAjbgqO6IH+Dnox/+Q=,tag:P/m0PHwZcqaF5QYQrD4oMQ==,type:str]
+    - accessKey: ENC[AES256_GCM,data:xaBSF0dMBQQ=,iv:1q33eR4d4Fw2m2m7d+gdT29/X8HKJAOyNcNO1vlNf+k=,tag:mcMkLEVqP7IgN6DcLjTagw==,type:str]
+      secretKey: ENC[AES256_GCM,data:GSjy0MYT5DAAIN86CATL68kqJGy7RApNLw==,iv:mVjOAzqLFB30plV2ZAHGNrphuwHhVY0gga2SH995NUM=,tag:rPxGHyfJIdzA10I1rhwb/Q==,type:str]
+      policy: ENC[AES256_GCM,data:SRhftF+GquY=,iv:b3kR9lbrz85Ji/9kcOwAtDJXhoSLa/ujiMAUHWrabRQ=,tag:Pg1YnFxUfFZeeda/Hc2OZw==,type:str]
+    - accessKey: ENC[AES256_GCM,data:De9lLs2l,iv:KL2afECLR7M5566v9aUzEr+vzOgld3yMJzjbP4wRpcQ=,tag:wXv33DjN+wm0FCa3/fQYfw==,type:str]
+      secretKey: ENC[AES256_GCM,data:FZDF6R2m0Z/UX9ywn4jgCsj+NcFh9v0aXA==,iv:Vr3icnAhYDZwyQVVHXnmZavP/8VEbIQs4nTOQNb8uyM=,tag:CowIx47b8T+kf/qhpBuqIg==,type:str]
+      policy: ENC[AES256_GCM,data:87m39jSs,iv:H2Yv8c8S13cm+Pi26UNeeS5f76ewskLsnT3aKyIAAT8=,tag:ixKsbZbZyVk5kS/Jqh35Cg==,type:str]
 oidc:
-    enabled: ENC[AES256_GCM,data:nxzzAQ==,iv:HTVeFQPTr0HUPBi9LDfRo5qVUv8XQsBnYqvFt8cKfuQ=,tag:ARZttgS1YwYW1QjIAtbJUQ==,type:bool]
-    configUrl: ENC[AES256_GCM,data:ZgPxRfSLkCtsFTq+MrZqm5ysRkAA8YemJsaxWl6WtRbnLnJZBQqBzx7qy5ZMFP4R4Z0+7JLg243gRS/PCyDWq3NJfmM4PasDe1WxAXWJHrp+lxcN7GOM5VHcsdCi5j6KDBg=,iv:/scg0KqjnngbpqBOPvl/T8wVKTZHcWsaYOi+M9YXsUg=,tag:HdSLxvw6+vGUxgOFUETLDw==,type:str]
-    clientId: ENC[AES256_GCM,data:EORYGlAJ6EFzOQCOKMw=,iv:XVhCaWaN65vFMEcSprkWKcciHbhZoCUz5PfWn4NNwo0=,tag:YDen+LDU8H0M8omnlvk0jw==,type:str]
-    clientSecret: ENC[AES256_GCM,data:O5mJ+uxo18o04LHjY31eVs2wzJePtEXoJxXn81NBcTs0GApVPciDfUPI4mZVXskBScqT9x9ZdgkTjD44gBMzqwBjmwHEeZfPD996uSKSu2soMELLDO+D1Vp/cNjSHnUx5VKgKWxcdSxQ2WN6kxRxgCDLk9B/Cpc+pRDFiR/w46c=,iv:yjg7NUiDxjXkeQu7gpxqaZ2oGOXCpEnN5OUowlbhSPc=,tag:2o80ngR33KLxVAAehON2EQ==,type:str]
-    claimName: ENC[AES256_GCM,data:0uU9ynkc,iv:e+0Bw9bEvr++OU8Gql0m16BRE+FwsiK9vkTjdLQXsGw=,tag:Sm/kP6a+tRHYj2cnvZf3+w==,type:str]
-    redirectUri: ENC[AES256_GCM,data:AMtRfHzCg4pUM2m7enLzMOgV+oVecMarndU99YTjZP1NqTlG6Dmo6beo3/FAQI4=,iv:0SuKeW6SoAuwnGLCWz6yUI7NSxlFz4P+QTA9IP5Dokc=,tag:Vp8pVYr72MfnZYKqD0o9Bg==,type:str]
-    comment: ENC[AES256_GCM,data:QTHyj0dXt/N2ZMyv1rQyN1fUjuc=,iv:hxTK/rs1UL1n7v/2CBkHvEFZzlGZLyDv9nBmVVO+X10=,tag:haa6Hfk7pnhmCNZDWPkt9A==,type:str]
+    enabled: ENC[AES256_GCM,data:P8GEXQ==,iv:qeB8rYpZny+1NX/fLQi3Uu1rwdHHDC2VZSCl2HbbqYU=,tag:N+zfQUX6onM+YCJRUiFImw==,type:bool]
+    configUrl: ENC[AES256_GCM,data:u0u2AxsupS4rC/C3PWZgNNrTyO12T/De81QHRa7NkiC/bb8hKJVutchNBpVr0zNg+Y9aRPo8cSlbepUVhFx5sZtdkaz98GeI5QmUzsi39LM7S9Mmp6fKP4aJTo4/vhXYF/A=,iv:d/g4Yxnpf4KlrAr1WjBNkKiobKHDYqgh7YwmTwpos60=,tag:CiOLeDM74ZOJav6Pmzzunw==,type:str]
+    clientId: ENC[AES256_GCM,data:doeMKUeB2L01bKiOjJw=,iv:Up3TS5W+ksedwN/lZRvSjBQ8QOty/0CCOQGzYZ6R9fE=,tag:vVuoKODoutu+oZPq8klJXw==,type:str]
+    clientSecret: ENC[AES256_GCM,data:YTg+KYc6oioRt5prvHTkA4GIhQgS/Oi3rpwpOSX/ImH9DHLxXcJnPDKzmW8DWTmG1YIkpJEfLWT+SAa3xz6jpd4EB0y5f86j8h0Ih00z5CS6HyfvFdwqSvKpK6B6b7LIE1x1wSbS4+0un1x6/zUKeqgkes3WMXfHzZCTnalWmqY=,iv:oas5s8SZauwoZHGPKQ1Kj0inn403ZSIrfUORBCAuPcw=,tag:+cB21h3D0jmDAO+MN5eU6A==,type:str]
+    claimName: ENC[AES256_GCM,data:GzxNUVk1,iv:SULbiq6jxrILbpVhxxxfUSsCfK2PvQ3cgrwefL4HykM=,tag:9vQ397kbTqP2hRetfCY+OA==,type:str]
+    redirectUri: ENC[AES256_GCM,data:goPjtLTzVlwNcibzNS7ys9MwvyxC0Zod6oI6Ubnh3EQvPMVbV8jqR9VveHmNiLo=,iv:Bk3Ul5icqIi04knqBvTH7osv8GLqmX5YFe0Y8lE03UM=,tag:W2sSoLEe88/r8WRLIdtl1g==,type:str]
+    comment: ENC[AES256_GCM,data:03n7KL8FN+RVac2Q6CDrGExDeXE=,iv:CKkwPr8qRkDKcWaSeSqRMeZCbnI67QKN2yQiVDTjTUs=,tag:A7PwDaoCvuHAdmYYDSYsSw==,type:str]
    claimPrefix: ""
-    scopes: ENC[AES256_GCM,data:AENnoV/sNnYY/94ZTF8sbSowJn4rA1KQ4/NL,iv:+Aj93Y0j/irIfd7HsuM4n40BFwZx7zhIi5ccowLaaBY=,tag:PcT6Ywl/nnCp2bKEwsjUBg==,type:str]
+    scopes: ENC[AES256_GCM,data:06/xU5KnOnzSNksTrJxP31n+yL/uhm6oM6y+,iv:G84tDpX+qzWRYiQHaQDO9kHzK/15XRBLu2BGPmCeh7Y=,tag:kmdsIpB+BgejOxhuOy2XHQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -25,14 +25,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBSXNKMVQySmJ5U0VMY09L
-            YklMNC9HZ3Jqb29Qa3Y0d3JJK3pqNHZEempzCkpkTnV4bHB2OU9rUExDNjFqdmkr
-            am1LNG1zdFJBb1VLS0xhR0xwOWN1QXMKLS0tIFFZcXpiTUpZbm1sRUxMYVJva0w4
-            RkhEbVRkLzZnWCtjVDYvNVVaRlpmRlEKQEq0OqdXuW56zNKrA2by3y2JfUnlIAV/
-            dIjedNebsu3E/lIAZdo+gsjrzGIZSgIxjfKoqlVP6J16aJnka8iROw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUkJLbjYrYXAvSDZLeWo3
+            NGdNSDcxSTltd29oWmpiRXZxUE5NSE1jSUNnCjVnK2M5OEtaTjJDdDkwSzlDMHRv
+            b1ZRUDh2UUF5b0xsNjE3V1JpYTJIc3MKLS0tIFVLcXh2c05aNGY1TlNzRy9SVXV2
+            ZFM2eDBOZkdiV2p4d2tXYnZXRWJidjgKAL4Y+39jbNZo8cXZ7vmfxbfnrmOluE3A
+            XWl5Udebr3cJ14UwP59mYFVL6A/0GaYuRqOwN3omJX4NEMKmzvJf4g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-15T18:54:09Z"
-    mac: ENC[AES256_GCM,data:CRYlt6HYTH/HhRT46pME5IJ0xU+oHj84AFGvSn6nPLLKAkh6sTzDqG+6/t3MZ42SUtYa77rc2dVQ47RnkIyqCWNy5PBYCS4MVuOD9nuy1YdLhQn9QCExFO2b3BgW8tRKRuEJw2tcpk6W/aoy8qh3NddMAZAAWhMLoLENnLGiMVk=,iv:JthKqEKMTsZObMQFQYBn1KFTJUmASXWdKV19IoMzvWY=,tag:N+3lEu+8hr3TUwbo5VlFrA==,type:str]
+    lastmodified: "2025-02-08T19:47:27Z"
+    mac: ENC[AES256_GCM,data:hq8mAa0SIALlMh7xCAJ17l1IIHTStP5EAkqri9ueGDjLMDPdO2ewRL70SiNpP3CZgBvvqx2y/iwHrl8TKUGG1oiMK+CpKBZZG5JG53S4cDfvjk9koP0ZKek55MsqFVnhFNjoDhJUCKWnKmm+X4YuntmtNfsmkgWKuVGIDWcJ07Q=,iv:27ITELnJRW1M9XR02q2eEGSdUNWYCtBvameZBVo9iFo=,tag:gAOZsUZmSXcrlNLZVphVqA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4
--- a/values/etersoft/secrets.server-xray-public.yaml
+++ b/values/etersoft/secrets.server-xray-public.yaml
@ -0,0 +1,37 @@
+files:
+    config:
+        enabled: ENC[AES256_GCM,data:QJdNMQ==,iv:m8KcSZ1Qi9lmCUTfJkceKMu1iWMBin2Y8P+6g7pSU4g=,tag:z4N53rRhoTNdlMK5nu8rYw==,type:bool]
+        sensitive: ENC[AES256_GCM,data:8ltdENw=,iv:qeBWpMCAxo0OwRc4B/6CAbkxn7Bal7iDfgidvqtEmpg=,tag:3ipWGmcf1ZjsNTP1zJuXhw==,type:bool]
+        remove: []
+        entries:
+            config.json:
+                data: ENC[AES256_GCM,data:8Lcjs0itPOyEy/ZQJS8KZBwFW5BEC039JJJCVhUjL29+NF31Os5vo8jLoCayW9e8tasVVhP8BQlGFq/ABQajXmLoLCSQI0yAOGdVSvQEXy4HjBxsDnPIvNq1/4dk0FsoQwTJYaVW0QxSUWkipyZD0cbzssJ9Zd+KnIIs4MGreXfibuyZI+HinrYlxP8CXNTn6o2eUSx3zXodD0K2IO7tUOlIbYK2PwIBvhz1JxUhqXIXfoEF2FoVU7ca6YCHA4b8kLLep9gz6z2yHrM6CMk2AUi6H90jGfUPu1dn+H0zBc9JsnVpbGp1KGtx5V6UAk8i4Ed1Iv8zVlvv/i8mmWhY2ue0doFj2cY6QgKc0fqgfkqTgy0k1IeTbxfWDH69KEKMpqk5UotvI31R6ZQlYNgc29IzdMDzXU9UVvDzwwP6bl10VYZp0pwwgV8nqOnr+ZTNR4Hy3Xrmq99SUAq1fc7/CPebj+g9v+PfjKMrOAL9kOVTNK7EJMMp7JQXTrtgifkz21HkfjMVKh3JMFs6gJla21zgYqHqpgU4t1dtA2+Y2OCJV43dZsNNnuEqvBVJhCMta/Lh6xoqtaLoC3TYRrkp1PWGNvP277UJnvS1RekDAl/RjFFOlOLHOrbQpFd5zTWeM6K8iOPcmugPreE8p9FQIFN9tyYW0SryrZ7V6dRb9qrEYbFXMqjLX9voTJyD7K6xX9omgX4OHC9RJA3P0hbsidwooZZBUDGs842LI5hCoEeEOYz1h5ZQV0tLUP8omIwZOvm5B9cXt3GmVvcWYw0Cy5h/1neuzZzQipveQoQkartZuvg+WjjJMOASdMuSqdvw+wCdGCGlNH8ACtFR3pvnXn3NIN5WaQukWpkpSWNGtr/teW/5KtFvICwg95ieNoAOar3T0txR4DQ4oHw8gh7JK/57E0HzC6q6gqCeqQGZYKt/0QVnQCMKHh7rD6nz1aiFgh15vzAU3sjWMlszt5Q6pNQCb9Ib8txJA3gvI2AuMr/614NwyN2WHtuangVBg/nLUQW/0IL0FZWYWAmjvn+e0Ucsx+gNt9XVzvJv8782gnt3LXMz9QqT+NbNW0lzrac5AQ5Ka/uImDFNmzKunk/3yTb9K2q2kzOx0QCBYGcvvCjeX4SP2cDOJkSQV7qB9AqiKJP4h/oDkrNHH+b6n624c9C/IDAqWu5Gr9RUbhADVbRsLJjbzNdQj9Feacvw2UDjE9BNz42RN5K+Nz8Cw72B3iUg/3gcAhhjUvI/liuZCf1Py6nxi1Hl4MpoAinKabIUGvoIt5fBv+iXKXmhe+qulKDuJj+maIAKKmcnVFxcl1waWLrVPLO4gSNVCTp8b7tCwGuLIcynPGCLxSOnis4YJi7ux5oA3pn9pq5jop3kXQTpU8AexU4bmDFF4pzqXogNSDbiy/fKQV2pFnMW3KwOSXCBTzS9RmnGm+X8zQbXxnX1cP/vSmh9Pqs/4FEVlg79P5uEY+0YGmKRqmzBFZEQgXaYhOMWWsIMCzES2wNe5LuHEYiVF0fXK0GsYswPejH2Y8kg4jT5gynzfHuQzNO2P9id/o+q/Ptf9w5fizPZOBeOLMPpDP5LzYA8mPyb3WMryUj6agYk/CnEc07R0Xqk62gh9l0kmmDJneciwUz9bcGQGwfZVDwJeHyI2cS1huU6Ay6s8D1XyZnzWRAk0uAdY1a7oYhs0X0XioG0jsz6NBhUfRMNTqxITmxLnrrC3RbZfHtKizBnBDZ/OsSvMcUDg+wxz84PKM3p+gXUzxXypWCBFxHUoAy5x1V9rVINha9LUdtWiYD3JeoUbmgTIWKGOTXuXGlDdqkVedAtLyqIwAxCRgLWra/NoLJ3ZSVjWB/bpsrDc6suVKTn2LXSk+QSHE/2mzIvO1XBDd2QvG0VnVXNwFFRP8321hERwgNDQgh2AlcPBFJX1VaP6EHqa/VjX3bIrXxZMmq3UKH+wxR1pn+D0x1npIk1lAOW9yvJH/CUpbXJcNzSRTy2OR2MFTJcW432KKdcm7VoWhmUciCfOnvcvJekH/1yjoXRd3D0T/2hdPnxdkcFyoM9QZ7/5T3NXnNxVwaZwqlzg5vKGf8YkqWL2PhsbqxkRk62oPYEAfamyyszn2WT8mxp1MjYmYxAxAxIiVBuZR/Vn/pU/Abpar+7hTUChKSz/hiR0vF6MiblMcyjLA4hZ0SRdkDDaofpvkg4qo4cAjTtIBHj4doPWPdieXYvxLp0SCUe41WnBj3Z4Cmxkc+V9UaFhRxmxCU18Q4eOZ5DMOikB9BbQooHQ/eqrkel8pT1ObtqxAmQmuFyiP5RvByEdyvM4R9hZ+nO/C9m4msoIxr0Zl3VR0oNZEjtIMS+RGfofK4Su611pkRk2nHVG9fJqvNjX30SZts7BZarrj3IZJNx0OGfXOEVAR2AftV0UlEIyjJm9oB/WTLlecUAXZgaVCkebB5R1rSB3Bxu4tFkb3AUdCFz9CpNH2IFVGaTPlQK9cowc+2s1fPVpDiVFU4NBPgPGKD3X7Reu/U0Z13J7gC9zcbPt+39GRomH/XhubjyWps1CQZRQ0XadiimQhlmiM+da9Gpy5VSUNCapr8+rw0SJhHP3oKbpPscBxjcaI5Q1wCMHzSfuF/rvGxeah2M/RHW8nFXWrZGMXHqjRQeDPagkRM782/wx1JBX5o0P1vbjV7pTRtySC9ukQPEoepjcGxR0eso1WHPO+oxaAc56ViORdfEBVMSdgVYJQJeCayIqYcQxFY1As0WT6JgQ9FyITIwJcPW8AQ6vzz6mDaBCpibNqWkv7SRe3vvivIaW+prQS+mujqsbgwtLq71LtGkjAbe5ANyBP9OfhIvYYY/yuENKfTe1pOnzQL1THyrfVTWhqsB9Smu7L3VCaULTLVxL/fELnunWNSWqzhAWLm3YP907phKt84bd/4vI/eN7RO6WpB/J0XpAbBfwVWB5A2fxToe9pfw9zJ//nJZg+iP0kX9aJkENV17YYINsd7QHgwWnAFgxcaQgco9VwugJz2B6mNAmhc3ahi6zdOon/E/mC7hKzKPIsf9Ll87L+1pcYO1yGdzKLl/vx6EcjqzIk/GnUnkr/8h6qNSUBPUzWqMce6DsxvbRYc07C3g/CjcS8SLoxLwHCsQhQev3vtSOT0VC3vuOKOu3f0zHJRyeyG2Ppn5hNtv3J6WWUOL3N8oVbOdH42JQnNxDrbXJNE93jN1YTgTUwhne4ZboqudGoZTnwzZo/1E0GvKA7aXq049isY9UdCU+LGb8pvJL/XjWXWApMiXDRMVAoG6+VxyIaDrrlSWoPdaSwhxNZM8Gzy0Y74=,iv:BdIS18qQNBFdjwlv0IH/t2L/R0FywZiu8+ExA7X2HIc=,tag:AiCzrJzmxzocT/fnshUttA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OXIrRVJJS2hlZUQ0a3I5
+            SCtVeHFiWExFM1F5K1ZzVENOMGtvOWlJOEF3ClJTRXJ5NCtHT08zWkluL3oydkJR
+            aHd5ZmZKY0ZHcXdhaExiVE9tUVg4S0UKLS0tIEliYkxrck9tc2F2amF1TDVXZlZR
+            eU1ENGZHaUgwSXViNEY2cnhneUEvbDAKW4Ynu3DBBXRGn8l+yIMKTFp1+qnEEwhz
+            ZCX0RkdBusfX9IU+EZjAh6L0t+RKUf5vvC4giHbd4g0Fhui2E/NWpw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17fyzv5mezck364lvyepp9pa3tnjn7jvsgcpykhhz2smnxyq6fdusvl7waf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUVNJN0VQSHlHVzRyem9H
+            a1pDT1lQZGRjRTcwUzFWSEgrdlljZDlnOEN3CktYakY5YWEvTloyaHBPR3hqVUph
+            WXFMb2krZnBWNWJhRWJBOFloNEFPUUUKLS0tIFRjYlNRb21TanF3SDkxRDk0N2k0
+            ZTZBWkxUbVZpYjdUZFZDK1JOREpDcmMKyBU5+qvwshU6LBzSPptQtqIY3X+gKgur
+            nhkMcV6g5z40EwfvuJvfAzqZrsuKOejungXunKV3Q/QyiTn+/RrJoA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-08T20:27:36Z"
+    mac: ENC[AES256_GCM,data:JT/yRb2b+wKSS66ZkqqzbTOQWs1dOjXSEKZeBP6hcaVwmPcFld4bOZgPmJeYl8ZTWJyIjNc5cwBB/VP95DdSBroFy2WCJeVjdSEWxQT37AvwJSXwHeODr5JOI+pwwubqzhorNKip/MDvZw3qnIUuFEaXWlwKMfMR01/M3nGB2HI=,iv:dfWIeGuk7S6jS12OOAzYVmDWFQmaiQP83roR1GxulaA=,tag:ZocnLTP4PO1QAw9F6oK1wQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
--- a/values/etersoft/values.minio-self.yaml
+++ b/values/etersoft/values.minio-self.yaml
@ -0,0 +1,119 @@
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/issuer: my-ca-issuer
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+  path: /
+  hosts:
+    - s3eself.badhouseplants.net
+  tls:
+    - secretName: s3eself.badhouseplants.net
+      hosts:
+        - s3eself.badhouseplants.net
+consoleIngress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/issuer: my-ca-issuer
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+  path: /
+  hosts:
+    - min.self.badhouseplants.net
+  tls:
+    - secretName: min.self.badhouseplants.net
+      hosts:
+        - min.eself.badhouseplants.net
+rootUser: "overlord"
+replicas: 1
+mode: standalone
+environment:
+  MINIO_SERVER_URL: "https://s3eself.badhouseplants.net"
+tls:
+  enabled: false
+  certSecret: ""
+  publicCrt: public.crt
+  privateKey: private.key
+persistence:
+  annotations:
+    volume.kubernetes.io/selected-node: yekaterinburg
+  storageClass: local-path
+  enabled: true
+  accessMode: ReadWriteOnce
+  size: 60Gi
+service:
+  type: ClusterIP
+  clusterIP: ~
+  port: "9000"
+consoleService:
+  type: ClusterIP
+  clusterIP: ~
+  port: "9001"
+resources:
+  requests:
+    memory: 2Gi
+buckets:
+  - name: velero
+    policy: none
+    purge: false
+    versioning: false
+  - name: xray-public
+    policy: download
+    purge: false
+    versioning: false
+metrics:
+  serviceMonitor:
+    enabled: false
+    public: true
+    additionalLabels: {}
+policies:
+  - name: allanger
+    statements:
+      - resources:
+          - "arn:aws:s3:::*"
+        actions:
+          - "s3:*"
+      - resources: []
+        actions:
+          - "admin:*"
+      - resources: []
+        actions:
+          - "kms:*"
+  - name: velero
+    statements:
+      - resources:
+          - "arn:aws:s3:::velero"
+        actions:
+          - "s3:*"
+      - resources:
+          - "arn:aws:s3:::velero/*"
+        actions:
+          - "s3:*"
+  - name: Admins
+    statements:
+      - resources:
+          - "arn:aws:s3:::*"
+        actions:
+          - "s3:*"
+      - resources: []
+        actions:
+          - "admin:*"
+      - resources: []
+        actions:
+          - "kms:*"
+  - name: DevOps
+    statements:
+      - resources:
+          - "arn:aws:s3:::badhouseplants-net"
+        actions:
+          - "s3:*"
+      - resources:
+          - "arn:aws:s3:::badhouseplants-net/*"
+        actions:
+          - "s3:*"
--- a/values/etersoft/values.minio.yaml
+++ b/values/etersoft/values.minio.yaml
@ -30,14 +30,14 @@ consoleIngress:
    - secretName: min.e.badhouseplants.net
      hosts:
        - min.e.badhouseplants.net
-rootUser: 'overlord'
+rootUser: "overlord"
 replicas: 1
 mode: standalone
 environment:
  MINIO_SERVER_URL: "https://s3e.badhouseplants.net"
 tls:
  enabled: false
-  certSecret: ''
+  certSecret: ""
  publicCrt: public.crt
  privateKey: private.key
 persistence:
@ -50,11 +50,11 @@ persistence:
 service:
  type: ClusterIP
  clusterIP: ~
-  port: '9000'
+  port: "9000"
 consoleService:
  type: ClusterIP
  clusterIP: ~
-  port: '9001'
+  port: "9001"
 resources:
  requests:
    memory: 2Gi
@ -63,6 +63,10 @@ buckets:
    policy: none
    purge: false
    versioning: false
+  - name: xray-public
+    policy: download
+    purge: false
+    versioning: false
 metrics:
  serviceMonitor:
    enabled: false
@ -72,7 +76,7 @@ policies:
  - name: allanger
    statements:
      - resources:
-          - 'arn:aws:s3:::*'
+          - "arn:aws:s3:::*"
        actions:
          - "s3:*"
      - resources: []
@ -84,17 +88,17 @@ policies:
  - name: velero
    statements:
      - resources:
-          - 'arn:aws:s3:::velero'
+          - "arn:aws:s3:::velero"
        actions:
          - "s3:*"
      - resources:
-          - 'arn:aws:s3:::velero/*'
+          - "arn:aws:s3:::velero/*"
        actions:
          - "s3:*"
  - name: Admins
    statements:
      - resources:
-          - 'arn:aws:s3:::*'
+          - "arn:aws:s3:::*"
        actions:
          - "s3:*"
      - resources: []
@ -106,10 +110,10 @@ policies:
  - name: DevOps
    statements:
      - resources:
-          - 'arn:aws:s3:::badhouseplants-net'
+          - "arn:aws:s3:::badhouseplants-net"
        actions:
          - "s3:*"
      - resources:
-          - 'arn:aws:s3:::badhouseplants-net/*'
+          - "arn:aws:s3:::badhouseplants-net/*"
        actions:
          - "s3:*"
--- a/values/etersoft/values.server-xray-public.yaml
+++ b/values/etersoft/values.server-xray-public.yaml
@ -0,0 +1,271 @@
+certificate:
+  enabled: true
+  certificate:
+    - name: xray-public-e.badhouseplants.net
+      secretName: xray-public-e.badhouseplants.net
+      issuer:
+        kind: ClusterIssuer
+        name: badhouseplants-issuer-http01
+      dnsNames:
+        - xray-public-e.badhouseplants.net
+
+traefik:
+  enabled: true
+  tcpRoutes:
+    - name: server-xray-public
+      service: server-xray-public-xray-https
+      match: HostSNI(`*`)
+      entrypoint: xray-internal
+      port: 443
+shortcuts:
+  hostname: xray-public-e.badhouseplants.net
+ingress:
+  main:
+    enabled: true
+    annotations:
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.class: traefik
+      kubernetes.io/ingress.global-static-ip-name: ""
+      kubernetes.io/tls-acme: "true"
+      meta.helm.sh/release-name: xray
+      meta.helm.sh/release-namespace: xray
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+extraVolumes:
+  certs:
+    secret:
+      secretName: xray-public-e.badhouseplants.net
+
+workload:
+  replicas: 2
+
+ext-cilium:
+  enabled: true
+  ciliumNetworkPolicies:
+    - name: xray-public
+      endpointSelectors:
+        app.kubernetes.io/instance: server-xray-public
+        app.kubernetes.io/name: server-xray
+      egress:
+        - toEntities:
+            - cluster
+        - toPorts:
+            - ports:
+                - port: "53"
+                  protocol: ANY
+        - toEntities:
+            - world
+      egressDeny:
+        - toCIDR:
+            - 93.158.213.92/32
+            - 93.158.213.92/32
+            - 185.243.218.213/32
+            - 91.216.110.53/32
+            - 23.157.120.14/32
+            - 94.243.222.100/32
+            - 208.83.20.20/32
+            - 156.234.201.18/32
+            - 209.141.59.16/32
+            - 34.89.51.235/32
+            - 109.201.134.183/32
+            - 83.102.180.21/32
+            - 185.230.4.150/32
+            - 45.9.60.30/32
+            - 5.181.156.41/32
+            - 156.234.201.18/32
+            - 34.89.51.235/32
+            - 83.6.102.25/32
+            - 51.222.82.36/32
+            - 125.227.79.123/32
+            - 193.42.111.57/32
+            - 135.125.202.143/32
+            - 176.56.7.44/32
+            - 185.87.45.163/32
+            - 181.214.58.63/32
+            - 143.198.64.177/32
+            - 5.255.124.190/32
+            - 52.58.128.163/32
+            - 15.204.57.168/32
+            - 34.94.76.146/32
+            - 211.23.142.127/32
+            - 64.23.195.62/32
+            - 23.153.248.83/32
+            - 82.156.24.219/32
+            - 37.235.176.37/32
+            - 176.123.1.180/32
+            - 35.227.59.57/32
+            - 62.210.114.129/32
+            - 185.216.179.62/32
+            - 34.94.76.146/32
+            - 121.199.16.229/32
+            - 23.163.56.66/32
+            - 176.99.7.59/32
+            - 207.241.231.226/32
+            - 207.241.226.111/32
+            - 27.151.84.136/32
+            - 104.244.77.14/32
+            - 5.102.159.190/32
+            - 184.61.17.58/32
+            - 125.227.79.123/32
+            - 181.214.58.63/32
+            - 95.217.167.10/32
+            - 159.148.57.222/32
+            - 15.204.57.168/32
+            - 211.23.142.127/32
+            - 34.94.76.146/32
+            - 187.56.163.73/32
+            - 109.71.253.37/32
+            - 5.182.86.242/32
+            - 104.244.77.14/32
+            - 190.146.242.81/32
+            - 89.110.76.229/32
+            - 138.124.183.78/32
+            - 209.126.11.233/32
+            - 167.99.185.219/32
+            - 37.59.48.81/32
+            - 27.151.84.136/32
+            - 142.132.183.104/32
+            - 193.53.126.151/32
+            - 74.48.17.122/32
+            - 93.158.213.92/32
+            - 156.234.201.18/32
+            - 35.227.59.57/32
+            - 34.89.51.235/32
+            - 34.94.76.146/32
+            - 184.61.17.58/32
+            - 125.227.79.123/32
+            - 104.21.58.176/32
+            - 172.67.162.102/32
+            - 181.214.58.63/32
+            - 93.185.165.29/32
+            - 95.217.167.10/32
+            - 159.148.57.222/32
+            - 15.204.57.168/32
+            - 211.75.210.220/32
+            - 125.227.79.123/32
+            - 211.23.142.127/32
+            - 172.67.165.72/32
+            - 104.21.57.182/32
+            - 35.227.59.57/32
+            - 34.89.51.235/32
+            - 34.94.76.146/32
+            - 187.56.163.73/32
+            - 109.71.253.37/32
+            - 5.182.86.242/32
+            - 104.244.77.14/32
+            - 193.53.126.151/32
+            - 104.19.22.31/32
+            - 104.19.22.22/32
+            - 104.19.22.27/32
+            - 104.19.22.23/32
+            - 104.19.22.30/32
+            - 104.19.22.24/32
+            - 104.19.22.26/32
+            - 104.19.22.29/32
+            - 104.19.22.32/32
+            - 104.19.22.28/32
+            - 104.19.22.25/32
+            - 74.48.17.122/32
+            - 184.61.17.58/32
+            - 104.21.62.230/32
+            - 172.67.139.235/32
+            - 172.67.135.244/32
+            - 104.21.26.114/32
+            - 104.21.72.244/32
+            - 172.67.136.175/32
+            - 172.67.183.130/32
+            - 104.21.64.112/32
+            - 104.26.10.105/32
+            - 104.26.11.105/32
+            - 172.67.70.119/32
+            - 172.67.144.128/32
+            - 104.21.71.114/32
+            - 172.67.161.130/32
+            - 104.21.65.89/32
+            - 172.67.156.75/32
+            - 104.21.40.186/32
+            - 65.21.91.32/32
+            - 184.61.17.58/32
+            - 104.21.82.111/32
+            - 172.67.200.173/32
+            - 104.21.13.129/32
+            - 172.67.200.14/32
+            - 104.21.89.147/32
+            - 172.67.160.224/32
+            - 172.67.139.235/32
+            - 104.21.62.230/32
+            - 93.158.213.92/32
+            - 185.243.218.213/32
+            - 91.216.110.53/32
+            - 23.157.120.14/32
+            - 94.243.222.100/32
+            - 208.83.20.20/32
+            - 156.234.201.18/32
+            - 209.141.59.16/32
+            - 34.94.76.146/32
+            - 35.227.59.57/32
+            - 34.89.51.235/32
+            - 109.201.134.183/32
+            - 83.102.180.21/32
+            - 185.230.4.150/32
+            - 45.9.60.30/32
+            - 5.181.156.41/32
+            - 83.6.102.25/32
+            - 54.39.48.3/32
+            - 51.222.82.36/32
+            - 125.227.79.123/32
+            - 193.42.111.57/32
+            - 135.125.202.143/32
+            - 176.56.7.44/32
+            - 185.87.45.163/32
+            - 93.185.165.29/32
+            - 181.214.58.63/32
+            - 143.198.64.177/32
+            - 5.255.124.190/32
+            - 52.58.128.163/32
+            - 15.204.57.168/32
+            - 35.227.59.57/32
+            - 34.89.51.235/32
+            - 34.94.76.146/32
+            - 211.23.142.127/32
+            - 211.75.210.220/32
+            - 125.227.79.123/32
+            - 64.23.195.62/32
+            - 51.81.222.188/32
+            - 23.153.248.83/32
+            - 82.156.24.219/32
+            - 37.235.176.37/32
+            - 51.15.41.46/32
+            - 176.123.1.180/32
+            - 104.244.77.87/32
+            - 34.94.76.146/32
+            - 34.89.51.235/32
+            - 35.227.59.57/32
+            - 62.210.114.129/32
+            - 185.216.179.62/32
+            - 34.94.76.146/32
+            - 34.89.51.235/32
+            - 35.227.59.57/32
+            - 121.199.16.229/32
+            - 35.227.59.57/32
+            - 34.89.51.235/32
+            - 34.94.76.146/32
+            - 23.163.56.66/32
+            - 176.99.7.59/32
+            - 207.241.231.226/32
+            - 207.241.226.111/32
+            - 27.151.84.136/32
+            - 51.159.54.68/32
+            - 104.244.77.14/32
+            - 5.102.159.190/32
+            - 190.146.242.81/32
+            - 89.110.76.229/32
+            - 89.47.160.50/32
+            - 138.124.183.78/32
+            - 209.126.11.233/32
+            - 167.99.185.219/32
+            - 27.151.84.136/32
+            - 37.59.48.81/32
+            - 27.151.84.136/32
+            - 142.132.183.104/32
+            - 159.148.57.222/32
+            - 159.148.57.222/32
--- a/values/etersoft/values.traefik.yaml
+++ b/values/etersoft/values.traefik.yaml
@ -11,6 +11,12 @@ ports:
      default: true
    exposedPort: 27015
    protocol: TCP
+  xray-internal:
+    port: 27016
+    expose:
+      default: true
+    exposedPort: 27016
+    protocol: TCP
 providers: # @schema additionalProperties: false
  kubernetesCRD:
    enabled: true
--- a/values/etersoft/values.uptime-kuma.yaml
+++ b/values/etersoft/values.uptime-kuma.yaml
@ -0,0 +1,20 @@
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    external-dns.alpha.kubernetes.io/ingress-hostname-source: defined-hosts-only
+  hosts:
+    - host: uptime.e.badhouseplants.net
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+
+  tls:
+    - secretName: uptime.e.badhouseplants.net
+      hosts:
+        - uptime.e.badhouseplants.net
--- a/values/etersoft/values.xray-docs.yaml
+++ b/values/etersoft/values.xray-docs.yaml
@ -0,0 +1,38 @@
+workload:
+  metadata:
+    annotations:
+      keel.sh/policy: force
+      keel.sh/trigger: poll
+      keel.sh/initContainers: 'true'
+
+ingress:
+  main:
+    metadata:
+      annotations:
+        kubernetes.io/ingress.class: traefik
+        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+        kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.allow-http: "false"
+        kubernetes.io/ingress.global-static-ip-name: ""
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+        traefik.ingress.kubernetes.io/router.middlewares: public-xray-xraydocsauth@kubernetescrd
+
+extra:
+  templates:
+    - |-
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: xray-docs-auth
+      stringData:
+        users: |
+          ilove:$apr1$N65S3o4r$Yc9pJnHPN4tUE1ZLzJsGI.
+    - |-
+      apiVersion: traefik.io/v1alpha1
+      kind: Middleware
+      metadata:
+        name: xraydocsauth
+      spec:
+        basicAuth:
+          secret: xray-docs-auth
+
--- a/workdir/ingress.yaml
+++ b/workdir/ingress.yaml
@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/issuer: my-ca-issuer
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.class: traefik
+    kubernetes.io/ingress.global-static-ip-name: ""
+    kubernetes.io/tls-acme: "true"
+    meta.helm.sh/release-name: minio
+    meta.helm.sh/release-namespace: platform
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+  name: minioself
+  namespace: platform
+spec:
+  rules:
+    - host: s3self.badhouseplants.net
+      http:
+        paths:
+          - backend:
+              service:
+                name: minio
+                port:
+                  number: 9000
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - s3self.badhouseplants.net
+      secretName: s3-tls-secret
--- a/workdir/sandbox.yaml
+++ b/workdir/sandbox.yaml
@ -0,0 +1,30 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: my-selfsigned-ca
+spec:
+  isCA: true
+  commonName: my-selfsigned-ca
+  secretName: root-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: my-ca-issuer
+spec:
+  ca:
+    secretName: root-secret
Author	SHA1	Message	Date
Devops Bot	0cf8dbdbb5	chore(deps): update helm-library docker tag to v0.2.3 Some checks failed renovate/artifacts Artifact file update failure	2025-02-16 01:01:16 +00:00
Nikolai Rodionov	927c06a184	Install kyverno to the etersoft cluster too	2025-02-11 15:39:19 +01:00
Nikolai Rodionov	9a4706a9d3	Fix traefik	2025-02-09 16:41:53 +01:00
Nikolai Rodionov	e845e73de8	Install uptime-kuma	2025-02-09 11:41:45 +01:00
Devops Bot	8aec909237	chore(deps): update helm release woodpecker to v3	2025-02-09 10:41:00 +00:00
Devops Bot	4a2c7a8b8e	chore(deps): update helm release traefik to v34	2025-02-09 10:40:54 +00:00
Devops Bot	f21cad0dff	chore(deps): update helm release velero to v8.3.0	2025-02-09 10:40:40 +00:00
Devops Bot	fd7d48291b	chore(deps): update helm release renovate to v39.164.0	2025-02-09 10:40:33 +00:00
Devops Bot	9e3d8b6468	chore(deps): update helm release loki to v6.25.1	2025-02-09 10:40:25 +00:00
Devops Bot	479401927b	chore(deps): update helm release kube-prometheus-stack to v68.5.0	2025-02-09 10:40:18 +00:00
Devops Bot	d6e5a09d65	chore(deps): update helm release grafana to v8.9.0	2025-02-09 10:40:12 +00:00
Devops Bot	c0e2b45c11	chore(deps): update helm release zot to v0.1.66	2025-02-09 10:40:07 +00:00
Devops Bot	93839914ea	chore(deps): update helm release minecraft to v4.23.7	2025-02-09 10:39:59 +00:00
Devops Bot	73a92ce856	chore(deps): update helm release kyverno-policies to v3.3.4	2025-02-09 10:39:49 +00:00
Devops Bot	2dc3fe3445	chore(deps): update helm release kyverno to v3.3.6	2025-02-08 22:36:39 +00:00
Devops Bot	35e41114f3	chore(deps): update helm release authentik to v2024.12.3	2025-02-08 09:47:35 +00:00
Devops Bot	0bb7a2cf52	chore(deps): update helm release external-dns to v1.15.1	2025-02-08 01:01:11 +00:00
Devops Bot	4382d0b6d2	chore(deps): update helm release openebs to v4.1.3	2025-02-07 13:46:14 +00:00
Devops Bot	7d825ab2d6	chore(deps): update helm release renovate to v39.163.0	2025-02-07 13:46:05 +00:00
Devops Bot	7580508a05	chore(deps): update helm release coredns to v1.39.0	2025-02-07 13:45:56 +00:00
Devops Bot	2a4d253ae8	chore(deps): update helm release cert-manager to v1.17.0	2025-02-07 13:45:50 +00:00
Devops Bot	348431ecc4	chore(deps): update helm release cilium to v1.17.0	2025-02-07 13:45:33 +00:00
Nikolai Rodionov	57465c4fb5	Remove IP from xray cert	2025-02-07 14:44:57 +01:00
Nikolai Rodionov	fe83461ee1	Deploy new apps	2025-02-06 08:49:54 +01:00
Devops Bot	1f923778de	chore(deps): update helm release kube-prometheus-stack to v68	2025-01-25 01:01:15 +00:00
Nikolai Rodionov	48eee21619	Add etersoft xray and increase gitea memory	2025-01-22 22:04:34 +01:00
Nikolai Rodionov	71c6161ad3	Update woodpecker	2025-01-15 16:03:42 +01:00
Nikolai Rodionov	c27a5e1bfd	New ports for xray	2025-01-15 15:43:40 +01:00