Update memos lib

Signed-off-by: Nikolai Rodionov <allanger@badhouseplants.net>

.pre-commit-config.yaml

@@ -0,0 +1,32 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0 # Use the ref you want to point at
+    hooks:
+      - id: trailing-whitespace
+  - repo: https://github.com/google/yamlfmt
+    rev: v0.13.0
+    hooks:
+      - id: yamlfmt
+        exclude: |
+          (?x)(
+            ^charts/|
+            ^.*secrets.*yaml|
+          )
+          #  - repo: https://github.com/codespell-project/codespell
+          #    rev: v2.2.4
+          #    hooks:
+          #      - id: codespell
+  - repo: local
+    hooks:
+      - id: check-sops-secrets
+        name: check sops secrets
+        entry: ./scripts/sops_check.sh
+        language: script
+        #      - name: check unused values (disable by setting DISABLE_ADDITIONAL_CHECKS=1)
+        #        id: check-unused-values
+        #        entry: ./scripts/find_unused_values.sh
+        #        language: script
+        #      - name: lint helmfiles (it might take a while, disable by setting DISABLE_ADDITIONAL_CHECKS=1)
+        #        id: lint-all-envs
+        #        entry: ./scripts/lint_all_envs.sh
+        #        language: script

.sops.yaml

@@ -1,6 +1,10 @@
 creation_rules:
+  - path_regex: values/.*/secrets.server-xray-public./*
+    key_groups:
+      - age:
+          - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          - age17fyzv5mezck364lvyepp9pa3tnjn7jvsgcpykhhz2smnxyq6fdusvl7waf
   - path_regex: values/.*/secrets.*
     key_groups:
       - age:
           - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-

.yamlfmt

@@ -0,0 +1,2 @@
+formatter:
+  retain_line_breaks_single: true

README.md

@@ -0,0 +1,9 @@
+<<<<<<< Updated upstream
+k8s-deployemnt
+=======
+# Helmfile deployments for Bad Houseplants
+
+## Project structure
+
+
+>>>>>>> Stashed changes

charts/issuer/templates/issuer.yaml

@@ -1,10 +1,23 @@
+{{- range $name, $issuer := .Values.clusterIssuers }}
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
   labels:
-    {{- include "issuer.labels" . | nindent 4 }}
-  name: "{{ .Values.name }}"
+    {{- include "issuer.labels" $ | nindent 4 }}
+  name: "{{ $name }}"
 spec:
-  acme:
-{{ .Values.spec | toYaml | indent 2 }}
+{{ $issuer.spec | toYaml | indent 2 }}
+{{- end }}
+{{- range $name, $issuer := .Values.issuers }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    {{- include "issuer.labels" $ | nindent 4 }}
+  name: "{{ $name }}"
+  namespace: {{ $issuer.namespace }}
+spec:
+{{ $issuer.spec | toYaml | indent 2 }}
+{{- end }}

charts/metallb-resources/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: metallb-resources
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

charts/metallb-resources/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "root.name" -}}
+{{- define "metallb-resources.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "root.fullname" -}}
+{{- define "metallb-resources.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "root.chart" -}}
+{{- define "metallb-resources.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "root.labels" -}}
-helm.sh/chart: {{ include "root.chart" . }}
-{{ include "root.selectorLabels" . }}
+{{- define "metallb-resources.labels" -}}
+helm.sh/chart: {{ include "metallb-resources.chart" . }}
+{{ include "metallb-resources.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "root.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "root.name" . }}
+{{- define "metallb-resources.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "metallb-resources.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "root.serviceAccountName" -}}
+{{- define "metallb-resources.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "root.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "metallb-resources.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

charts/metallb-resources/templates/ip_address_pool.tpl

@@ -0,0 +1,7 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: {{ include "metallb-resources.fullname" . }}
+spec:
+  addresses:
+  - {{ .Values.addresses}}

charts/metallb-resources/values.yaml

@@ -0,0 +1 @@
+addresses: 1.1.1.1-1.1.1.1

charts/namespaces/kustomize/flux-system.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: flux-system
-  labels:
-    name: flux-system

charts/namespaces/kustomize/giantswarm-flux.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: giantswarm-flux
-  labels:
-    name: giantswarm-flux

charts/namespaces/kustomize/giantswarm.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: giantswarm
-  labels:
-    name: giantswarm

charts/namespaces/kustomize/kustomization.yaml

@@ -1,5 +0,0 @@
-resources:
-  - ./giantswarm-flux.yml
-  - ./giantswarm.yml
-  - ./monitoring.yml
-  - ./org-giantswarm.yml

charts/namespaces/kustomize/monitoring.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  labels:
-    name: monitoring

charts/namespaces/kustomize/org-giantswarm.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: org-giantswarm
-  labels:
-    name: org-giantswarm

charts/namespaces/templates/namespaces.yaml

@@ -15,5 +15,16 @@ metadata:
     {{- with $ns.annotations}}
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- if $ns.defaultRegcred }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: regcred
+  namespace: {{ $ns.name }}
+data:
+  .dockerconfigjson: {{ $.Values.defaultRegcred }}
+{{- end }}
 {{- end }}
 {{- end }}

charts/roles/templates/rolebindings.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.bindings }}
+{{- range $bindings := .Values.bindings }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ $bindings.kind }}
+metadata:
+  name: {{ $bindings.name }}
+  namespace: {{ $bindings.namespace }}
+  labels:
+    {{- include "roles.labels" $ | nindent 4 }}
+    {{- with $bindings.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with $bindings.annotations}}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+subjects:
+{{- with $bindings.subjects }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+roleRef:
+{{- with $bindings.roleRef }}
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/roles/templates/sa.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.sa }}
+{{- range $sa := .Values.sa }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $sa.name }}
+  namespace: {{ $sa.namespace }}
+  labels:
+    {{- include "roles.labels" $ | nindent 4 }}
+    {{- with $sa.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with $sa.annotations}}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: true
+{{- end }}
+{{- end }}

charts/root/Chart.yaml

@@ -1,6 +0,0 @@
-apiVersion: v2
-name: root
-description: A Helm chart for Kubernetes
-type: application
-version: 0.1.5
-appVersion: "1.16.0"

charts/root/templates/root.yaml

@@ -1,25 +0,0 @@
-{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: root
-spec:
-  interval: 30s
-  url: {{ .Values.url }}
-  ref:
-    branch: {{ .Values.branch }}
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: root
-spec:
-  interval: 30s
-  targetNamespace: flux-system
-  sourceRef:
-    kind: GitRepository
-    name: root
-  path: "."
-  prune: false
-  timeout: 1m
-{{- end }}

charts/root/templates/self.yaml

@@ -1,25 +0,0 @@
-{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: root-self
-spec:
-  interval: 30s
-  url: {{ .Values.self.url }}
-  ref:
-    branch: {{ .Values.self.branch }}
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: root-self
-spec:
-  interval: 30s
-  targetNamespace: flux-system
-  sourceRef:
-    kind: GitRepository
-    name: root-self
-  path: "."
-  prune: false
-  timeout: 1m
-{{- end }}

charts/root/values.yaml

@@ -1,5 +0,0 @@
-url: https://git.badhouseplants.net/giantswarm/cluster-example.git
-branch: main
-self:
-  url: git@git.badhouseplants.net:giantswarm/root-config.git
-  branch: master

common/environments.yaml

@@ -1,5 +1,49 @@
 environments:
   badhouseplants:
     kubeContext: badhouseplants
+    values:
+      #- ./common/values/values.badhouseplants.yaml
+      - base:
+          enabled: true
+      - velero:
+          enabled: true
+      - workload:
+          enabled: true
+      - backups:
+          enabled: false
+      - localpath:
+          enabled: false
+      - openebs:
+          enabled: true
+      - postgres17:
+          enabled: true
+      - postgres16:
+          enabled: true
+      - redis:
+          enabled: true
+      - istio:
+          enabled: true
   etersoft:
     kubeContext: etersoft
+    values:
+      - ./common/values/values.etersoft.yaml
+      - base:
+          enabled: true
+      - velero:
+          enabled: false
+      - workload:
+          enabled: false
+      - backups:
+          enabled: true
+      - openebs:
+          enabled: false
+      - localpath:
+          enabled: true
+      - postgres17:
+          enabled: false
+      - redis:
+          enabled: false
+      - postgres16:
+          enabled: false
+      - istio:
+          enabled: false

common/extensions/metallb.yaml

@@ -0,0 +1,14 @@
+metallb:
+  templates:
+    - |
+      {{ range .Values.ippools }}
+      ---
+      apiVersion: metallb.io/v1beta1
+      kind: IPAddressPool
+      metadata:
+        name: {{ .name }}
+      spec:
+        addresses:
+        - {{ .addresses }}
+      {{ end }}
+

common/extensions/self-signed-cert.yaml

@@ -0,0 +1,13 @@
+ext-self-signed-cert:
+  templates:
+    - |
+      ---
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: {{ .Values.name }}
+      data:
+        {{- $ca := genCA .Values.domain 365 -}}
+        {{- $cert := genSignedCert .Values.domain nil (list .Values.domain ) 365 $ca }}
+        tls.crt: {{ $cert.Cert | b64enc }}
+        tls.key: {{ $cert.Key | b64enc }}

common/extensions/values.certificate.yaml

@@ -0,0 +1,19 @@
+certificate:
+  templates:
+    - |
+      {{ range .Values.certificate }}
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: {{ .name }}
+      spec:
+        dnsNames:
+          {{- range .dnsNames }}
+          - {{ . | quote }}
+          {{- end }}
+        issuerRef:
+          kind: {{ .issuer.kind }}
+          name: {{ .issuer.name }}
+        secretName: {{ .secretName }}
+        {{ end }}

common/extensions/values.istio-gateway.yaml

@@ -0,0 +1,15 @@
+istio-gateway:
+  templates:
+    - |
+      {{ range .Values.gateways }}
+      ---
+      apiVersion: networking.istio.io/v1beta1
+      kind: Gateway
+      metadata:
+        name: {{ .name }}
+      spec:
+        selector:
+          istio: ingressgateway
+        servers:
+      {{ toYaml .servers | indent 4 }}
+      {{ end }}

common/templates.yaml

@@ -10,33 +10,48 @@ templates:
         args:
           - -c
           - |
-            helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl replace -f  - \
-            || helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl create -f  - \
+            helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl replace -f  - \
+            || helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl create -f  - \
             || true
       - events: ["prepare"]
         showlogs: true
         command: "sh"
         args:
           - -c
-          - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl diff -f - || true"
+          - "helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl diff -f - || true"
       - events: ["postuninstall"]
         showlogs: true
         command: "sh"
         args:
           - -c
-          - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl delete -f - || true"
+          - "helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl delete -f - || true"
   # ----------------------------
   # -- Configs
   # ----------------------------
   default-common-values:
     values:
-      - '{{ requiredEnv "PWD" }}/values/common/values.{{ .Release.Name }}.yaml'
+      - '{{ requiredEnv "PWD" }}/values/common/values.{{ `{{ .Release.Name }}` }}.yaml'
   default-env-values:
     values:
-      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/values.{{ .Release.Name }}.yaml'
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/values.{{ `{{ .Release.Name }}` }}.yaml'
   default-env-secrets:
     secrets:
-      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ .Release.Name }}.yaml'
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml'
+  common-values:
+    values:
+      - '{{ requiredEnv "PWD" }}/values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
+  common-values-tpl:
+    values:
+      - '{{ requiredEnv "PWD" }}/values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
+  env-values:
+    values:
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
+  env-values-tpl:
+    values:
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
+  env-secrets:
+    secrets:
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
   # ----------------------------
   # -- Extensions
   # ----------------------------
@@ -47,7 +62,6 @@ templates:
         alias: istio-gateway
     values:
       - '{{ requiredEnv "PWD" }}/values/common/values.istio-gateway.yaml'
-
   ext-tcp-routes:
     dependencies:
       - chart: bedag/raw
@@ -55,7 +69,20 @@ templates:
         alias: traefik
     values:
       - '{{ requiredEnv "PWD" }}/values/common/values.tcp-route.yaml'
-
+  ext-udp-routes:
+    dependencies:
+      - chart: bedag/raw
+        version: 2.0.0
+        alias: traefik-udp
+    values:
+      - '{{ requiredEnv "PWD" }}/values/common/values.udp-route.yaml'
+  ext-traefik-middleware:
+    dependencies:
+      - chart: bedag/raw
+        version: 2.0.0
+        alias: middleware
+    values:
+      - '{{ requiredEnv "PWD" }}/values/common/values.middleware.yaml'
   ext-istio-resource:
     dependencies:
       - chart: bedag/raw
@@ -63,7 +90,6 @@ templates:
         alias: istio
     values:
       - '{{ requiredEnv "PWD" }}/values/common/values.istio.yaml'
-
   ext-certificate:
     dependencies:
       - chart: bedag/raw
@@ -77,7 +103,7 @@ templates:
         version: 2.0.0
         alias: metallb
     values:
-      - '{{ requiredEnv "PWD" }}/values/common/values.metallb.yaml'
+      - '{{ requiredEnv "PWD" }}/common/extensions/metallb.yaml'
   service-monitor:
     dependencies:
       - chart: bedag/raw
@@ -93,7 +119,6 @@ templates:
     inherit:
       - template: default-values/common-values
       - template: default-env-values
-
   ext-database:
     dependencies:
       - chart: bedag/raw
@@ -101,7 +126,6 @@ templates:
         alias: ext-database
     values:
       - '{{ requiredEnv "PWD" }}/values/common/values.database.yaml'
-  
   ext-secret:
     dependencies:
       - chart: bedag/raw
@@ -109,3 +133,17 @@ templates:
         alias: ext-secret
     values:
       - '{{ requiredEnv "PWD" }}/values/common/values.secret.yaml'
+  ext-cilium:
+    dependencies:
+      - chart: bedag/raw
+        version: 2.0.0
+        alias: ext-cilium
+    values:
+      - '{{ requiredEnv "PWD" }}/values/common/values.ext-cilium.yaml'
+  ext-self-signed-cert:
+    dependencies:
+      - chart: bedag/raw
+        version: 2.0.0
+        alias: ext-self-signed-cert
+    values:
+      - '{{ requiredEnv "PWD" }}/common/extensions/self-signed-cert.yaml'

common/values/values.badhouseplants.yaml

@@ -0,0 +1,6 @@
+registry: registry.badhouseplants.net/containers
+registry_url: registry.badhouseplants.net
+main_ip: 195.201.249.91
+tools:
+  openebs:
+    enabled: true

common/values/values.etersoft.yaml

@@ -0,0 +1,6 @@
+registry: registry.ru.badhouseplants.net/containers
+registry_url: registry.ru.badhouseplants.net
+main_ip: 91.232.225.63
+tools:
+  openebs:
+    enabled: false

common/values/values.general.yaml

@@ -0,0 +1,5 @@
+namespaces:
+  kubePublic: kube-public
+  kubeSystem: kube-system
+  traefikSystem: traefik-system
+

helmfile.yaml

@@ -0,0 +1,6 @@
+bases:
+  - ./common/environments.yaml
+  - ./common/templates.yaml
+  - ./helmfiles/base.yaml
+  - ./helmfiles/system.yaml
+  - ./helmfiles/platform.yaml

helmfiles/base.yaml

@@ -0,0 +1,18 @@
+releases:
+  # -- This one must be executed with --take-ownership at least once
+  - name: namespaces
+    chart: ./charts/namespaces
+    namespace: kube-system
+    createNamespace: false
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: roles
+    chart: ./charts/roles
+    namespace: kube-system
+    createNamespace: false
+    needs:
+      - kube-system/namespaces
+    inherit:
+      - template: env-values

helmfiles/platform.yaml

@@ -0,0 +1,50 @@
+repositories:
+  - name: keel
+    url: https://keel-hq.github.io/keel/
+  - name: uptime-kuma
+    url: https://helm.irsigler.cloud
+  - name: external-dns
+    url: https://kubernetes-sigs.github.io/external-dns/
+  - name: minio-standalone
+    url: https://charts.min.io/
+releases:
+  - name: external-dns
+    chart: external-dns/external-dns
+    labels:
+      layer: platform
+    version: 1.15.2
+    namespace: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
+  - name: keel
+    chart: keel/keel
+    version: v1.0.5
+    labels:
+      layer: platform
+    namespace: platform
+    inherit:
+      - template: common-values-tpl
+
+  - name: uptime-kuma
+    chart: uptime-kuma/uptime-kuma
+    version: 2.21.2
+    namespace: platform
+    labels:
+      layer: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+
+  - name: minio
+    chart: minio-standalone/minio
+    version: 5.4.0
+    namespace: platform
+    labels:
+      layer: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets

helmfiles/system.yaml

@@ -0,0 +1,180 @@
+repositories:
+  - name: coredns
+    url: https://coredns.github.io/helm
+  - name: zot
+    url: https://zotregistry.dev/helm-charts/
+  - name: cilium
+    url: https://helm.cilium.io/
+  - name: metrics-server
+    url: https://kubernetes-sigs.github.io/metrics-server/
+  - name: jetstack
+    url: https://charts.jetstack.io
+  - name: metallb
+    url: https://metallb.github.io/metallb
+  - name: traefik
+    url: https://traefik.github.io/charts
+  - name: local-path-provisioner
+    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
+  - name: kyverno
+    url: https://kyverno.github.io/kyverno/
+  - name: vmware-tanzu
+    url: https://vmware-tanzu.github.io/helm-charts/
+  - name: openebs
+    url: https://openebs.github.io/openebs
+  - name: istio
+    url: https://istio-release.storage.googleapis.com/charts
+
+releases:
+  - name: coredns
+    chart: coredns/coredns
+    version: 1.39.1
+    namespace: kube-system
+    inherit:
+      - template: common-values-tpl
+
+  - name: cilium
+    chart: cilium/cilium
+    version: 1.17.2
+    namespace: kube-system
+    needs:
+      - kube-system/coredns
+    inherit:
+      - template: common-values
+      - template: common-values-tpl
+
+  - name: cert-manager
+    chart: jetstack/cert-manager
+    version: v1.17.1
+    namespace: kube-system
+    missingFileHandler: Warn
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: common-values
+      - template: common-values-tpl
+
+  - name: issuer
+    chart: ./charts/issuer
+    namespace: kube-system
+    missingFileHandler: Warn
+    needs:
+      - kube-system/cert-manager
+    inherit:
+      - template: common-values
+
+  - name: local-path-provisioner
+    chart: local-path-provisioner/local-path-provisioner
+    namespace: kube-system
+    inherit:
+      - template: common-values-tpl
+
+  - name: kyverno
+    chart: kyverno/kyverno
+    namespace: kyverno
+    version: 3.3.7
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: common-values-tpl
+
+  - name: kyverno-policies
+    chart: kyverno/kyverno-policies
+    namespace: kyverno
+    version: 3.3.4
+    needs:
+      - kyverno/kyverno
+
+  - name: custom-kyverno-policies
+    chart: ./kustomizations/kyverno/{{ .Environment.Name }}
+    namespace: kyverno
+    needs:
+      - kyverno/kyverno
+
+  - name: metallb
+    chart: metallb/metallb
+    namespace: kube-system
+    condition: base.enabled
+    version: 0.14.9
+    needs:
+      - registry/cluster-mirror
+    inherit:
+      - template: common-values
+      - template: common-values-tpl
+
+  - name: metallb-resources
+    chart: ./charts/metallb-resources
+    version: 2.0.0
+    condition: base.enabled
+    namespace: kube-system
+    needs:
+      - kube-system/metallb
+    inherit:
+      - template: common-values-tpl
+
+  - name: traefik
+    chart: traefik/traefik
+    version: 34.4.1
+    condition: base.enabled
+    namespace: kube-system
+    inherit:
+      - template: common-values-tpl
+      - template: common-values
+      - template: env-values
+
+  - name: cluster-mirror
+    chart: zot/zot
+    version: 0.1.67
+    createNamespace: false
+    installed: true
+    namespace: registry
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: common-values-tpl
+      - template: env-secrets
+
+  - name: metrics-server
+    chart: metrics-server/metrics-server
+    version: 3.12.2
+    namespace: kube-system
+    needs:
+      - registry/cluster-mirror
+    inherit:
+      - template: common-values-tpl
+
+  - name: openebs
+    chart: openebs/openebs
+    condition: tools.openebs.enabled
+    namespace: kube-system
+    version: 4.2.0
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+
+  - name: velero
+    chart: vmware-tanzu/velero
+    namespace: velero
+    version: 8.5.0
+    condition: velero.enabled
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
+  - name: istio-base
+    chart: istio/base
+    condition: istio.enabled
+    namespace: istio-system
+    version: 1.25.1
+    inherit:
+      - template: common-values
+
+  - name: istiod
+    chart: istio/istiod
+    condition: istio.enabled
+    namespace: istio-system
+    version: 1.25.1
+    inherit:
+      - template: common-values-tpl
+    needs:
+      - istio-system/istio-base

installations/applications/helmfile-badhouseplants.yaml

@@ -0,0 +1,127 @@
+bases:
+  - ../../common/environments.yaml
+  - ../../common/templates.yaml
+
+repositories:
+  - name: gitea
+    url: https://dl.gitea.io/charts/
+  - name: allangers-charts
+    url: ghcr.io/allanger/allangers-charts
+    oci: true
+  - name: badhouseplants-helm
+    url: git+https://gitea.badhouseplants.net/badhouseplants/badhouseplants-helm@charts?ref=main
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/
+    #- name: open-strike
+    #  url: git+https://gitea.badhouseplants.net/badhouseplants/open-strike-2.git@helm?ref=main
+
+releases:
+  - name: gitea
+    chart: gitea/gitea
+    version: 11.0.0
+    namespace: applications
+    installed: false
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+      - template: ext-database
+      - template: ext-tcp-routes
+
+  - name: app-vaultwarden
+    chart: allangers-charts/vaultwarden
+    version: 3.1.1
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: app-stalwart
+    chart: allangers-charts/stalwart
+    version: 1.0.1
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: app-tandoor-recipes
+    installed: false
+    chart: allangers-charts/tandoor-recipes
+    version: 0.2.0
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
+      - template: env-secrets
+      - template: ext-database
+
+  - name: app-tandoor-recipes
+    chart: allangers-charts/tandoor-recipes
+    version: 0.2.0
+    namespace: org-allanger
+    inherit:
+      - template: env-values
+      - template: env-secrets
+      - template: ext-database
+
+  - name: app-navidrome
+    chart: allangers-charts/navidrome
+    namespace: org-badhouseplants
+    version: 0.5.0
+    inherit:
+      - template: env-values
+      - template: ext-traefik-middleware
+
+  - name: app-navidrome-private
+    chart: allangers-charts/navidrome
+    namespace: org-badhouseplants
+    version: 0.5.0
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: app-gitea
+    chart: gitea/gitea
+    version: 11.0.0
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: server-xray-public
+    chart: allangers-charts/server-xray
+    namespace: public-xray
+    version: 0.6.0
+    inherit:
+      - template: default-env-secrets
+      - template: default-env-values
+      - template: ext-tcp-routes
+      - template: ext-cilium
+      - template: ext-certificate
+
+  - name: server-xray-public-edge
+    chart: allangers-charts/server-xray
+    installed: true
+    namespace: public-xray
+    version: 0.6.0
+    inherit:
+      - template: default-env-secrets
+      - template: default-env-values
+      - template: ext-tcp-routes
+      - template: ext-cilium
+      - template: ext-certificate
+
+  - name: memos
+    chart: allangers-charts/memos
+    version: 0.3.0
+    namespace: applications
+    inherit:
+      - template: default-env-values
+      - template: ext-database
+
+  - name: badhouseplants-net
+    chart: badhouseplants-helm/badhouseplants-net
+    namespace: production
+    values:
+      - deployAnnotations:
+          keel.sh/policy: force
+          keel.sh/trigger: poll
+          keel.sh/initContainers: 'true'

installations/applications/helmfile-etersoft.yaml

@@ -0,0 +1,51 @@
+bases:
+  - ../../common/environments.yaml
+  - ../../common/templates.yaml
+repositories:
+  - name: allangers-charts
+    url: ghcr.io/allanger/allangers-charts
+    oci: true
+  - name: gabe565
+    url: ghcr.io/gabe565/charts
+    oci: true
+  - name: xray-docs
+    url: git+https://gitea.badhouseplants.net/badhouseplants/xray-docs.git@helm?ref=main
+releases:
+  - name: qbittorrent
+    chart: gabe565/qbittorrent
+    version: 0.4.1
+    namespace: applications
+    inherit:
+      - template: default-env-values
+      - template: ext-secret
+      - template: ext-traefik-middleware
+  - name: vaultwardentest
+    chart: allangers-charts/vaultwarden
+    version: 3.1.1
+    namespace: applications
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+
+  - name: external-service-xray
+    chart: ../../kustomizations/external-service-xray
+    installed: true
+    namespace: public-xray
+
+  - name: server-xray-public
+    chart: allangers-charts/server-xray
+    namespace: public-xray
+    version: 0.6.0
+    inherit:
+      - template: default-env-secrets
+      - template: default-env-values
+      - template: ext-tcp-routes
+      - template: ext-cilium
+      - template: ext-certificate
+
+  - name: xray-docs
+    chart: xray-docs/xray-docs
+    installed: true
+    namespace: public-xray
+    inherit:
+      - template: default-env-values

installations/applications/helmfile-xray-1.yaml

@@ -0,0 +1,23 @@
+bases:
+  - ../../common/environments.yaml
+  - ../../common/templates.yaml
+repositories:
+  - name: allangers-charts
+    url: ghcr.io/allanger/allangers-charts
+    oci: true
+releases:
+  - name: server-xray-public
+    chart: allangers-charts/server-xray
+    namespace: public-xray
+    version: 0.6.0
+    inherit:
+      - template: default-env-secrets
+      - template: default-env-values
+      - template: ext-self-signed-cert
+  - name: promtail
+    chart: grafana/promtail
+    namespace: promtail
+    version: 6.16.6
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets

installations/applications/helmfile-xray-2.yaml

@@ -0,0 +1,16 @@
+bases:
+  - ../../common/environments.yaml
+  - ../../common/templates.yaml
+repositories:
+  - name: allangers-charts
+    url: ghcr.io/allanger/allangers-charts
+    oci: true
+releases:
+  - name: server-xray-public
+    chart: allangers-charts/server-xray
+    namespace: public-xray
+    version: 0.6.0
+    inherit:
+      - template: default-env-secrets
+      - template: default-env-values
+      - template: ext-self-signed-cert

installations/applications/helmfile.yaml

@@ -1,154 +1,6 @@
-{{ readFile "../../common/templates.yaml" }}
-
 bases:
   - ../../common/environments.yaml
+  - ../../common/templates.yaml
 
-repositories:
-  - name: softplayer-oci
-    url: registry.badhouseplants.net/softplayer/helm
-    oci: true
-  - name: requarks
-    url: https://charts.js.wiki
-  - name: goauthentik
-    url: https://charts.goauthentik.io/
-  - name: ananace-charts
-    url: https://ananace.gitlab.io/charts
-  - name: gitea
-    url: https://dl.gitea.io/charts/
-  - name: mailu
-    url: https://mailu.github.io/helm-charts/
-  - name: minio
-    url: https://charts.min.io/
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
-  - name: grafana 
-    url: https://grafana.github.io/helm-charts
-  - name: bitnami
-    url: https://charts.bitnami.com/bitnami
-  - name: allangers-charts
-    url: ghcr.io/allanger/allangers-charts
-    oci: true
-
-releases:
-  - name: authentik
-    chart: goauthentik/authentik
-    version: 2024.6.1
-    namespace: applications
-    createNamespace: false
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-
-  - name: funkwhale
-    chart: ananace-charts/funkwhale
-    namespace: applications
-    version: 2.0.5
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-    
-  - name: gitea
-    chart: gitea/gitea
-    version: 10.4.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-      - template: ext-tcp-routes
-    
-  - name: mailu
-    chart: mailu/mailu
-    namespace: applications
-    version: 2.0.0
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-certificate
-      - template: ext-tcp-routes
-      - template: ext-database
-    
-  - name: minio
-    chart: minio/minio
-    version: 5.2.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-    
-  - name: nrodionov
-    chart: bitnami/wordpress
-    version: 22.4.20
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-    
-  - name: openvpn-xor
-    chart: softplayer-oci/openvpn-xor
-    version: 1.2.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: ext-tcp-routes
-    
-  - name: vaultwarden
-    chart: allangers-charts/vaultwarden
-    version: 2.1.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-  
-  - name: stalwart
-    chart: allangers-charts/stalwart
-    version: 0.1.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: ext-tcp-routes
-
-  #- name: vaultwardentest
-  #  chart: allangers-charts/vaultwarden
-  #  version: 2.1.0
-  #  namespace: applications
-  #  inherit:
-  #    - template: default-env-values
-  #    - template: default-env-secrets
-  
-  - name: shadowsocks-libev
-    chart: softplayer-oci/shadowsocks-libev
-    namespace: applications
-    version: 0.3.1
-    inherit:
-      - template: default-env-secrets
-  
-  - name: wikijs
-    chart: requarks/wiki
-    namespace: applications
-    installed: false
-    version: 2.2.21
-    inherit:
-      - template: default-env-values
-      - template: ext-database
-
-  - name: mealie
-    chart: softplayer-oci/mealie
-    namespace: applications
-    version: 0.3.0
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-  
-  - name: grafana
-    chart: grafana/grafana
-    namespace: applications
-    version: 8.3.6
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
+helmfiles:
+  - ./helmfile-{{ `{{ .Environment.Name }}` }}.yaml

installations/databases/helmfile.yaml

@@ -1,47 +1,38 @@
-{{ readFile "../../common/templates.yaml" }}
-
 bases:
   - ../../common/environments.yaml
-
+  - ../../common/templates.yaml
 repositories:
   - name: bitnami
-    url: https://charts.bitnami.com/bitnami
+    url: registry-1.docker.io/bitnamicharts
+    oci: true
   - name: bedag
     url: https://bedag.github.io/helm-charts/
-
 releases:
-  - name: mariadb
-    chart: bitnami/mariadb
-    namespace: databases
-    version: 19.0.2
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-
   - name: redis
     chart: bitnami/redis
     namespace: databases
-    version: 19.6.3
+    condition: redis.enabled
+    version: 20.11.3
     inherit:
       - template: default-env-values
       - template: default-env-secrets
-
   - name: postgres16
     labels:
       bundle: postgres
     namespace: databases
     chart: bitnami/postgresql
-    version: 15.5.19
+    condition: postgres16.enabled
+    version: 15.5.38
     inherit:
       - template: default-env-values
       - template: default-env-secrets
-
-  - name: postgres16-gitea
+  - name: postgres17
     labels:
       bundle: postgres
     namespace: databases
     chart: bitnami/postgresql
-    version: 15.5.19
+    condition: postgres17.enabled
+    version: 16.3.4
     inherit:
       - template: default-env-values
       - template: default-env-secrets

installations/development/helmfile.yaml

@@ -1,12 +1,9 @@
-{{ readFile "../../common/templates.yaml" }}
-
 bases:
   - ../../common/environments.yaml
-
+  - ../../common/templates.yaml
 repositories:
   - name: argo
     url: https://argoproj.github.io/argo-helm
-
 releases:
   - name: badhouseplants
     namespace: platform

installations/games/helmfile.yaml

@@ -1,20 +1,28 @@
----
-{{ readFile "../../common/templates.yaml" }}
-
 bases:
   - ../../common/environments.yaml
-  
+  - ../../common/templates.yaml
 repositories:
   - name: bedag
     url: https://bedag.github.io/helm-charts/
   - name: minecraft
     url: https://itzg.github.io/minecraft-server-charts/
-
+  - name: allangers-charts
+    url: ghcr.io/allanger/allangers-charts
+    oci: true
 releases:
   - name: minecraft
     chart: minecraft/minecraft
     namespace: games
-    version: 4.20.0
+    version: 4.25.1
+    inherit:
+      - template: ext-tcp-routes
+      - template: default-env-values
+      - template: default-env-secrets
+
+  - name: team-fortress-2
+    chart: allangers-charts/team-fortress-2
+    namespace: team-fortress-2
+    version: 0.1.2
     inherit:
       - template: ext-tcp-routes
       - template: default-env-values

installations/monitoring/helmfile.yaml

@@ -1,21 +1,41 @@
-{{ readFile "../../common/templates.yaml" }}
-
 bases:
   - ../../common/environments.yaml
-
+  - ../../common/templates.yaml
 repositories:
   - name: bedag
     url: https://bedag.github.io/helm-charts/
   - name: prometheus-community
     url: https://prometheus-community.github.io/helm-charts
-
-
+  - name: grafana
+    url: https://grafana.github.io/helm-charts
 releases:
   - name: prometheus
     chart: prometheus-community/kube-prometheus-stack
-    namespace: monitoring
-    version: 61.3.2
+    namespace: observability
+    version: 70.1.1
     inherit:
       - template: default-env-values
       - template: default-env-secrets
       - template: crd-management-hook
+  - name: grafana
+    chart: grafana/grafana
+    namespace: observability
+    version: 8.10.4
+    installed: true
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+  - name: loki
+    chart: grafana/loki
+    namespace: observability
+    version: 6.28.0
+    inherit:
+      - template: default-env-values
+      - template: ext-secret
+      - template: ext-traefik-middleware
+  - name: promtail
+    chart: grafana/promtail
+    namespace: observability
+    version: 6.16.6
+    inherit:
+      - template: default-env-values

installations/pipelines/helmfile.yaml

@@ -1,20 +1,34 @@
-{{ readFile "../../common/templates.yaml" }}
-
 bases:
   - ../../common/environments.yaml
-
+  - ../../common/templates.yaml
 repositories:
   - name: woodpecker
     url: https://woodpecker-ci.org
+  - name: renovate
+    url: https://docs.renovatebot.com/helm-charts
   - name: bedag
     url: https://bedag.github.io/helm-charts/
-
 releases:
   - name: woodpecker-ci
     chart: woodpecker/woodpecker
     namespace: pipelines
-    version: 1.5.0
+    version: 3.0.6
     inherit:
       - template: ext-database
       - template: default-env-values
       - template: default-env-secrets
+  - name: renovate-gitea
+    chart: renovate/renovate
+    namespace: pipelines
+    version: 39.208.1
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+  - name: renovate-github
+    chart: renovate/renovate
+    installed: false
+    namespace: pipelines
+    version: 39.208.1
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets

installations/platform/helmfile.yaml

@@ -1,7 +1,6 @@
-{{ readFile "../../common/templates.yaml" }}
-
 bases:
   - ../../common/environments.yaml
+  - ../../common/templates.yaml
 
 repositories:
   - name: argo
@@ -12,45 +11,109 @@ repositories:
     url: https://zotregistry.dev/helm-charts/
   - name: bedag
     url: https://bedag.github.io/helm-charts/
-  - name: percona 
-    url: https://percona.github.io/percona-helm-charts/
+  - name: crossplane-stable
+    url: https://charts.crossplane.io/stable
+  - name: goauthentik
+    url: https://charts.goauthentik.io/
+  - name: minio-standalone
+    url: https://charts.min.io/
+  - name: kyverno
+    url: https://kyverno.github.io/kyverno/
+  - name: external-dns
+    url: https://kubernetes-sigs.github.io/external-dns/
+  - name: keel
+    url: https://keel-hq.github.io/keel/
+  - name: uptime-kuma
+    url: https://helm.irsigler.cloud
 
 releases:
-  - name: argocd
-    chart: argo/argo-cd
-    namespace: platform
-    version: 7.3.6
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-
   - name: db-operator
     namespace: platform
     chart: db-operator/db-operator
-    version: 1.27.2
+    version: 1.34.0
 
   - name: db-instances
     chart: db-operator/db-instances
     namespace: platform
     needs:
       - platform/db-operator
-    version: 2.3.4
+    version: 2.4.0
     inherit:
       - template: default-env-values
       - template: default-env-secrets
-  
+
   - name: zot
     chart: zot/zot
-    version: 0.1.57
+    version: 0.1.67
     createNamespace: false
+    installed: true
+    namespace: platform
+    condition: workload.enabled
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+
+  - name: authentik
+    chart: goauthentik/authentik
+    version: 2025.2.2
+    namespace: platform
+    createNamespace: false
+    condition: workload.enabled
+    needs:
+      - platform/db-operator
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+      - template: ext-database
+
+  - name: minio
+    chart: minio-standalone/minio
+    version: 5.4.0
     namespace: platform
     inherit:
       - template: default-env-values
       - template: default-env-secrets
 
-  - name: pg-operator
-    chart: percona/pg-operator
-    installed: false
-    version: 2.4.0
-    createNamespace: false
+  - name: kyverno
+    chart: kyverno/kyverno
+    namespace: kyverno
+    labels:
+      bootstrap: true
+    version: 3.3.7
+
+  - name: kyverno-policies
+    chart: kyverno/kyverno-policies
+    namespace: kyverno
+    labels:
+      bootstrap: true
+    version: 3.3.4
+    needs:
+      - kyverno/kyverno
+
+  - name: custom-kyverno-policies
+    chart: "../../kustomizations/kyverno/{{ .Environment.Name }}"
+    namespace: kyverno
+    labels:
+      bootstrap: true
+    needs:
+      - kyverno/kyverno
+
+  - name: external-dns
+    chart: external-dns/external-dns
+    version: 1.15.2
     namespace: platform
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+
+  - name: keel
+    chart: keel/keel
+    version: v1.0.5
+    namespace: platform
+
+  - name: uptime-kuma
+    chart: uptime-kuma/uptime-kuma
+    version: 2.21.2
+    namespace: platform
+    inherit:
+      - template: default-env-values

installations/storage/helmfile.yaml

@@ -1,49 +0,0 @@
-{{ readFile "../../common/templates.yaml" }}
-
-bases:
-  - ../../common/environments.yaml
-
-repositories:
-  - name: longhorn
-    url: https://charts.longhorn.io
-  - name: rook-release 
-    url: https://charts.rook.io/release
-  - name: local-path-provisioner
-    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=v0.0.28
-
-releases:
-  - name: rook-ceph
-    chart: rook-release/rook-ceph
-    installed: true
-    namespace: rook-ceph
-    version: v1.14.9
-    inherit:
-      - template: default-env-values
-  
-  - name: rook-ceph-cluster
-    chart: rook-release/rook-ceph-cluster
-    installed: true
-    namespace: rook-ceph
-    version: v1.14.9
-    needs:
-      - rook-ceph/rook-ceph
-    inherit:
-      - template: default-env-values
-
-  - name: longhorn
-    chart: longhorn/longhorn
-    namespace: longhorn-system
-    installed: false
-    version: 1.6.2
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-secret
-
-  - name: local-path-provisioner
-    chart: local-path-provisioner/local-path-provisioner
-    installed: false
-    createNamespace: false
-    namespace: kube-system
-    inherit:
-      - template: default-env-values

installations/system/helmfile.yaml

@@ -1,15 +1,14 @@
-{{ readFile "../../common/templates.yaml" }}
-
 bases:
   - ../../common/environments.yaml
+  - ../../common/templates.yaml
 
 repositories:
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/
   - name: metrics-server
     url: https://kubernetes-sigs.github.io/metrics-server/
   - name: jetstack
     url: https://charts.jetstack.io
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
   - name: metallb
     url: https://metallb.github.io/metallb
   - name: traefik
@@ -18,111 +17,36 @@ repositories:
     url: https://coredns.github.io/helm
   - name: cilium
     url: https://helm.cilium.io/
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
-  - name: piraeus-charts 
-    url: https://piraeus.io/helm-charts/
-  - name: vmware-tanzu 
-    url: https://vmware-tanzu.github.io/helm-charts/
+  - name: local-path-provisioner
+    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
+  - name: istio
+    url: https://istio-release.storage.googleapis.com/charts
+  - name: zot
+    url: https://zotregistry.dev/helm-charts/
 
 releases:
-  - name: namespaces
-    chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
-    namespace: kube-public
-    createNamespace: false
-    inherit:
-      - template: default-env-values
-  
-  - name: roles
-    chart: '{{ requiredEnv "PWD" }}/charts/roles'
-    namespace: kube-public
-    createNamespace: false
-    needs:
-      - kube-public/namespaces
-    inherit:
-      - template: default-env-values
-
-  - name: coredns
-    chart: coredns/coredns
-    version: 1.31.0
-    namespace: kube-system
-    inherit:
-      - template: default-env-values
-  
-  - name: snapshot-controller
-    chart: piraeus-charts/snapshot-controller
-    version: 3.0.5
-    namespace: kube-system
+  - name: istio-base
+    chart: istio/base
+    condition: istio.enabled
+    namespace: istio-system
     inherit:
       - template: crd-management-hook
 
-  - name: cilium
-    chart: cilium/cilium
-    version: 1.16.0
-    namespace: kube-system
+  - name: istio-ingressgateway
+    chart: istio/gateway
+    condition: istio.enabled
+    installed: false
+    namespace: istio-system
     needs:
-      - kube-system/coredns
+      - istio-system/istio-base
     inherit:
       - template: default-env-values
 
-  - name: cert-manager
-    chart: jetstack/cert-manager
-    version: 1.15.2
-    namespace: kube-system
+  - name: istiod
+    chart: istio/istiod
+    condition: istio.enabled
+    namespace: istio-system
+    inherit:
+      - template: default-env-values
     needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-
-  - name: issuer
-    chart: '{{ requiredEnv "PWD" }}/charts/issuer'
-    namespace: kube-public
-    needs: 
-      - kube-system/cert-manager
-    inherit:
-      - template: default-env-values
-
-  - name: metrics-server
-    chart: metrics-server/metrics-server
-    version: 3.12.1
-    namespace: kube-system
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-common-values
-
-  - name: metallb
-    chart: metallb/metallb
-    namespace: kube-system
-    version: 0.14.8
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-
-  - name: metallb-resources
-    chart: bedag/raw
-    version: 2.0.0
-    namespace: kube-system
-    needs:
-      - kube-system/metallb
-    inherit:
-      - template: ext-metallb
-      - template: default-env-values
-
-  - name: traefik
-    chart: traefik/traefik
-    version: 30.0.2
-    namespace: kube-system
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-
-  - name: velero
-    chart: vmware-tanzu/velero
-    namespace: kube-system
-    version: 7.1.4
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
+      - istio-system/istio-base

kustomizations/external-service-xray/service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: xray-external-proxy
+spec:
+  externalName: xray-public.badhouseplants.net
+  sessionAffinity: None
+  type: ExternalName
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: xray-external-proxy
+spec:
+  entryPoints:
+    - xray-public
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: xray-external-proxy
+          nativeLB: true
+          port: 27015
+

kustomizations/kyverno/add-applied-by.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-applied-by
+spec:
+  background: false
+  rules:
+    - name: add-applied-by
+      match:
+        any:
+          - resources:
+              kinds:
+                - '*'
+              namespaces:
+                - org-*
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              applied-by: "{{ request.userInfo.username }}"

kustomizations/kyverno/badhouseplants/pvc-patch.yaml

@@ -0,0 +1,58 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: replace-storage-class-by-openebs
+spec:
+  rules:
+    - name: local-path-fix
+      match:
+        any:
+          - resources:
+              kinds:
+                - PersistentVolumeClaim
+              namespaces:
+                - registry
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              volume.kubernetes.io/selected-node: bordeaux
+    - name: replace-storage-class
+      match:
+        any:
+          - resources:
+              kinds:
+                - PersistentVolumeClaim
+              namespaces:
+                - games
+                - application
+                - platform
+                - pipelines
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              volume.beta.kubernetes.io/storage-class: openebs-hostpath
+          spec:
+            storageClassName: openebs-hostpath
+            accessModes:
+              - ReadWriteOnce
+    - name: remove-unwanted-annotations
+      match:
+        any:
+          - resources:
+              kinds:
+                - PersistentVolumeClaim
+              namespaces:
+                - games
+      mutate:
+        patchesJson6902: |-
+          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
+            op: replace
+            value: openebs-hostpath
+          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
+            op: replace
+            value: openebs.io/local
+          - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
+            op: replace
+            value: openebs.io/local

kustomizations/kyverno/etersoft/pvc-patch.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: append-node-name-to-pvc
+spec:
+  rules:
+    - name: replace-storage-class
+      match:
+        any:
+          - resources:
+              kinds:
+                - PersistentVolumeClaim
+              namespaces:
+                - applications
+                - platform
+                - registry
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              volume.kubernetes.io/selected-node: yekaterinburg

manifests/app.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: test-apps
+  namespace: platform
+spec:
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+  source:
+    path: manifests/postgresql-15.5.21.tgz
+    repoURL: https://gitea.badhouseplants.net/allanger/k8s-deployment.git
+    targetRevision: main
+    helm: {}

manifests/bucket.yaml

@@ -0,0 +1,12 @@
+apiVersion: minio.crossplane.io/v1
+kind: Bucket
+metadata:
+  creationTimestamp: null
+  name: bucket-local-dev
+spec:
+  forProvider:
+    region: us-east-1
+  providerConfigRef:
+    name: provider-config
+status:
+  atProvider: {}

manifests/cilium/cilium-allow-google.yaml

@@ -0,0 +1,263 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: "cilium-policy-allow-google"
+  namespace: public-xray
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: server-xray-public
+      app.kubernetes.io/name: server-xray
+  egress:
+    - toPorts:
+        - ports:
+            - port: "53"
+              protocol: ANY
+    - toPorts:
+        - ports:
+            - port: "80"
+              protocol: ANY
+            - port: "8080"
+              protocol: ANY
+            - port: "443"
+              protocol: ANY
+            - port: "27015"
+              protocol: ANY
+            - port: "45000"
+              endPort: 60000
+              protocol: UDP
+            - port: "6672"
+              protocol: UDP
+            - port: "61455"
+              protocol: UDP
+            - port: "61457"
+              protocol: UDP
+            - port: "61456"
+              protocol: UDP
+            - port: "61458"
+              protocol: UDP
+      toEntities:
+        - world
+        #- host
+        #- remote-node
+      icmps:
+        - fields:
+            - type: EchoRequest
+              family: IPv4
+            - type: EchoReply
+              family: IPv4
+  egressDeny:
+    - toCIDR:
+        - 93.158.213.92/32
+        - 93.158.213.92/32
+        - 185.243.218.213/32
+        - 91.216.110.53/32
+        - 23.157.120.14/32
+        - 94.243.222.100/32
+        - 208.83.20.20/32
+        - 156.234.201.18/32
+        - 209.141.59.16/32
+        - 34.89.51.235/32
+        - 109.201.134.183/32
+        - 83.102.180.21/32
+        - 185.230.4.150/32
+        - 45.9.60.30/32
+        - 5.181.156.41/32
+        - 156.234.201.18/32
+        - 34.89.51.235/32
+        - 83.6.102.25/32
+        - 51.222.82.36/32
+        - 125.227.79.123/32
+        - 193.42.111.57/32
+        - 135.125.202.143/32
+        - 176.56.7.44/32
+        - 185.87.45.163/32
+        - 181.214.58.63/32
+        - 143.198.64.177/32
+        - 5.255.124.190/32
+        - 52.58.128.163/32
+        - 15.204.57.168/32
+        - 34.94.76.146/32
+        - 211.23.142.127/32
+        - 64.23.195.62/32
+        - 23.153.248.83/32
+        - 82.156.24.219/32
+        - 37.235.176.37/32
+        - 176.123.1.180/32
+        - 35.227.59.57/32
+        - 62.210.114.129/32
+        - 185.216.179.62/32
+        - 34.94.76.146/32
+        - 121.199.16.229/32
+        - 23.163.56.66/32
+        - 176.99.7.59/32
+        - 207.241.231.226/32
+        - 207.241.226.111/32
+        - 27.151.84.136/32
+        - 104.244.77.14/32
+        - 5.102.159.190/32
+        - 184.61.17.58/32
+        - 125.227.79.123/32
+        - 181.214.58.63/32
+        - 95.217.167.10/32
+        - 159.148.57.222/32
+        - 15.204.57.168/32
+        - 211.23.142.127/32
+        - 34.94.76.146/32
+        - 187.56.163.73/32
+        - 109.71.253.37/32
+        - 5.182.86.242/32
+        - 104.244.77.14/32
+        - 190.146.242.81/32
+        - 89.110.76.229/32
+        - 138.124.183.78/32
+        - 209.126.11.233/32
+        - 167.99.185.219/32
+        - 37.59.48.81/32
+        - 27.151.84.136/32
+        - 142.132.183.104/32
+        - 193.53.126.151/32
+        - 74.48.17.122/32
+        - 93.158.213.92/32
+        - 156.234.201.18/32
+        - 35.227.59.57/32
+        - 34.89.51.235/32
+        - 34.94.76.146/32
+        - 184.61.17.58/32
+        - 125.227.79.123/32
+        - 104.21.58.176/32
+        - 172.67.162.102/32
+        - 181.214.58.63/32
+        - 93.185.165.29/32
+        - 95.217.167.10/32
+        - 159.148.57.222/32
+        - 15.204.57.168/32
+        - 211.75.210.220/32
+        - 125.227.79.123/32
+        - 211.23.142.127/32
+        - 172.67.165.72/32
+        - 104.21.57.182/32
+        - 35.227.59.57/32
+        - 34.89.51.235/32
+        - 34.94.76.146/32
+        - 187.56.163.73/32
+        - 109.71.253.37/32
+        - 5.182.86.242/32
+        - 104.244.77.14/32
+        - 193.53.126.151/32
+        - 104.19.22.31/32
+        - 104.19.22.22/32
+        - 104.19.22.27/32
+        - 104.19.22.23/32
+        - 104.19.22.30/32
+        - 104.19.22.24/32
+        - 104.19.22.26/32
+        - 104.19.22.29/32
+        - 104.19.22.32/32
+        - 104.19.22.28/32
+        - 104.19.22.25/32
+        - 74.48.17.122/32
+        - 184.61.17.58/32
+        - 104.21.62.230/32
+        - 172.67.139.235/32
+        - 172.67.135.244/32
+        - 104.21.26.114/32
+        - 104.21.72.244/32
+        - 172.67.136.175/32
+        - 172.67.183.130/32
+        - 104.21.64.112/32
+        - 104.26.10.105/32
+        - 104.26.11.105/32
+        - 172.67.70.119/32
+        - 172.67.144.128/32
+        - 104.21.71.114/32
+        - 172.67.161.130/32
+        - 104.21.65.89/32
+        - 172.67.156.75/32
+        - 104.21.40.186/32
+        - 65.21.91.32/32
+        - 184.61.17.58/32
+        - 104.21.82.111/32
+        - 172.67.200.173/32
+        - 104.21.13.129/32
+        - 172.67.200.14/32
+        - 104.21.89.147/32
+        - 172.67.160.224/32
+        - 172.67.139.235/32
+        - 104.21.62.230/32
+        - 93.158.213.92/32
+        - 185.243.218.213/32
+        - 91.216.110.53/32
+        - 23.157.120.14/32
+        - 94.243.222.100/32
+        - 208.83.20.20/32
+        - 156.234.201.18/32
+        - 209.141.59.16/32
+        - 34.94.76.146/32
+        - 35.227.59.57/32
+        - 34.89.51.235/32
+        - 109.201.134.183/32
+        - 83.102.180.21/32
+        - 185.230.4.150/32
+        - 45.9.60.30/32
+        - 5.181.156.41/32
+        - 83.6.102.25/32
+        - 54.39.48.3/32
+        - 51.222.82.36/32
+        - 125.227.79.123/32
+        - 193.42.111.57/32
+        - 135.125.202.143/32
+        - 176.56.7.44/32
+        - 185.87.45.163/32
+        - 93.185.165.29/32
+        - 181.214.58.63/32
+        - 143.198.64.177/32
+        - 5.255.124.190/32
+        - 52.58.128.163/32
+        - 15.204.57.168/32
+        - 35.227.59.57/32
+        - 34.89.51.235/32
+        - 34.94.76.146/32
+        - 211.23.142.127/32
+        - 211.75.210.220/32
+        - 125.227.79.123/32
+        - 64.23.195.62/32
+        - 51.81.222.188/32
+        - 23.153.248.83/32
+        - 82.156.24.219/32
+        - 37.235.176.37/32
+        - 51.15.41.46/32
+        - 176.123.1.180/32
+        - 104.244.77.87/32
+        - 34.94.76.146/32
+        - 34.89.51.235/32
+        - 35.227.59.57/32
+        - 62.210.114.129/32
+        - 185.216.179.62/32
+        - 34.94.76.146/32
+        - 34.89.51.235/32
+        - 35.227.59.57/32
+        - 121.199.16.229/32
+        - 35.227.59.57/32
+        - 34.89.51.235/32
+        - 34.94.76.146/32
+        - 23.163.56.66/32
+        - 176.99.7.59/32
+        - 207.241.231.226/32
+        - 207.241.226.111/32
+        - 27.151.84.136/32
+        - 51.159.54.68/32
+        - 104.244.77.14/32
+        - 5.102.159.190/32
+        - 190.146.242.81/32
+        - 89.110.76.229/32
+        - 89.47.160.50/32
+        - 138.124.183.78/32
+        - 209.126.11.233/32
+        - 167.99.185.219/32
+        - 27.151.84.136/32
+        - 37.59.48.81/32
+        - 27.151.84.136/32
+        - 142.132.183.104/32
+        - 159.148.57.222/32
+        - 159.148.57.222/32

manifests/cilium/cilium-policy.yaml

@@ -0,0 +1,17 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: "cilium-policy-allow-dns"
+  namespace: public-xray
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: server-xray-public
+      app.kubernetes.io/name: server-xray
+  egress:
+    - toPorts:
+        - ports:
+            - port: "53"
+              protocol: ANY
+    - toCIDR:
+      - 1.1.1.1/32

manifests/debug.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: debug
+spec:
+  containers:
+    - args:
+        - -c
+        - sleep 1000
+      command:
+        - sh
+      image: ubuntu:latest
+      imagePullPolicy: Always
+      name: server-xray
+  dnsPolicy: ClusterFirst

manifests/longhorn-snapshot-class.yaml

@@ -0,0 +1,10 @@
+kind: VolumeSnapshotClass
+apiVersion: snapshot.storage.k8s.io/v1
+metadata:
+  name: longhorn-snapshot-vsc
+  labels:
+    velero.io/csi-volumesnapshot-class: "true"
+driver: driver.longhorn.io
+deletionPolicy: Delete
+parameters:
+  type: bak

manifests/minio-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+stringData:
+  AWS_ACCESS_KEY_ID: minio
+  AWS_SECRET_ACCESS_KEY: minio123
+kind: Secret
+metadata:
+  name: minio-secret

manifests/minio-tf-workspace.yaml

@@ -0,0 +1,166 @@
+apiVersion: tf.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: minio
+spec:
+  configuration: |
+    provider minio {
+      // required
+      minio_server   = "s3-new.badhouseplants.net:443"
+      minio_region   = "us-east-1"
+      minio_ssl      = "true"
+    }
+
+    terraform {
+      backend "kubernetes" {
+        secret_suffix     = "minio-tf-state"
+        namespace         = "platform"
+        in_cluster_config = true
+      }
+      required_providers {
+         minio = {
+           source = "aminueza/minio"
+           version = "2.4.3"
+         }
+      }
+    }
+---
+apiVersion: tf.upbound.io/v1beta1
+kind: Workspace
+metadata:
+  name: example-bucket-creation
+spec:
+  providerConfigRef:
+    name: minio
+  writeConnectionSecretToRef:
+    namespace: platform
+    name: tf-minio-state-output
+  forProvider:
+    source: Inline
+    env:
+      - name: MINIO_PASSWORD
+        secretKeyRef:
+          namespace: platform
+          name: minio-secret
+          key: AWS_SECRET_ACCESS_KEY
+      - name: MINIO_USER
+        secretKeyRef:
+          namespace: platform
+          name: minio-secret
+          key: AWS_ACCESS_KEY_ID
+    module: |
+      resource "minio_s3_bucket" "states" {
+        bucket = "states"
+      }
+
+      resource "minio_iam_user" "terraform" {
+         name = "terraform"
+         force_destroy = true
+         tags = {
+          service = "terraform"
+        }
+      }
+      resource "minio_iam_policy" "terraform" {
+        name = "state-terraform"
+        policy= <<EOF
+      {
+        "Version":"2012-10-17",
+        "Statement": [
+          {
+            "Sid":"terraform",
+            "Effect": "Allow",
+            "Action": ["s3:PutObject"],
+            "Resource": "arn:aws:s3:::state-terraform-s3/*"
+          }
+        ]
+      }
+      EOF
+      }
+      
+      resource "minio_iam_user_policy_attachment" "terraform" {
+        user_name   = minio_iam_user.terraform.id
+        policy_name = minio_iam_policy.terraform.id
+      }
+    
+      output "MINIO_USERNAME" {
+        value       = minio_iam_user.terraform.id
+      }
+
+      output "MINIO_PASSWORD" {
+        value       = minio_iam_user.terraform.secret
+        sensitive   = true
+      }
+---
+apiVersion: tf.upbound.io/v1beta1
+kind: ProviderConfig
+metadata:
+  name: minio-backend
+spec:
+  configuration: |
+    provider minio {
+      // required
+      minio_server   = "s3-new.badhouseplants.net:443"
+      minio_region   = "us-east-1"
+      minio_ssl      = "true"
+    }
+
+    terraform {
+      backend "s3" {
+        bucket = "states"
+        key    = "test"
+        region = "us-east-1"
+        endpoint = "https://s3-new.badhouseplants.net"
+        use_path_style = true
+
+        skip_credentials_validation = true
+
+        skip_metadata_api_check     = true
+        skip_region_validation      = true
+      }
+
+      required_providers {
+         minio = {
+           source = "aminueza/minio"
+           version = "2.4.3"
+         }
+      }
+    }
+---
+apiVersion: tf.upbound.io/v1beta1
+kind: Workspace
+metadata:
+  name: try-backend
+spec:
+  providerConfigRef:
+    name: minio-backend
+  writeConnectionSecretToRef:
+    namespace: platform
+    name: tf-minio-state-output
+  forProvider:
+    source: Inline
+    env:
+      - name: MINIO_PASSWORD
+        secretKeyRef:
+          namespace: platform
+          name: tf-minio-state-output
+          key: MINIO_PASSWORD
+      - name: MINIO_USER
+        secretKeyRef:
+          namespace: platform
+          name: tf-minio-state-output
+          key: MINIO_USERNAME
+      - name: AWS_ACCESS_KEY_ID
+        secretKeyRef:
+          namespace: platform
+          name: minio-secret
+          key: AWS_ACCESS_KEY_ID
+      - name: AWS_SECRET_ACCESS_KEY
+        secretKeyRef:
+          namespace: platform
+          name: minio-secret
+          key: AWS_SECRET_ACCESS_KEY
+    module: |
+      resource "minio_s3_bucket" "states" {
+        bucket = "states-test"
+      }
+

manifests/network-policy.yaml

@@ -0,0 +1,32 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: default-deny-all
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-internet-only
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+      ports:
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+            except:
+              - 10.0.0.0/8
+              - 192.168.0.0/16
+              - 172.16.0.0/20

manifests/peerauth.yaml

@@ -0,0 +1,8 @@
+apiVersion: security.istio.io/v1
+kind: PeerAuthentication
+metadata:
+  name: default
+  namespace: public-xray
+spec:
+  mtls:
+    mode: STRICT

manifests/values.yaml

@@ -0,0 +1,4 @@
+rsync:
+  nodeName: copenhagen
+sshd: 
+  nodeName: copenhagen

renovate.json

@@ -0,0 +1,11 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "helmfile": {
+    "fileMatch": [
+      "(^|/)helmfile.*\\.ya?ml(?:\\.gotmpl)?$"
+    ]
+  }
+}

scripts/add_xray_user.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+set -e
+
+CONFIG=$(sops -d ./values/badhouseplants/secrets.server-xray-public.yaml | yq '.files.config.entries."config.json".data' | jq)
+
+read -p "Enter fullname (Ivan Ivanov): " FULLNAME
+read -p "Enter email (ivan@fakemail.net): " EMAIL
+PASS=$(openssl rand -base64 10)
+
+CONFIG_ENTRY=$(cat <<-EndOfMessage
+[
+{
+  "id": "${FULLNAME} ${PASS}",
+  "flow": "xtls-rprx-vision",
+  "level": 0,
+  "email": "${EMAIL}"
+}
+]
+EndOfMessage
+)
+
+echo "You're about to add a following entry to the config, is it correct?"
+echo "${CONFIG_ENTRY}"
+read -p "Type 'YES' to continue " AGREE
+
+if [ "${AGREE}" != "YES" ]; then echo "Alright, goodbye" && exit 1; fi
+
+NEW_CONFIG=$(jq '.inbounds[].settings.clients += '"${CONFIG_ENTRY}"'' <<< "${CONFIG}" | jq)
+echo $NEW_CONFIG
+echo "Does the diff looks correct?"
+diff <(echo $CONFIG) <(echo $NEW_CONFIG) || true
+read -p "Type 'YES' to continue " AGREE
+if [ "${AGREE}" != "YES" ]; then echo "Alright, goodbye" && exit 1; fi
+
+WORKDIR=$(mktemp -d)
+export NEW_CONFIG
+sops -d ./values/badhouseplants/secrets.server-xray-public.yaml | yq '.files.config.entries."config.json".data = strenv(NEW_CONFIG)' > ./values/badhouseplants/secrets.server-xray-public.yaml && sops -e ./values/badhouseplants/secrets.server-xray-public.yaml
+
+helmfile -e badhouseplants -f ./installations/applications -l name=server-xray-public diff
+

scripts/find_unused_values.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+if ! [ -z $DISABLE_ADDITIONAL_CHECKS ]; then
+    echo "Check is disabled"
+    exit 0
+fi
+# -- Get all the envs from the current helmfile installation
+ENVS=$(yq '.environments | keys | .[]' ./common/environments.yaml)
+
+ALL_VALUES=$(find ./values -type f)
+
+USED_VALUES=""
+for ENV in $ENVS; do
+    USED_VALUES="$(helmfile --log-level error -e  $ENV build | yq '.releases[].values[]'):$USED_VALUES"
+    USED_VALUES="$(helmfile --log-level error -e $ENV build| yq '.releases[].secrets[]'):$USED_VALUES"
+done
+
+UNUSED_VALUES=""
+for FILE in $ALL_VALUES; do
+    if [[ ${USED_VALUES} != *"$FILE"* ]]; then
+        UNUSED_VALUES="${FILE}\n${UNUSED_VALUES}"
+    fi
+done
+
+if [ -z "${UNUSED_VALUES}" ]; then
+    exit 0;
+fi
+
+printf "\n ** There are unused values in the repo ** \n"
+printf "${UNUSED_VALUES}\n"
+printf "Please remove them from the repo to keep it clean"
+exit 1

scripts/get_public_trackers.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_ip.txt | sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'
+
+for http in $(curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_http.txt| sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'); do
+    RES=$(dig +short $http)
+    if [[ "${RES}" =~ [a-z] ]]; then
+        RES=$(dig +short $RES)
+    fi
+    for res in $RES; do
+        echo $res;
+    done
+done
+
+for http in $(curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_https.txt| sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'); do
+    RES=$(dig +short $http)
+    if [[ "${RES}" =~ [a-z] ]]; then
+        RES=$(dig +short $RES)
+    fi
+    for res in $RES; do
+        echo $res;
+    done
+done
+
+for http in $(curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_udp.txt| sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'); do
+    RES=$(dig +short $http)
+    if [[ "${RES}" =~ [a-z] ]]; then
+        RES=$(dig +short $RES)
+    fi
+    for res in $RES; do
+        echo $res;
+    done
+done
+
+for http in $(curl https://raw.githubusercontent.com/ngosang/trackerslist/refs/heads/master/trackers_all_ws.txt| sed -e 's/.*:\/\/\(.*\):.*/\1/' | sed -e '/^[[:space:]]*$/d'); do
+    RES=$(dig +short $http)
+    if [[ "${RES}" =~ [a-z] ]]; then
+        RES=$(dig +short $RES)
+    fi
+    for res in $RES; do
+        echo $res;
+    done
+done

scripts/lint_all_envs.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+if ! [ -z $DISABLE_ADDITIONAL_CHECKS ]; then
+    echo "Check is disabled"
+    exit 0
+fi
+# -- Get all the envs from the current helmfile installation
+ENVS=$(yq '.environments | keys | .[]' ./common/environments.yaml)
+
+
+FAILED_LINTERS=""
+for ENV in $ENVS; do
+    if ! helmfile -e $ENV lint; then FAILED_LINTERS="$ENV\n$FAILED_LINTERS"; fi
+done
+if ! [ -z $FAILED_LINTERS ]; then
+    printf "\n\nSome env can't pass the linter:\n $FAILED_LINTERS"
+    exit 1
+fi
+
+echo "The linter is happy"

scripts/sops_check.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -e
+
+# -- Default exit status, that should be thrown
+# -- when all the secrets are encrypted
+EXIT_STATUS=0
+
+for secrets in $(find . -type 'f' -name 'secrets.*'); do
+    echo "Checking ${secrets}"
+    STATUS=$(sops filestatus $secrets)
+    if [[ "${STATUS}" == *"false"* ]]; then
+        echo "ERROR: Found an unencrypted secret: $secrets"
+        EXIT_STATUS=1
+        sops encrypt -i $secrets;
+    fi;
+done
+
+exit "${EXIT_STATUS}"

scripts/sops_dec_enc.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+for file in $(find values -type f -depth 2 -name "secrets.*"); do
+  echo $file
+  sops decrypt -i $file
+  sops encrypt -i $file
+done

scripts/sops_rotate.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+for file in $(find values -type f -depth 2 -name "secrets.*"); do sops updatekeys $file; done
+for file in $(find values -type f -depth 2 -name "secrets.*"); do sops rotate -i $file; done

values/badhouseplants/kube-system/namespaces/secrets.yaml

@@ -0,0 +1,21 @@
+defaultRegcred: ENC[AES256_GCM,data:lsqr2fBEosOQqYLBwps1hmgFs90zkzbdHpO8UwJWcMl1/CGkyzroACqHkL8taaOnnvwWwadIL8FU3382jamw0Xk5O51bFSBbCxTs3xd4ibwe39ha5YI6YQDHADDb/u1Yw4TctJ/h9xykXHDOL4foE5Z860e16vtMiVvniLD9OGfR6utb9gvZHE2QqZTlHR9U4PY2vLWWQMN3VRvipT7hulmOUzXMVcuBswmyDF39PvTba6Ea7A83V9h6HpqNeSA1ewKREIDOFqjhl7tIit8aQnuee58bJCTVIdg6gyR6yfu6sF22wdUlsJ7CAHtd41sbhEhWGyzJIqg=,iv:J1CfAJmNpI7lgQalYJlXs+JX5I0e6COGrsenMhvDGLA=,tag:nHkq8VF47I/9FS8uGcEyuw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWHpPUkZqbC9LaEtJYzhF
+            L0hIZUtOa3E4KzJDOFlwaFRVWDdJRnBtR1ZjCnVLNzhyQkdxS2dtK2lFaWRJUkJq
+            dThURHRTRG5GT1BqaTZRbzlUbXYzWHMKLS0tIFRSa1lkSGQrN1RGdklzYzZNU3BH
+            ZE0wMk1sRGg1M1lrNVFMTityK3cwK00Kbhugumz27RVo1SJjaljEbklHY6CW7xGD
+            UCbN0LGh5PPpN6eCbZW8dB1+/lLR9AnyYr6okrGM2iztaJQdlwRvww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-27T10:24:56Z"
+    mac: ENC[AES256_GCM,data:xGqmh1TPg0OJLSycbnjsF4Ai844ZzlCzawQXmROpORJEiSL/3R1W+2PsBT5KcAfG7y2+Ovyk+l1FeorIPuqnbcezX9zUxMOaFXJylmwvNYXCwoihU6Yx2hg9SuFhnwINAhCLqOaRKIh8xPUaK8nRVqwJJa0jW6eCyZ5lsLtpz90=,iv:pmPfpSv3VfVz/MvTGTWoMxzkF3BvCMhK+HxEeN5pzNI=,tag:WkLcTz/WlLXmq8EojHfdlA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/kube-system/namespaces/values.yaml

@@ -0,0 +1,26 @@
+namespaces:
+  - name: registry
+  - name: kube-system
+    defaultRegcred: true
+  - name: kyverno
+    defaultRegcred: true
+  - name: velero
+    defaultRegcred: true
+  - name: observability
+  - name: databases
+  - name: istio-system
+    defaultRegcred: true
+  - name: applications
+    defaultRegcred: true
+    labels:
+      istio-injection: enabled
+  - name: platform
+    defaultRegcred: true
+  - name: games
+  - name: team-fortress-2
+  - name: pipelines
+  - name: public-xray
+    labels:
+      istio-injection: disabled
+  - name: org-badhouseplants
+  - name: org-allanger

values/badhouseplants/kube-system/openebs/values.yaml

@@ -0,0 +1,37 @@
+localpv-provisioner:
+  hostpathClass:
+    isDefaultClass: true
+
+zfs-localpv:
+  crds:
+    zfsLocalPv:
+      enabled: false
+lvm-localpv:
+  crds:
+    lvmLocalPv:
+      enabled: false
+mayastor:
+  csi:
+    node:
+      initContainers:
+        enabled: false
+  etcd:
+    # -- Kubernetes Cluster Domain
+    clusterDomain: cluster.local
+  localpv-provisioner:
+  crds:
+    enabled: false
+openebs-crds:
+  csi:
+    volumeSnapshots:
+      enabled: false
+      keep: true
+engines:
+  local:
+    lvm:
+      enabled: false
+    zfs:
+      enabled: false
+  replicated:
+    mayastor:
+      enabled: false

values/badhouseplants/kube-system/roles/values.yaml

@@ -0,0 +1,24 @@
+roles:
+  - name: xray-admin
+    namespace: public-xray
+    kind: Role
+    rules:
+      - apiGroups: ["*"]
+        resources: ["*"]
+        verbs: ["*"]
+        namespace: ["public-xray"]
+bindings:
+  - name: woodpecker-ci
+    namespace: pipelines
+    kind: ClusterRoleBinding
+    subjects:
+      - kind: ServiceAccount
+        namespace: pipelines
+        name: woodpecker-ci
+    roleRef:
+      kind: ClusterRole
+      name: cluster-admin
+      apiGroup: rbac.authorization.k8s.io
+sa:
+  - name: woodpecker-ci
+    namespace: pipelines

values/badhouseplants/kube-system/traefik/values.yaml

@@ -0,0 +1,137 @@
+service:
+  annotations:
+    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+  spec:
+    externalTrafficPolicy: Local
+ports:
+  websecure:
+    transport:
+      respondingTimeouts:
+        readTimeout: 0
+        idleTimeout: 0
+        writeTimeout: 0
+        forwardedHeaders:
+          trustedIPs:
+            - "192.168.0.0/16"
+        proxyProtocol:
+          trustedIPs:
+            - "192.168.0.0/16"
+  ssh:
+    port: 22
+    expose:
+      default: true
+    exposedPort: 22
+    protocol: TCP
+  openvpn:
+    port: 1194
+    expose:
+      default: true
+    exposedPort: 1194
+    protocol: TCP
+  xray-public:
+    port: 27015
+    expose:
+      default: true
+    exposedPort: 27015
+    protocol: TCP
+  xray-edge:
+    port: 27016
+    expose:
+      default: true
+    exposedPort: 27016
+    protocol: TCP
+  smtp:
+    port: 25
+    protocol: TCP
+    exposedPort: 25
+    expose:
+      default: true
+      proxyProtocol:
+        trustedIPs:
+          - "192.168.0.0/16"
+  smtps:
+    port: 465
+    protocol: TCP
+    exposedPort: 465
+    expose:
+      default: true
+    proxyProtocol:
+      trustedIPs:
+        - "192.168.0.0/16"
+  smtp-startls:
+    port: 587
+    protocol: TCP
+    exposedPort: 587
+    expose:
+      default: true
+    proxyProtocol:
+      trustedIPs:
+        - "192.168.0.0/16"
+  imap:
+    port: 143
+    protocol: TCP
+    exposedPort: 143
+    expose:
+      default: true
+    proxyProtocol:
+      trustedIPs:
+        - "192.168.0.0/16"
+  imaps:
+    port: 993
+    protocol: TCP
+    exposedPort: 993
+    expose:
+      default: true
+    proxyProtocol:
+      trustedIPs:
+        - "192.168.0.0/16"
+  pop3:
+    port: 110
+    protocol: TCP
+    exposedPort: 110
+    expose:
+      default: true
+  pop3s:
+    port: 995
+    protocol: TCP
+    exposedPort: 995
+    expose:
+      default: true
+    proxyProtocol:
+      trustedIPs:
+        - "192.168.0.0/16"
+
+  minecraft:
+    port: 25565
+    protocol: TCP
+    exposedPort: 25565
+    expose:
+      default: true
+
+  game-udp:
+    port: 37015
+    protocol: UDP
+    exposedPort: 37015
+    expose:
+      default: true
+
+      #  tf2-rcon:
+      #    port: 37015
+      #    protocol: TCP
+      #    exposedPort: 37015
+      #    expose:
+      #      default: true
+
+      #  ssocks-etcp:
+      #    port: 8444
+      #    protocol: TCP
+      #    exposedPort: 8443
+      #    expose:
+      #      default: true
+      #
+      #  ssocks-eudp:
+      #    port: 8445
+      #    protocol: UDP
+      #    exposedPort: 8443
+      #    expose:
+      #      default: true

values/badhouseplants/org-allanger/app-tandoor-recipes/secrets.yaml

@@ -0,0 +1,25 @@
+env:
+    secrets:
+        data:
+            SECRET_KEY: ENC[AES256_GCM,data:bLecWaJafPbXT2/dvKt3R2KNfuxxgQ6yLxviYbOf,iv:liuexfgYScH+eg/qSO23SQxE7hKpudgkOH3JRDkaa+A=,tag:DEcAbY6rg7mQnhsnukWtFA==,type:str]
+            SOCIALACCOUNT_PROVIDERS: ENC[AES256_GCM,data:kx9ziZhxWcWTu1UG7BPi/sdG1tHhzugq65xxL3IPVx8i1oHXwy+00KaOEsIYP+TJqX5516Zq6JqtXe9dQwI4uVIy538FdXeEQDHKNS0xesSx8jG0tKa71GiqyQGBrBBxiy144za9y1QHB9k1pvuaza8mVEQOoktmMFfiHzEOhYDQxIzTulOMWxN2ImTsYSupHS6HLR13gDCyROVDzj1Io/U1VHxN5RZBPiqthNiB+/Aj+2FuCwAaxgEE6VVNFJlghi2yiZbl/PvZ3MDT+dAx/NijawVt0qdBBmPvB3jKZkgRN2tyystGiu47hnLosuzjrOjAMA6rP7XkT2gQ5e6hoLlJxWD5IiAHI+gQK7REbyJrEmSwwH0aCVsd1H4FOBNk+rfKpTIr7sRZFTVcZLtUdTZW6EW0XWmrBBPr5jodmouoFZY+dGlWP1vQkG+2eymw5aJCan0oq+x+J9dB+CVZc/2M1zBeRa6Crg7w3smCqOr46jkaRxfoDxV2NdRSla5zkwwFSS7MqPYlqre2oW+pgP7lvRa4MW9++5q+Zg==,iv:RZMNm66PhTWvjJG5jtpJW22TFInHw8LT04qui3fMLgA=,tag:ETMqmFO/8Kve/W55WP21dA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcTM5RTNIakwwZHNrQXE2
+            U2FsK1gwMDhUTDd1MVorbENtQXdnZjYrM1c4CmNQaG5TcU9wK25qQUg5a29UUXBK
+            WlZHK0M0dHEvZWVyZmJzR0RLU1pGWmMKLS0tIGk4TFArQnJyTWJJa3FJRlJhY0do
+            ZE81bENWM3ZUdlR0N2RKMnJkUnJxSG8Ky2ngwj6ZnToGhnAJChU8NXUG+XPPZc2F
+            fOD35BFO5bUNe+V8MkDLae+GQ1hr55r4WnvFpSWywRIjCFYmUJHTgQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-22T12:32:43Z"
+    mac: ENC[AES256_GCM,data:khcLV/lPaY6J5QQmX8466jx9bsXn+NwA3TLIUYs9ipKa539OjIWstwyydVxILSBCwEWGEW86c8EzLBwptBBgg6gehfRJAax5TAn0lBd1lAAiAxZhdNpc2tfoaMaUWfWdpwYjdrtnvAlAkN3/16nvx+TIq7WdU/cWsic96PqhU0A=,iv:I81QvtZ7S+mSAzoXhU0YBMN0L4K+SRHW3UtcSLxwK5s=,tag:gAeAIjyJ13A8gfE7ppBeRg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-allanger/app-tandoor-recipes/values.yaml

@@ -0,0 +1,57 @@
+shortcuts:
+  hostname: tandoor.badhouseplants.net
+ext-database:
+  enabled: true
+  name: tandoor-postgres17
+  instance: postgres17
+  credentials:
+    POSTGRES_HOST: "{{ .Hostname }}"
+    POSTGRES_PORT: "{{ .Port }}"
+workload:
+  kind: Deployment
+  strategy:
+    type: RollingUpdate
+  containers:
+    tandoor:
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+      envFrom:
+        - main
+        - secrets
+        - secretRef:
+            name: tandoor-postgres17-creds
+          extraVolumes:
+            common:
+              path: /opt/recipes
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8080
+        initialDelaySeconds: 10
+        failureThreshold: 30
+        periodSeconds: 10
+ingress:
+  main:
+    class: traefik
+    annotations:
+      kubernetes.io/ingress.class: traefik
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+extraVolumes:
+  common:
+    emptyDir: {}
+env:
+  main:
+    enabled: true
+    sensitive: false
+    data:
+      DB_ENGINE: django.db.backends.postgresql
+      SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
+      REMOTE_USER_AUTH: 1
+      SOCIAL_DEFAULT_ACCESS: 1
+      SOCIAL_DEFAULT_GROUP: guest

values/badhouseplants/org-badhouseplants/app-gitea/secrets.yaml

@@ -0,0 +1,50 @@
+gitea:
+    admin:
+        username: ENC[AES256_GCM,data:U230S8544mg=,iv:yL45Opnqp5T4h7erEv0pRHWtH1th8uu1Y4wfeY2aJcQ=,tag:a4vsJEOxlmHj1mwqcUGbiw==,type:str]
+        password: ENC[AES256_GCM,data:IpwOetFEvxt0/tGkiJ8bBI+OR/E=,iv:8OA48CiWeMyqZVs2lp+UzfyymUNQfdgmAQV33+AVQ+s=,tag:stgAMSnB5dCzFu4zvZeVRA==,type:str]
+    config:
+        storage:
+            MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:cn3NsFx0TH0fw6mJt6cArMRyQ6Qng3gIPQ==,iv:Jv+rweQzEXfVWuWycjGSi54jRAm0XEEcNxZ6flbUZWM=,tag:6O9KvcnaVEME5lXl6msZLw==,type:str]
+        mailer:
+            PASSWD: ENC[AES256_GCM,data:3UL0uvz49J3GIOo/eVWKYLrDG+u/lvCr8Q==,iv:HBQKF42R3tHFQxkUoRzsiPCUkFM40qpjM0SYrQSxugE=,tag:iua/nXoogjxnkj9T6UB/Sw==,type:str]
+        database:
+            PASSWD: ENC[AES256_GCM,data:DbL7wryYRQAEzujWNL4I0AwEq6Cr2r78FXQOAw==,iv:Oc2IYwD7iy7AlYVnhvSc61ttOf20qJyuuDnx4yF3/YE=,tag:aLa8+r0kYvzFSuF3hvhL2w==,type:str]
+        session:
+            PROVIDER_CONFIG: ENC[AES256_GCM,data:owsHUHdmzGiFgtD3+nRBmHYKcsNQXblbuCO8V0tLAAMvJBRHSA5YG1TL3Quy2186yoZCPiAdeQwg/o2Iutk2Mlc6/NmeurZbxomV8dWBuqJfn6t44xnDgFnEXpxE5kB5lNCtcjKXmpxC4fkoUVscOyZFmKp9uTgH,iv:evmTZH5NzMB3nhqLhuBmTTF4ztJX9a/ZMTOmYMqSaxs=,tag:dLnk9xt+moGoBhx7tqazig==,type:str]
+        cache:
+            HOST: ENC[AES256_GCM,data:feiTcBqztm76LZgNShj0Go0IRNgG9UwCQP9KrdexosP2XCnSe+giyKoIcADiHQFYVbnnkpw7/UqNxgM0Tx+EQ9eyFKY+PaFyCSFmQwikmAWakDJ+hQNM1VaNaDKdeLiGIeI7nO2MH9hGDMzPWtUgMNBxc9tTS38l,iv:Rcr+uiZMWbG9IPeMm+eiNf3W3yz2L7yqSkJSKUhWHtk=,tag:3cLuUAEU6CZvvUYKF1cCAQ==,type:str]
+        queue:
+            CONN_STR: ENC[AES256_GCM,data:Mw7W72M3HitiAEG1ihWctXyYqHJuSiKBZvQDDRjA4O9Yg9Zsbq+/HVcnh074zbiTjCO/496FLiy88HuAw8lksZ7MXXVvRI7rIcFKFZLpHcjAqkBnB301SGalK/R4bSisECsYIFPjKuh+s4PIuPEIgFtZuiEvYdbT,iv:uYwjzUObav2Hs/JgRIYbGBFNcZm++qS2QqKpz6Ma6EA=,tag:0okDz0yzL4eSat/0roYJ2A==,type:str]
+    oauth:
+        - name: ENC[AES256_GCM,data:sN+DzBKd,iv:0HNSbQEDLsV76DIRHdWnPs9SI/bHRZz6Fw+8B8Hhuns=,tag:mwTWy9VSXapPu3uLk7LgSQ==,type:str]
+          provider: ENC[AES256_GCM,data:m74moJ8h,iv:QfE5F3vpIlEzIftHlX/qpNvsnAab8gTd4CHyECHNcmQ=,tag:JefFm9mfYJSKzBDOb/l6BA==,type:str]
+          key: ENC[AES256_GCM,data:7ScP3oXE0zTnaqL3AigHby39fMk=,iv:sXllPawkQ5BcKmC1iBUJ2WOEPK2lm6W3q+GrprHZhAc=,tag:vSCB9w5x6jjPNu5b5ZEMzw==,type:str]
+          secret: ENC[AES256_GCM,data:XG9D5IUX4MqJzKf+aB7MCeDJAQlIzMxSv3ByAZQAdZCI+5my+cMfeg==,iv:s3e0wFznoX55MeEQj+dK0QrzzatGzDBKfT4xDD00cOA=,tag:vk32YQcPs0kAIOj61YwHww==,type:str]
+        - name: ENC[AES256_GCM,data:eBSL9xrBDN50,iv:TiC3jjpfwS6A9x6PAkMIorwJ9CecxblzEFt5+ZmSW6I=,tag:XA6UrnJbkUyDBgOY9xfIPw==,type:str]
+          provider: ENC[AES256_GCM,data:yh4TBYDI2R0a4f1qSg==,iv:hx8pAuo//U+YY5a2cq/KyoK4qcKbSXWtkrDvACWLU2c=,tag:uJ9JNWdDjb0eTS0ZJXHDaw==,type:str]
+          skip_local_2fa: ENC[AES256_GCM,data:8YwpOw==,iv:2R3Zc4HK/U31SVcXR3xi9J/kJySR3osA8xN3YhvRxBk=,tag:SzBFOwEmczW59SHLGCMb5Q==,type:str]
+          key: ENC[AES256_GCM,data:rLR8ve4=,iv:qOVIBiFjsOrrRg/mca5l7SHc2GdVAdyz0TV3Q7lJlQg=,tag:tYEzx7SoeoAC9/lgWU91uA==,type:str]
+          secret: ENC[AES256_GCM,data:r7sWVeqWTnqbt7ArzpADD5A1fYU6+KSpLohWJuSbEUyPAzOSxfZGxSYNfAwaxACOgmJJnxUeQ9l71nyUDWzGMrFkLr+o+WcQmSTPV3+3iMHDsTdgjEb+tIZFdi0Z5PJ8DCBxjckmbG5cx3O3Kyrjc24SNHCVb62lhduZH1fIlT0=,iv:kvtMCpiOUx10zTKt/ZYQh3leYaY9+v169Sq+sYIScHQ=,tag:t8txjt3xuVKWA7QgBJYuiw==,type:str]
+          autoDiscoverUrl: ENC[AES256_GCM,data:SG2ev/BshOBP0NQnpZRQErZDAEWdReiwp2pb2JJBWZmFvC67//t8WZu1/wilfQjJvJdsDGwk9Rwncoxya5Fb9uKYDAQKzqULJk70Er9pyNaowFbMxiMm+ws=,iv:B9GM9MLIrKTtRfyDxltlFvvm01aRCTQnyiemH4qzjGs=,tag:Wqji+fKliEGJRZ4inTmbXw==,type:str]
+          iconUrl: ENC[AES256_GCM,data:lcW3npgyrc50GIYCyTh5Gpht2CU6hX67j13XNOvGQybU2dsA9BtqpmH0OMQz4b1g/XkuHAp5j3I0wLnGvhXXf4mEugzt8g==,iv:X/kHS77OJLDuNN2lTAWLqPARJ1QZMY1ImuS+xmkUlgM=,tag:0ZRh7eH6dYdZd250Lb/+xA==,type:str]
+          scopes: ENC[AES256_GCM,data:GtTGDrDZwU1r5vEsxg==,iv:/7yMuJpxlML3R1X8onDSFbJVwpYFtnLamaI+X148Tlk=,tag:e8HkvzdpkhDvedVzm7jG3w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6d2JneUUzM1VkM1lvclA3
+            aC9wMGpKSGU5ZnVaUTNlVDNsMlNaOVRNYVdzCkpzVUJzNHN2TmhHektzOC93Vjlj
+            SVU3cUxVUm4wWjJQRWZRdWlRMEU1eUEKLS0tIHRLOEJERXBMd0NFajNjbHhPVVNl
+            b1cyT0RYa3hzbFJjc254bHJMcDIzeTgK/aX6f60NBz6w1TaOFSZDRE7rPniebb75
+            iwO74fJtl5g9WxAG5yByxJ455Uhc2R/+VBbK5BcYFt9cboIgkUrS2A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-25T19:15:08Z"
+    mac: ENC[AES256_GCM,data:ySAOo8j+p9O0v8xYFcjuD6e/pc9LtLxLWC4TdP7mjhdfwwaaoJW96DLEbSYxYN7Co8zHFqdMp5e76SgvhWwP2LNmHLunJ3LNU6u6NSMEFLCSyjAM8KiqB4bTNq7Kf9H2FZbAN58YKXpZEFECJpxoLg2Q9MdRp+BvgURDa2QLZRc=,iv:Ay5vMdrKbNpFyir/N4+mPuOwKwIVupZbeJFKA+DWFDA=,tag:+YUSXQYMfu59oF+hjg0XMg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-badhouseplants/app-gitea/values.yaml

@@ -0,0 +1,176 @@
+# ------------------------------------------
+# -- Kubernetes related values
+# ------------------------------------------
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: ""
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    external-dns.alpha.kubernetes.io/ingress-hostname-source: defined-hosts-only
+  hosts:
+    - host: gitea.badhouseplants.net
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: gitea.badhouseplants.net
+      hosts:
+        - gitea.badhouseplants.net
+replicaCount: 1
+clusterDomain: cluster.local
+resources:
+  limits:
+    memory: 1024Mi
+    cpu: 1
+  requests:
+    cpu: 1
+    memory: 1024Mi
+persistence:
+  enabled: true
+  size: 15Gi
+  accessModes:
+    - ReadWriteOnce
+# ------------------------------------------
+# -- Main Gitea settings
+# ------------------------------------------
+gitea:
+  metrics:
+    enabled: true
+    serviceMonitor:
+      # -- TODO(@allanger): Enable it once prometheus is configured
+      enabled: false
+  config:
+    database:
+      DB_TYPE: postgres
+      HOST: postgres17-postgresql.databases.svc.cluster.local
+      NAME: org-badhouseplants-app-gitea
+      USER: org-badhouseplants-app-gitea
+    APP_NAME: Bad Houseplants Gitea
+    ui:
+      meta:
+        AUTHOR: Bad Houseplants
+        DESCRIPTION: '...by allanger'
+    repository:
+      DEFAULT_BRANCH: main
+      MAX_CREATION_LIMIT: 0
+      DISABLED_REPO_UNITS: repo.wiki
+    service:
+      DISABLE_REGISTRATION: true
+    server:
+      DOMAIN: gitea.badhouseplants.net
+      ROOT_URL: https://gitea.badhouseplants.net
+      LFS_START_SERVER: true
+      LANDING_PAGE: explore
+      START_SSH_SERVER: true
+    storage:
+      STORAGE_TYPE: minio
+      MINIO_ENDPOINT: "s3.badhouseplants.net:443"
+      MINIO_ACCESS_KEY_ID: gitea
+      MINIO_BUCKET: gitea
+      MINIO_LOCATION: us-east-1
+      MINIO_USE_SSL: true
+    admin:
+      DISABLE_REGULAR_ORG_CREATION: true
+    packages:
+      ENABLED: true
+    cron:
+      enabled: true
+    attachment:
+      MAX_SIZE: 100
+    actions:
+      ENABLED: true
+    oauth2_client:
+      REGISTER_EMAIL_CONFIRM: false
+      ENABLE_AUTO_REGISTRATION: true
+    session:
+      PROVIDER: redis
+    cache:
+      ENABLED: true
+      ADAPTER: redis
+    queue:
+      TYPE: redis
+    mailer:
+      ENABLED: true
+      FROM: bot@badhouseplants.net
+      PROTOCOL: smtp+startls
+      SMTP_ADDR: stalwart.badhouseplants.net
+      SMTP_PORT: 587
+      USER: bot
+    indexer:
+      REPO_INDEXER_ENABLED: true
+      REPO_INDEXER_PATH: indexers/repos.bleve
+      MAX_FILE_SIZE: 1048576
+      REPO_INDEXER_EXCLUDE: resources/bin/**
+    picture:
+      ENABLE_FEDERATED_AVATAR: false
+service:
+  ssh:
+    type: ClusterIP
+    port: 22
+    clusterIP:
+extraDeploy:
+  - |-
+    apiVersion: kinda.rocks/v1beta1
+    kind: Database
+    metadata:
+      generation: 1
+      labels:
+        app.kubernetes.io/managed-by: Helm
+      name: {{ include "gitea.fullname" $ }}
+    spec:
+      backup:
+        cron: 0 0 * * *
+        enable: false
+      credentials:
+        templates:
+        - name: CONNECTION_STRING
+          secret: true
+          template: {{` '{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{.Port }}/{{ .Database }}' `}}
+      deletionProtected: true
+      instance: postgres17
+      postgres: {}
+      secretName: {{ include "gitea.fullname" $ }}-db-creds
+  - |-
+    apiVersion: traefik.io/v1alpha1
+    kind: IngressRouteTCP
+    metadata:
+      name: {{ include "gitea.fullname" $ }}-ssh
+    spec:
+      entryPoints:
+      - ssh
+      routes:
+      - match: HostSNI(`*`)
+        services:
+        - name: {{ include "gitea.fullname" $ }}-ssh
+          nativeLB: true
+          port: 22
+
+# ------------------------------------------
+# -- Disabled dependencies
+# ------------------------------------------
+postgresql-ha:
+  enabled: false
+redis-cluster:
+  enabled: false
+
+# extraDeploy:
+#   - |
+#       {{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}
+#       apiVersion: traefik.io/v1alpha1
+#       kind: IngressRouteTCP
+#       metadata:
+#         name: {{ include "gitea.fullname" . }}-ssh
+#       spec:
+#         entryPoints:
+#           - ssh
+#         routes:
+#           - match: HostSNI('*')
+#             services:
+#               - name: "{{ include "gitea.fullname" . }}-ssh"
+#                 port: 22
+#                 nativeLB: true
+#       {{- end }}

values/badhouseplants/org-badhouseplants/app-navidrome-private/secrets.yaml

@@ -0,0 +1,28 @@
+files:
+    rclone-config:
+        enabled: ENC[AES256_GCM,data:3y4DCg==,iv:n+Pfj4j405WR17aY7RbF6lpOQ58ZQmWrH6dgUTQ0jX4=,tag:xbKEnPnASJTl27ch1Hi00g==,type:bool]
+        sensitive: ENC[AES256_GCM,data:DGby8Q==,iv:nibU4CkdcYlT1F7OkgqE1apUuyJA5M9Vj5x40F9zt3w=,tag:oW+jPP7F1vWY5gf0JyrPdw==,type:bool]
+        remove: []
+        entries:
+            rclone.conf:
+                data: ENC[AES256_GCM,data:m4K3yt7no9mnUOzn/iGtaKqBrDXoLCgxEWV8NacXlOvh7c5ngmTmwoxzTaNxbsCQA7dECYb0dFtPvhF33AqgpcbRnqGrK54v8V+NaldQrgT2up4iQfdYA+sh+yNG3QAXU7eOEBvyFctJ+9dEaBII1sF/xFSkcTwrWkQFTQKLDdNIYU9a8ttEysz0cBWWXL3h9Y7C/mBjPdWIhpaf6Z63hy5P0hnYFftZsVM=,iv:qBBk9xMlZl3FriY2oYk4DQB1EKTsl7/qUj4s8naVvts=,tag:tDUKvK8ZuIxVeJjyUUqeXQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxalE3bUtCWmFVejBJMlZq
+            dUg0U0R2VytsZHZ5QlQ4UGdrRmdsWGhWbEI4Clk1WEZ4U1lEdTJoRVBTbEFXaE1O
+            TW1wb0dycS9HeWdQcUx3KzJKb2kwTVUKLS0tIDU1bE9JWnp3Q3U4V0pVOGs4Z3Rq
+            Q1VsM3orOUZmS3lDaFpNN2g0cnllVWMKqZlPfiIFKn8h56gspbbUhpv9RkL5gF73
+            NzqtFJJwQOGaD3lk2ocaLLkvywJ/DKNf7JupTWlmggHijId4hmpytw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-20T15:04:15Z"
+    mac: ENC[AES256_GCM,data:XRmw86oJLHXMAY/SPv6ptQLV1Eocbig6CQSG1SdOO9scMpfgD3tMY43z5aB16DkW+6AG1ti+TS4JRgXKLaSsAmORqRN0yTwGEktiLs0GxhtDvMYwnclj/Cx76WbZyMkgVzCHe7ZsAI+9DrejSFYbB/CzA+8yq1KmMf/L5NWcv7o=,iv:AcYK48ywr2pzNw/HEY5hWOcjdnmnG2/eWp+r/o15Lbk=,tag:HLKLFYFV+7SWUaFYiNUS3g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

values/badhouseplants/org-badhouseplants/app-navidrome-private/values.yaml

@@ -0,0 +1,49 @@
+shortcuts:
+  hostname: navidrome.badhouseplants.net
+ingress:
+  main:
+    annotations:
+      kubernetes.io/ingress.class: traefik
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+env:
+  main:
+    enabled: true
+    sensitive: false
+    remove: []
+    data:
+      ND_MUSICFOLDER: /app/music
+      ND_DATAFOLDER: /app/data
+      ND_LOGLEVEL: info
+      ND_BASEURL: 'https://{{ .Values.shortcuts.hostname }}'
+files:
+  rclone-config:
+    enabled: true
+    sensitive: true
+    remove: []
+    entries:
+      rclone.conf:
+        data: |
+          [music-data]
+          type = s3
+          provider = Minio
+          endpoint = s3.badhouseplants.net
+          location_constraint = us-west-1
+          access_key_id = allanger
+          secret_access_key = fPN3Nv6yDWVnZ7V7eRZ
+  rclone-script:
+    enabled: true
+    sensitive: false
+    remove: []
+    entries:
+      rclone-script:
+        data: |
+          #!/usr/bin/sh
+          while true; do
+            rclone --config /app/rclone.conf sync -P music-data:/music /app/music
+            sleep 10
+          done

values/badhouseplants/org-badhouseplants/app-navidrome/values.yaml

@@ -0,0 +1,54 @@
+middleware:
+  enabled: true
+  middlewares:
+    - name: navidromeauth
+      spec:
+        headers:
+          customRequestHeaders:
+            Remote-User: "guest"
+
+shortcuts:
+  hostname: music.badhouseplants.net
+
+ingress:
+  main:
+    annotations:
+      traefik.ingress.kubernetes.io/router.middlewares: org-badhouseplants-navidromeauth@kubernetescrd
+      kubernetes.io/ingress.class: traefik
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+env:
+  main:
+    enabled: true
+    sensitive: false
+    remove: []
+    data:
+      ND_MUSICFOLDER: /app/music
+      ND_DATAFOLDER: /app/data
+      ND_LOGLEVEL: info
+      ND_BASEURL: 'https://{{ .Values.shortcuts.hostname }}'
+      ND_REVERSEPROXYUSERHEADER: "Remote-User"
+      ND_REVERSEPROXYWHITELIST: "0.0.0.0/0"
+      ND_LASTFM_ENABLED: false
+      ND_LISTENBRAINZ_ENABLED: false
+      ND_ENABLEUSEREDITING: false
+      ND_ENABLEFAVOURITES: false
+      ND_ENABLESTARRATING: false
+      ND_ENABLEEXTERNALSERVICES: false
+      ND_ENABLESHARING: true
+files:
+  rclone-config:
+    enabled: true
+    sensitive: false
+    remove: []
+    entries:
+      rclone.conf:
+        data: |
+          [music-data]
+          type = s3
+          provider = Minio
+          endpoint = s3.badhouseplants.net
+          location_constraint = us-west-1

values/badhouseplants/org-badhouseplants/app-open-strike-2/values.yaml

@@ -0,0 +1,20 @@
+deployAnnotations:
+  keel.sh/policy: force
+  keel.sh/trigger: poll
+  keel.sh/initContainers: 'true'
+
+extra:
+  templates:
+    - |-
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteUDP
+      metadata:
+        name: "{{ .Release.Name }}-game"
+      spec:
+        entryPoints:
+        - game-udp
+        routes:
+        - services:
+          - name: app-open-strike-2-main
+            nativeLB: true
+            port: 27015

values/badhouseplants/org-badhouseplants/app-stalwart/secrets.yaml

@@ -0,0 +1,27 @@
+config:
+    env:
+        secrets:
+            data:
+                SW_ADMIN_SECRET: ENC[AES256_GCM,data:dG2zVmvycL7TZM922XADQ/SwWMBrUvXd+BPwpxIvmaDnjejpEaHUfB0xhpkhZqhAB8M=,iv:5hDpUFLLGLf4VLj8h3weOZhiwJKYORg5uKVgXVXKbgM=,tag:9FQru61B5hDPcIoIUDvUtg==,type:str]
+                MINIO_ACCESS_ID: ENC[AES256_GCM,data:HvZa/kOy8ZI=,iv:T2433k3OmZTmPTx2QWEAELlN7zY37LUynapVWpASrJ0=,tag:Kvr4wIgq5dMmXRJDoxqGxA==,type:str]
+                MINIO_SECRET_KEY: ENC[AES256_GCM,data:Tv5VWQprCKtJCghzhZ8YD8/9,iv:hioZ+d0ns+Hr3pBVyfFWgcuRKDrPQmskSnU0XOMwhzA=,tag:nuFn0qV9UMy2ywiFfx5gHg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGMTZGN2NSYXUzcXNJVUx2
+            YXE3Nk5MbnV1dyttUEtmUExabFYvOGdHcTBRCkM1WE9uNlF1OGh4NnNDL3NabXhi
+            OW1NcDlydUMraTVQV2tjLzVla2tpSnMKLS0tIHN6RXVJTzNvZlkyTmdDb09UTUNy
+            TVJyRVI5U2NmV1VIQTk4cjlYM1htMFkKkxsXzn+7nFiTs3mANqO0+f7/TTGKogFk
+            8ix4OpiA9b33kuqi4Z7bXx4ucyCmlDwtxuHvmOEOyW4yJ9F1cgm+Uw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-15T23:05:04Z"
+    mac: ENC[AES256_GCM,data:Kix/IdONJ79Lj1dc/gigpM7BUPyg7EIsPQzkhtu8+nbIQZQsm0CYqlqPx1V7w0r9vef+rCd/8GX8RdKw0o5ZaDZY5l0nXEi9E7dEtcHTYlrr8fqljcsGRAKmOiBRMkPh0jGTEPlFRtb0Inrn85rWUiMJP12hwIIS0t7GpAydKdI=,iv:1pMdzj1x0Hf65nmZ28Lv7yu6Y+suQKxv274nYl8J3HI=,tag:GQL8HOSswz2N56iNAS9l9w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-badhouseplants/app-stalwart/values.yaml

@@ -0,0 +1,317 @@
+shortcuts:
+  hostname: stalwart.badhouseplants.net
+
+base:
+  workload:
+    initContainers:
+      prepare-config:
+        image:
+          registry: registry.hub.docker.com
+          repository: library/alpine
+          tag: latest
+          pullPolicy: Always
+        volumeMounts:
+          files:
+            config:
+              path: /app/config/config.toml
+              subPath: config.toml
+          extraVolumes:
+            config:
+              path: /app/etc
+        command:
+          - sh
+        args:
+          - -c
+          - cp /app/config/config.toml /app/etc/config.toml && echo "" >> /app/etc/config.toml
+    containers:
+      stalwart:
+        volumeMounts:
+          extraVolumes:
+            certs:
+              path: /app/certs
+            stalwart:
+              path: /opt/stalwart-mail
+            config:
+              path: /opt/stalwart-mail/etc
+
+        envFrom:
+          secrets: {}
+          raw:
+            - secretRef:
+                name: app-stalwart-db-creds-17
+
+extraVolumes:
+  certs:
+    secret:
+      secretName: stalwart.badhouseplants.net
+  stalwart:
+    emptyDir: {}
+  config:
+    emptyDir: {}
+ingress:
+  main:
+    annotations:
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.class: traefik
+      kubernetes.io/ingress.global-static-ip-name: ""
+      kubernetes.io/tls-acme: "true"
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+config:
+  files:
+    config:
+      enabled: true
+      sensitive: false
+      remove: []
+      entries:
+        # Ref: https://github.com/stalwartlabs/mail-server/blob/main/resources/config/config.toml
+        config.toml:
+          data: |-
+            [lookup.default]
+            hostname = "{{ .Values.shortcuts.hostname }}"
+
+            [server.listener."smtp"]
+            bind = ["[::]:25"]
+            protocol = "smtp"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."smtp-startls"]
+            bind = ["[::]:587"]
+            protocol = "smtp"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."smtps"]
+            bind = ["[::]:465"]
+            protocol = "smtp"
+            tls.implicit = true
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."imap"]
+            bind = ["[::]:143"]
+            protocol = "imap"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."imaptls"]
+            bind = ["[::]:993"]
+            protocol = "imap"
+            tls.implicit = true
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener.pop3]
+            bind = "[::]:110"
+            protocol = "pop3"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener.pop3s]
+            bind = "[::]:995"
+            protocol = "pop3"
+            tls.implicit = true
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."sieve"]
+            bind = ["[::]:4190"]
+            protocol = "managesieve"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."https"]
+            protocol = "https"
+            bind = ["[::]:443"]
+            tls.implicit = false
+
+            [server.listener."http"]
+            bind = "[::]:8080"
+            protocol = "http"
+            hsts = true
+
+            [store."minio"]
+            type = "s3"
+            bucket = "stalwart"
+            region = "eu-central-1"
+            access-key = "%{env:MINIO_ACCESS_ID}%"
+            secret-key = "%{env:MINIO_SECRET_KEY}%"
+            endpoint = "https://s3.badhouseplants.net:443"
+            timeout = "30s"
+            key-prefix = "/"
+
+            [store."postgresql"]
+            type = "postgresql"
+            host = "postgres17-postgresql.databases.svc.cluster.local"
+            port = 5432
+            database = "%{env:POSTGRES_DB}%"
+            user = "%{env:POSTGRES_USER}%"
+            password = "%{env:POSTGRES_PASSWORD}%"
+            timeout = "15s"
+
+            [storage]
+            data = "postgresql"
+            fts = "postgresql"
+            blob = "minio"
+            lookup = "postgresql"
+            directory = "internal"
+
+            [directory."internal"]
+            type = "internal"
+            store = "postgresql"
+
+            [authentication.fallback-admin]
+            user = "overlord"
+            secret = "%{env:SW_ADMIN_SECRET}%"
+
+            [tracer.console]
+            type = "console"
+            level = "info"
+            ansi = true
+            enable = true
+
+            [certificate."default"]
+            cert = "%{file:/app/certs/tls.crt}%"
+            private-key = "%{file:/app/certs/tls.key}%"
+
+  env:
+    secrets:
+      enabled: true
+      sensitive: true
+
+extra:
+  templates:
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-smtp"
+      spec:
+        entryPoints:
+        - smtp
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 25
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-smtps"
+      spec:
+        entryPoints:
+        - smtps
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 465
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-smtp-startls"
+      spec:
+        entryPoints:
+        - smtp-startls
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 587
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-imap"
+      spec:
+        entryPoints:
+        - imap
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 143
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-imaps"
+      spec:
+        entryPoints:
+        - imaps
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 993
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-pop3"
+      spec:
+        entryPoints:
+        - pop3
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 110
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-pop3s"
+      spec:
+        entryPoints:
+        - pop3s
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 995
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: kinda.rocks/v1beta1
+      kind: Database
+      metadata:
+        name: "{{ .Release.Name }}-postgres17"
+      spec:
+        secretName: {{ .Release.Name  }}-db-creds-17
+        backup:
+          cron: 0 0 * * *
+          enable: false
+        credentials:
+          templates:
+            - name: POSTGRES_HOST
+              secret: true
+              template: "{{` {{ .Hostname }} `}}"
+            - name: POSTGRES_PORT
+              secret: true
+              template: "{{` {{ .Port }} `}}"
+        deletionProtected: true
+        instance: postgres17
+        postgres: {}

values/badhouseplants/org-badhouseplants/app-tandoor-recipes/secrets.yaml

@@ -0,0 +1,25 @@
+env:
+    secrets:
+        data:
+            SECRET_KEY: ENC[AES256_GCM,data:bLecWaJafPbXT2/dvKt3R2KNfuxxgQ6yLxviYbOf,iv:liuexfgYScH+eg/qSO23SQxE7hKpudgkOH3JRDkaa+A=,tag:DEcAbY6rg7mQnhsnukWtFA==,type:str]
+            SOCIALACCOUNT_PROVIDERS: ENC[AES256_GCM,data:kx9ziZhxWcWTu1UG7BPi/sdG1tHhzugq65xxL3IPVx8i1oHXwy+00KaOEsIYP+TJqX5516Zq6JqtXe9dQwI4uVIy538FdXeEQDHKNS0xesSx8jG0tKa71GiqyQGBrBBxiy144za9y1QHB9k1pvuaza8mVEQOoktmMFfiHzEOhYDQxIzTulOMWxN2ImTsYSupHS6HLR13gDCyROVDzj1Io/U1VHxN5RZBPiqthNiB+/Aj+2FuCwAaxgEE6VVNFJlghi2yiZbl/PvZ3MDT+dAx/NijawVt0qdBBmPvB3jKZkgRN2tyystGiu47hnLosuzjrOjAMA6rP7XkT2gQ5e6hoLlJxWD5IiAHI+gQK7REbyJrEmSwwH0aCVsd1H4FOBNk+rfKpTIr7sRZFTVcZLtUdTZW6EW0XWmrBBPr5jodmouoFZY+dGlWP1vQkG+2eymw5aJCan0oq+x+J9dB+CVZc/2M1zBeRa6Crg7w3smCqOr46jkaRxfoDxV2NdRSla5zkwwFSS7MqPYlqre2oW+pgP7lvRa4MW9++5q+Zg==,iv:RZMNm66PhTWvjJG5jtpJW22TFInHw8LT04qui3fMLgA=,tag:ETMqmFO/8Kve/W55WP21dA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcTM5RTNIakwwZHNrQXE2
+            U2FsK1gwMDhUTDd1MVorbENtQXdnZjYrM1c4CmNQaG5TcU9wK25qQUg5a29UUXBK
+            WlZHK0M0dHEvZWVyZmJzR0RLU1pGWmMKLS0tIGk4TFArQnJyTWJJa3FJRlJhY0do
+            ZE81bENWM3ZUdlR0N2RKMnJkUnJxSG8Ky2ngwj6ZnToGhnAJChU8NXUG+XPPZc2F
+            fOD35BFO5bUNe+V8MkDLae+GQ1hr55r4WnvFpSWywRIjCFYmUJHTgQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-22T12:32:43Z"
+    mac: ENC[AES256_GCM,data:khcLV/lPaY6J5QQmX8466jx9bsXn+NwA3TLIUYs9ipKa539OjIWstwyydVxILSBCwEWGEW86c8EzLBwptBBgg6gehfRJAax5TAn0lBd1lAAiAxZhdNpc2tfoaMaUWfWdpwYjdrtnvAlAkN3/16nvx+TIq7WdU/cWsic96PqhU0A=,iv:I81QvtZ7S+mSAzoXhU0YBMN0L4K+SRHW3UtcSLxwK5s=,tag:gAeAIjyJ13A8gfE7ppBeRg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-badhouseplants/app-tandoor-recipes/values.yaml

@@ -0,0 +1,57 @@
+shortcuts:
+  hostname: tandoor.badhouseplants.net
+ext-database:
+  enabled: true
+  name: tandoor-postgres17
+  instance: postgres17
+  credentials:
+    POSTGRES_HOST: "{{ .Hostname }}"
+    POSTGRES_PORT: "{{ .Port }}"
+workload:
+  kind: Deployment
+  strategy:
+    type: RollingUpdate
+  containers:
+    tandoor:
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+      envFrom:
+        - main
+        - secrets
+        - secretRef:
+            name: tandoor-postgres16-creds
+          extraVolumes:
+            common:
+              path: /opt/recipes
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8080
+        initialDelaySeconds: 10
+        failureThreshold: 30
+        periodSeconds: 10
+ingress:
+  main:
+    class: traefik
+    annotations:
+      kubernetes.io/ingress.class: traefik
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+extraVolumes:
+  common:
+    emptyDir: {}
+env:
+  main:
+    enabled: true
+    sensitive: false
+    data:
+      DB_ENGINE: django.db.backends.postgresql
+      SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
+      REMOTE_USER_AUTH: 1
+      SOCIAL_DEFAULT_ACCESS: 1
+      SOCIAL_DEFAULT_GROUP: guest

values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml

@@ -0,0 +1,31 @@
+config:
+    env:
+        secrets:
+            enabled: ENC[AES256_GCM,data:C4TSoQ==,iv:kG2QtaNWHSc2sdhzo8HnMnPE0Mixqs1dvFsAcke/Gw4=,tag:HhbVmIw5RQ9hipQqZ5J2pw==,type:bool]
+            sensitive: ENC[AES256_GCM,data:0wVOUg==,iv:FGxAd9h2e0LeWukZR/THhCscF3FWoK4dnkrX1mqSC+A=,tag:0rpeedT6x2V79WB5xRNbuA==,type:bool]
+            data:
+                SMTP_USERNAME: ENC[AES256_GCM,data:82zb,iv:Z89+Wt6jGMQTZ73ghk1Ey504WYt2Li9XQ2gaH0SB8tI=,tag:RmqHxghik75E9LAABzyVxA==,type:str]
+                ADMIN_PASSWORD: ENC[AES256_GCM,data:ELi8dtNa/OhQKgrXbrgwHK95ntZjyzRSvQ==,iv:IVZbXZlFyCRMc3bW81Ak9UdjeGke0px9mGqrmaW7EHk=,tag:9xli08c0pqnxu2ktTbCMcg==,type:str]
+                ADMIN_TOKEN: ENC[AES256_GCM,data:CAAalqRcu9vsM1bjC76enJCSX/tc7yOd48mxGV0d5rTFxQz08b4JVhKyMzl7BRog7+PMtJkkTnRIXZHgj31FqhRylmHyuAn3iPc=,iv:PpZvZMhOEt6ecdkBcvAOSz+eZktPAzaAlYNjBSgiN/w=,tag:apHKw66HG7TYnpBNVyM7xA==,type:str]
+                DATABASE_URL: null
+                SMTP_PASSWORD: ENC[AES256_GCM,data:g212PzN9/4hxBKMAWFNiR0qAnPPK/tkffg==,iv:1l6dikIQGSjznW9MsaCTdz0wLJmAhiL0ZOdN2J4Q0yA=,tag:tNbPdORUa6IBWgh0HHaNjA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoLys3dkJDK2lrQ0d4ZlJi
+            eFRTSmx1RUtZRnpxdkNvVFFCeXl6dDcvWXdvCitoNkcwVFFxRVJ6dkNUbGVPb1pU
+            b3E4ZjZibFF6QytNdUhXNDFLZXRpSEUKLS0tIHpZTmFXNnptVzJmZFhIU2haRWhR
+            UjNEN1BlREFVak1xdmQzaFY1dHVyM3cKuvMIrQUL1cuw3Odz/Cv+kZV9ZZzBozSW
+            XimhDSkxNrH5OsGC1Jxz/8JOv8abBs4NROzffVdyqtZZzXOLzw3mJQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-02T08:58:16Z"
+    mac: ENC[AES256_GCM,data:px+D6tlAZU6GzlE8/jLc0BaPyRwsfE1jRROy2mX7bhFTIW3lZqt/zangO46fFH5hXZjY5wLNIktCDbawIbUFwAp0vrmXxctZoAftl9hpdtW6ann3yfyv3pdcs7/BKu3s5QUswx6D13iLU0dvzyG4vGcQNmKpxuPQYLuDp2o74hM=,iv:2Y+wsS7QcgQ/8umZ+a21QjU25Yq24Y7UWjXVy9Gmvoo=,tag:APVtby5NCOQxrPAjIbMJ+w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-badhouseplants/app-vaultwarden/values.yaml

@@ -0,0 +1,63 @@
+shortcuts:
+  hostname: vaultwarden.badhouseplants.net
+
+base:
+  workload:
+    kind: Deployment
+    strategy:
+      type: RollingUpdate
+    containers:
+      vaultwarden:
+        envFrom:
+          raw:
+            - secretRef:
+                name: app-vaultwarden-db-creds-17
+ingress:
+  main:
+    class: traefik
+    metadata:
+      annotations:
+        kubernetes.io/ingress.class: traefik
+        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+        kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.allow-http: "false"
+        kubernetes.io/ingress.global-static-ip-name: ""
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+
+config:
+  env:
+    main:
+      enabled: true
+      sensitive: false
+      data:
+        SMTP_HOST: stalwart.badhouseplants.net
+        SMTP_SECURITY: "starttls"
+        SMTP_PORT: 587
+        SMTP_FROM: bot@badhouseplants.net
+        SMTP_FROM_NAME: Vault Warden
+        SMTP_AUTH_MECHANISM: "Plain"
+        SMTP_ACCEPT_INVALID_HOSTNAMES: "false"
+        SMTP_ACCEPT_INVALID_CERTS: "false"
+        SMTP_DEBUG: false
+        DOMAIN: "{{ .Values.shortcuts.hostname }}"
+        LOG_FILE: /app/logs/log.txt
+
+extra:
+  templates:
+    - |-
+      apiVersion: kinda.rocks/v1beta1
+      kind: Database
+      metadata:
+        name: "{{ .Release.Name }}-postgres17"
+      spec:
+        secretName: "{{ .Release.Name  }}-db-creds-17"
+        instance: postgres17
+        deletionProtected: true
+        backup:
+          enable: false
+          cron: 0 0 * * *
+        credentials:
+          templates:
+            - name: DATABASE_URL
+              template: "{{ `{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}` }}"
+              secret: true

values/badhouseplants/org-onpier/app-memos/values.yaml

@@ -0,0 +1,43 @@
+shortcuts:
+  hostname: notes-onpier.badhouseplants.net
+
+ext-database:
+  enabled: true
+  name: memos-postgres16
+  instance: postgres16
+  credentials:
+    MEMOS_DRIVER: postgres
+    MEMOS_DSN: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
+
+workload:
+  containers:
+    memos:
+      envFrom:
+        - main
+        - secretRef:
+            name: memos-postgres16-creds
+ingress:
+  main:
+    annotations:
+      kubernetes.io/ingress.class: traefik
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+      traefik.ingress.kubernetes.io/router.middlewares: org\-onpier-memosauth@kubernetescrd
+
+ext-secret:
+  enabled: true
+  name: memos-basic-auth
+  data:
+    users: |
+      allanger:$apr1$kNwkQ0S.$9q29sib/xWEp3NDp.tquw/
+
+middleware:
+  enabled: true
+  middlewares:
+    - name: memosauth
+      spec:
+        basicAuth:
+          secret: memos-basic-auth

values/badhouseplants/platform/external-dns/secrets.yaml

@@ -0,0 +1,23 @@
+env:
+    - name: ENC[AES256_GCM,data:iUkU/BNlitD6f6RQ,iv:x5aENGi0aw9gDh2a7h92DfxwQgdbacM3hHtnPVdIKWA=,tag:4vyOlP7XcC1F6pjnUieAuA==,type:str]
+      value: ENC[AES256_GCM,data:cFypu5mF+ktwjNFCBcy0U/1UIt4Fc/CAtH/SngvaaBXY0yinYzaiOQ==,iv:2VQ1Cpmppkz2ylt5NMP84o+0EQkI43jz267HNRjMugg=,tag:co3LJzwxbmxT09km65MVuw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwMXNsQjEwYXdaR0Y3bktt
+            UGFYS09Nc29IR0w0YmpweUtyV2pPbXFPeFJnCjZkclRSVjREanorbk5MKzJybWJI
+            UDlwdlVqWGZockVVeFVrNnZlZGp1NUkKLS0tIDhnUzgxdlFWa1NicVJEUk81cXp5
+            M2xvSjRrNUx5OFRqbUFpSXdyZ04xVzgKMsBwKA8dVSW9BR2jSTBxMPKevual5P8I
+            V+YUcIIUAP1sFjs4jVhTduBSMI/ZSArWYIEX+dQ46oGDLcRzODm9xQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-16T14:21:33Z"
+    mac: ENC[AES256_GCM,data:5nE5vx69ESp0HW0/uxYGp8Lq35Cjb5UpSmNkx1H4ux67K3xs3zEBSrupDuUqzrrj/WFFgTf8fIAnfu//bEUvRqtqkIOb7eTqBlQTCzdKWLMvfwhv3WnfXLljJvZZH+e430z7ayw6psfNbwm5sPr+/sPSijg31xv8x9wN8LfZqno=,iv:BKyKMqQ/eLiDspSlvMh0/I7hKb3xn2BUQhuHwrl+Pfc=,tag:is4SHDuAT2c3Ip2O5ifgWw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/platform/external-dns/values.yaml

@@ -0,0 +1,15 @@
+provider:
+  name: cloudflare
+domainFilters:
+  - badhouseplants.net
+excludeDomains:
+  - ru.badhouseplants.net
+policy: sync
+txtOwnerId: badhp
+txtPrefix: badhp-ext-dns-
+logFormat: json
+logLevel: info
+sources:
+  - service
+  - ingress
+  - crd