chore(deps): update helm release renovate to v39.259.0

Signed-off-by: Nikolai Rodionov <allanger@badhouseplants.net>

.pre-commit-config.yaml

@@ -9,13 +9,13 @@ repos:
       - id: yamlfmt
         exclude: |
           (?x)(
+            ^charts/|
             ^.*secrets.*yaml|
-            ^charts/
           )
-  - repo: https://github.com/codespell-project/codespell
-    rev: v2.2.4
-    hooks:
-      - id: codespell
+          #  - repo: https://github.com/codespell-project/codespell
+          #    rev: v2.2.4
+          #    hooks:
+          #      - id: codespell
   - repo: local
     hooks:
       - id: check-sops-secrets

.sops.yaml

@@ -8,3 +8,7 @@ creation_rules:
     key_groups:
       - age:
           - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+  - path_regex: common/values/secrets.*
+    key_groups:
+      - age:
+          - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8

charts/apply-log/Chart.yaml

@@ -1,6 +0,0 @@
-apiVersion: v2
-name: apply-log
-description: A Helm chart for Kubernetes
-type: application
-version: 0.1.0
-appVersion: "1.16.0"

charts/apply-log/templates/_helpers.tpl

@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "apply-log.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "apply-log.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "apply-log.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "apply-log.labels" -}}
-helm.sh/chart: {{ include "apply-log.chart" . }}
-{{ include "apply-log.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "apply-log.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "apply-log.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "apply-log.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "apply-log.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

charts/apply-log/templates/configmap.yaml

@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Release.Name }}-apply-log
-  namespace: {{ .Release.Namespace }}
-  labels:
-    k8s.badhouseplants.net/configmap-kind: helmfile-apply-log
-    {{- include "apply-log.labels" . | nindent 4 }}
-data:
-  author: {{ .Values.author }}
-  {{- if .Values.ci }}
-  ci: {{ .Values.ci | quote }}
-  {{- else }}
-  {{- with .Values.cdDisabled }}
-  cdDisabled: {{ . | quote }}
-  {{- end }}
-  branch: {{ .Values.branch }}
-  sha: {{ .Values.sha | quote | replace " " "" }}
-  status: {{ .Values.status }}
-  {{- end }}

charts/apply-log/values.yaml

@@ -1,7 +0,0 @@
-name: test
-ci: false
-branch: main
-author: test
-sha: dummy
-status: clean
-cdDisabled: false

charts/issuer/templates/issuer.yaml

@@ -1,10 +1,23 @@
+{{- range $name, $issuer := .Values.clusterIssuers }}
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
   labels:
-    {{- include "issuer.labels" . | nindent 4 }}
-  name: "{{ .Values.name }}"
+    {{- include "issuer.labels" $ | nindent 4 }}
+  name: "{{ $name }}"
 spec:
-  acme:
-{{ .Values.spec | toYaml | indent 2 }}
+{{ $issuer.spec | toYaml | indent 2 }}
+{{- end }}
+{{- range $name, $issuer := .Values.issuers }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    {{- include "issuer.labels" $ | nindent 4 }}
+  name: "{{ $name }}"
+  namespace: {{ $issuer.namespace }}
+spec:
+{{ $issuer.spec | toYaml | indent 2 }}
+{{- end }}

charts/metallb-resources/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: metallb-resources
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

charts/metallb-resources/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "root.name" -}}
+{{- define "metallb-resources.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "root.fullname" -}}
+{{- define "metallb-resources.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "root.chart" -}}
+{{- define "metallb-resources.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "root.labels" -}}
-helm.sh/chart: {{ include "root.chart" . }}
-{{ include "root.selectorLabels" . }}
+{{- define "metallb-resources.labels" -}}
+helm.sh/chart: {{ include "metallb-resources.chart" . }}
+{{ include "metallb-resources.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "root.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "root.name" . }}
+{{- define "metallb-resources.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "metallb-resources.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "root.serviceAccountName" -}}
+{{- define "metallb-resources.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "root.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "metallb-resources.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

charts/metallb-resources/templates/ip_address_pool.tpl

@@ -0,0 +1,7 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: {{ include "metallb-resources.fullname" . }}
+spec:
+  addresses:
+  - {{ .Values.addresses}}

charts/metallb-resources/values.yaml

@@ -0,0 +1 @@
+addresses: 1.1.1.1-1.1.1.1

charts/namespaces/templates/namespaces.yaml

@@ -15,5 +15,24 @@ metadata:
     {{- with $ns.annotations}}
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- if $ns.defaultRegcred }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: regcred
+  namespace: {{ $ns.name }}
+data:
+  .dockerconfigjson: {{ $.Values.defaultRegcred }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default
+  namespace: {{ $ns.name }}
+imagePullSecrets:
+  - name: regcred
+{{- end }}
 {{- end }}
 {{- end }}

charts/root/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

charts/root/Chart.yaml

@@ -1,6 +0,0 @@
-apiVersion: v2
-name: root
-description: A Helm chart for Kubernetes
-type: application
-version: 0.1.5
-appVersion: "1.16.0"

charts/root/templates/root.yaml

@@ -1,25 +0,0 @@
-{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: root
-spec:
-  interval: 30s
-  url: {{ .Values.url }}
-  ref:
-    branch: {{ .Values.branch }}
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: root
-spec:
-  interval: 30s
-  targetNamespace: flux-system
-  sourceRef:
-    kind: GitRepository
-    name: root
-  path: "."
-  prune: false
-  timeout: 1m
-{{- end }}

charts/root/templates/self.yaml

@@ -1,25 +0,0 @@
-{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: root-self
-spec:
-  interval: 30s
-  url: {{ .Values.self.url }}
-  ref:
-    branch: {{ .Values.self.branch }}
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: root-self
-spec:
-  interval: 30s
-  targetNamespace: flux-system
-  sourceRef:
-    kind: GitRepository
-    name: root-self
-  path: "."
-  prune: false
-  timeout: 1m
-{{- end }}

charts/root/values.yaml

@@ -1,5 +0,0 @@
-url: https://git.badhouseplants.net/giantswarm/cluster-example.git
-branch: main
-self:
-  url: git@git.badhouseplants.net:giantswarm/root-config.git
-  branch: master

charts/tf-ocloud/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

charts/tf-ocloud/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: helm-library
-  repository: oci://ghcr.io/allanger/allangers-helm-library
-  version: 0.1.4
-digest: sha256:6306a6a8d3c51b2b5f37cffa88c3731550da789d1ce2317a83a3f9a657310f8e
-generated: "2024-10-16T20:01:59.337767+02:00"

charts/tf-ocloud/Chart.yaml

@@ -1,15 +0,0 @@
-apiVersion: v2
-name: tf-ocloud
-type: application
-version: 0.1.0
-appVersion: 0.1.5
-maintainers:
-  - name: allanger
-    email: allanger@zohomail.com
-    url: https://badhouseplants.net
-dependencies:
-  - name: helm-library
-    version: 0.1.5
-    repository: oci://ghcr.io/allanger/allangers-helm-library
-annotations:
-  allowed_workload_kinds: "Deployment"

charts/tf-ocloud/templates/install.yaml

@@ -1,3 +0,0 @@
-{{ include "lib.component.workload" . }}
-{{ include "lib.component.files" . }}
-{{ include "lib.component.env" . }}

charts/tf-ocloud/values.yaml

@@ -1,67 +0,0 @@
----
-workload:
-  kind: Deployment
-  strategy:
-    type: RollingUpdate
-  securityContext: {}
-  containers:
-    tf:
-      securityContext: {}
-      image:
-        registry: zot.badhouseplants.net
-        repository: badhouseplants/terraform-ocloud
-        tag: 7eae6ec805bc99618a196abf9d4d2e0fd19f75e6
-        pullPolicy: Always
-      envFrom:
-        - main
-      mounts:
-        files:
-          ocloudkey:
-            path: /src/key.pem
-            subPath: key.pem
-          publickey:
-            path: /src/public_key
-            subPath: public-key
-          privatekey:
-            path: /src/ssh_key
-            subPath: ssh-key
-          tfvars:
-            path: /src/terraform.tfvars
-            subPath: terraform.tfvars
-        extraVolumes:
-          dottf:
-            path: /src/.terraform
-
-extraVolumes:
-  dottf:
-    emptyDir: {}
-
-files:
-  ocloudkey:
-    enabled: true
-    sensitive: false
-    remove: []
-    entries:
-      key.pem:
-        data: dummy
-  publickey:
-    enabled: true
-    sensitive: false
-    remove: []
-    entries:
-      public-key:
-        data: dummy
-  privatekey:
-    enabled: true
-    sensitive: false
-    remove: []
-    entries:
-      ssh-key:
-        data: dummy
-  tfvars:
-    enabled: true
-    sensitive: false
-    remove: []
-    entries:
-      terraform.tfvars:
-        data: dummy

common/environments.yaml

@@ -2,6 +2,7 @@ environments:
   badhouseplants:
     kubeContext: badhouseplants
     values:
+      - ./common/values/values.badhouseplants.yaml
       - base:
           enabled: true
       - velero:
@@ -21,10 +22,15 @@ environments:
       - redis:
           enabled: true
       - istio:
-          enabled: false
+          enabled: true
+      - dbOperator:
+          enabled: true
+      - monitoring:
+          enabled: true
   etersoft:
     kubeContext: etersoft
     values:
+      - ./common/values/values.etersoft.yaml
       - base:
           enabled: true
       - velero:
@@ -41,53 +47,11 @@ environments:
           enabled: false
       - redis:
           enabled: false
-      - postgres16:
-          enabled: true
-      - istio:
-          enabled: false
-  xray-1:
-    kubeContext: xray-1
-    values:
-      - base:
-          enabled: false
-      - velero:
-          enabled: false
-      - workload:
-          enabled: false
-      - backups:
-          enabled: false
-      - openebs:
-          enabled: false
-      - localpath:
-          enabled: false
-      - postgres17:
-          enabled: false
-      - redis:
-          enabled: false
       - postgres16:
           enabled: false
       - istio:
           enabled: false
-  xray-2:
-    kubeContext: xray-2
-    values:
-      - base:
+      - dbOperator:
           enabled: false
-      - velero:
-          enabled: false
-      - workload:
-          enabled: false
-      - backups:
-          enabled: false
-      - openebs:
-          enabled: false
-      - localpath:
-          enabled: false
-      - postgres17:
-          enabled: false
-      - redis:
-          enabled: false
-      - postgres16:
-          enabled: false
-      - istio:
+      - monitoring:
           enabled: false

common/repositories.yaml

@@ -1,24 +0,0 @@
-repositories:
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
-  - name: metrics-server
-    url: https://kubernetes-sigs.github.io/metrics-server/
-  - name: jetstack
-    url: https://charts.jetstack.io
-  - name: metallb
-    url: https://metallb.github.io/metallb
-  - name: traefik
-    url: https://traefik.github.io/charts
-  - name: coredns
-    url: https://coredns.github.io/helm
-  - name: cilium
-    url: https://helm.cilium.io/
-  - name: vmware-tanzu
-    url: https://vmware-tanzu.github.io/helm-charts/
-  - name: openebs
-    url: https://openebs.github.io/openebs
-  - name: local-path-provisioner
-    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
-  - name: istio
-    url: https://istio-release.storage.googleapis.com/charts
-

common/templates.yaml

@@ -1,4 +1,10 @@
+helmDefaults:
+  kubeContext: {{ .StateValues.kubeContext }}
+
 templates:
+  # ---------------------------
+  # -- Hooks
+  # ---------------------------
   crd-management-hook:
     hooks:
       - events: ["preapply"]
@@ -22,42 +28,33 @@ templates:
         args:
           - -c
           - "helm show crds {{ `{{ .Release.Chart }}` }} --version {{ `{{ .Release.Version }}` }} | kubectl delete -f - || true"
-  apply-log:
-    disableOpenAPIValidation: true
-    disableValidation: true
-    dependencies:
-      - chart: ./charts/apply-log
-        version: '0.1.0'
-        alias: apply-log
-    set:
-      - name: apply-log.ci
-        value: '{{ env "CI" }}'
-      - name: apply-log.author
-        value: '{{ env "USER" }}'
-      - name: apply-log.branch
-        value: '{{ exec "git" (list "rev-parse" "--abbrev-ref" "HEAD") }}'
-      - name: apply-log.sha
-        value: '{{exec "git" (list "rev-parse" "--short" "HEAD") }}'
-      - name: apply-log.status
-        value: '{{ exec "sh" (list "-c" "test -z $(git status --porcelain) && echo clean || echo dirty") }}'
-  disable-cd:
-    labels:
-      k8s.onpier.de/cd-disabled: 'true'
-    set:
-      - name: apply-log.cdDisabled
-        value: "true"
   # ----------------------------
   # -- Configs
   # ----------------------------
   default-common-values:
     values:
-      - ./values/common/values.{{ `{{ .Release.Name }}` }}.yaml
+      - '{{ requiredEnv "PWD" }}/values/common/values.{{ `{{ .Release.Name }}` }}.yaml'
   default-env-values:
     values:
-      - ./values/{{ .Environment.Name }}/values.{{ `{{ .Release.Name }}` }}.yaml
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/values.{{ `{{ .Release.Name }}` }}.yaml'
   default-env-secrets:
     secrets:
-      - ./values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml'
+  common-values:
+    values:
+      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
+  common-values-tpl:
+    values:
+      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
+  env-values:
+    values:
+      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
+  env-values-tpl:
+    values:
+      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
+  env-secrets:
+    secrets:
+      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
   # ----------------------------
   # -- Extensions
   # ----------------------------
@@ -67,56 +64,56 @@ templates:
         version: 2.0.0
         alias: istio-gateway
     values:
-      - ./values/common/values.istio-gateway.yaml
+      - '{{ requiredEnv "PWD" }}/values/common/values.istio-gateway.yaml'
   ext-tcp-routes:
     dependencies:
       - chart: bedag/raw
         version: 2.0.0
         alias: traefik
     values:
-      - ./values/common/values.tcp-route.yaml
+      - '../values/common/values.tcp-route.yaml'
   ext-udp-routes:
     dependencies:
       - chart: bedag/raw
         version: 2.0.0
         alias: traefik-udp
     values:
-      - ./values/common/values.udp-route.yaml
+      - '{{ requiredEnv "PWD" }}/values/common/values.udp-route.yaml'
   ext-traefik-middleware:
     dependencies:
       - chart: bedag/raw
         version: 2.0.0
         alias: middleware
     values:
-      - ./values/common/values.middleware.yaml
+      - '{{ requiredEnv "PWD" }}/values/common/values.middleware.yaml'
   ext-istio-resource:
     dependencies:
       - chart: bedag/raw
         version: 2.0.0
         alias: istio
     values:
-      - ./values/common/values.istio.yaml
+      - '{{ requiredEnv "PWD" }}/values/common/values.istio.yaml'
   ext-certificate:
     dependencies:
       - chart: bedag/raw
         version: 2.0.0
         alias: certificate
     values:
-      - ./values/common/values.certificate.yaml
+      - '{{ requiredEnv "PWD" }}/values/common/values.certificate.yaml'
   ext-metallb:
     dependencies:
       - chart: bedag/raw
         version: 2.0.0
         alias: metallb
     values:
-      - ./common/extensions/metallb.yaml
+      - '{{ requiredEnv "PWD" }}/common/extensions/metallb.yaml'
   service-monitor:
     dependencies:
       - chart: bedag/raw
         version: 2.0.0
         alias: service-monitor
     values:
-      - ./values/common/values.service-monitor.yaml
+      - '{{ requiredEnv "PWD" }}/values/common/values.service-monitor.yaml'
   namespace:
     dependencies:
       - chart: bedag/raw
@@ -131,18 +128,25 @@ templates:
         version: 2.0.0
         alias: ext-database
     values:
-      - ./values/common/values.database.yaml
+      - '../values/common/values.database.yaml'
   ext-secret:
     dependencies:
       - chart: bedag/raw
         version: 2.0.0
         alias: ext-secret
     values:
-      - ./values/common/values.secret.yaml
+      - '{{ requiredEnv "PWD" }}/values/common/values.secret.yaml'
   ext-cilium:
     dependencies:
       - chart: bedag/raw
         version: 2.0.0
         alias: ext-cilium
     values:
-      - ./values/common/values.ext-cilium.yaml
+      - '{{ requiredEnv "PWD" }}/values/common/values.ext-cilium.yaml'
+  ext-self-signed-cert:
+    dependencies:
+      - chart: bedag/raw
+        version: 2.0.0
+        alias: ext-self-signed-cert
+    values:
+      - '{{ requiredEnv "PWD" }}/common/extensions/self-signed-cert.yaml'

common/values/values.badhouseplants.yaml

@@ -1,4 +1,6 @@
-namespaces:
-  kubeSystem: kube-system
-  kubePublic: kube-public
-  
+registry: registry.badhouseplants.net/containers
+registry_url: registry.badhouseplants.net
+main_ip: 195.201.249.91
+tools:
+  openebs:
+    enabled: true

common/values/values.etersoft.yaml

@@ -0,0 +1,6 @@
+registry: registry.ru.badhouseplants.net/containers
+registry_url: registry.ru.badhouseplants.net
+main_ip: 91.232.225.63
+tools:
+  openebs:
+    enabled: false

helmfile.yaml

@@ -1,158 +0,0 @@
-bases:
-  - ./common/environments.yaml
-  - ./common/templates.yaml
-  - ./common/repositories.yaml
-helmDefaults:
-  postRenderer: ./scripts/post_render_apply_log.sh
-releases:
-  # -------------------------------------------------------------------
-  # -- Bootstrap the cluster resources
-  # -------------------------------------------------------------------
-  # -- Prepare all the required namespaces
-  - name: namespaces
-    postRendererArgs:
-      - "{{` {{ . }} `}}"
-    chart: ./charts/namespaces
-    namespace: kube-public
-    createNamespace: false
-    inherit:
-      - template: default-env-values
-
-  # -------------------------------------------------------------------
-  # -- Prepare all the required roles
-  - name: roles
-    chart: ./charts/roles
-    namespace: kube-public
-    createNamespace: false
-    needs:
-      - kube-public/namespaces
-    inherit:
-      - template: default-env-values
-      - template: apply-log
-        # -------------------------------------------------------------------
-        # -- Deploy the core cluster workload
-        # -------------------------------------------------------------------
-
-  - name: coredns
-    chart: coredns/coredns
-    version: 1.37.0
-    namespace: kube-system
-    inherit:
-      - template: default-common-values
-      - template: apply-log
-
-  - name: cilium
-    chart: cilium/cilium
-    version: 1.16.4
-    condition: base.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/coredns
-    inherit:
-      - template: default-env-values
-      - template: apply-log
-
-  - name: cert-manager
-    chart: jetstack/cert-manager
-    version: v1.16.2
-    namespace: kube-system
-    condition: base.enabled
-    missingFileHandler: Warn
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-common-values
-      - template: default-env-values
-      - template: apply-log
-
-  - name: issuer
-    chart: ./charts/issuer
-    namespace: kube-public
-    missingFileHandler: Warn
-    condition: base.enabled
-    needs:
-      - kube-system/cert-manager
-    inherit:
-      - template: default-common-values
-      - template: default-env-values
-      - template: apply-log
-
-  - name: metrics-server
-    chart: metrics-server/metrics-server
-    version: 3.12.2
-    namespace: kube-system
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-common-values
-      - template: apply-log
-
-  - name: metallb
-    chart: metallb/metallb
-    namespace: kube-system
-    condition: base.enabled
-    version: 0.14.8
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-common-values
-      - template: apply-log
-
-  - name: metallb-resources
-    chart: bedag/raw
-    version: 2.0.0
-    condition: base.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/metallb
-    inherit:
-      - template: ext-metallb
-      - template: default-env-values
-      - template: apply-log
-
-  - name: traefik
-    chart: traefik/traefik
-    version: 33.1.0
-    condition: base.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-common-values
-      - template: default-env-values
-      - template: apply-log
-
-  - name: velero
-    chart: vmware-tanzu/velero
-    namespace: velero
-    version: 8.1.0
-    condition: velero.enabled
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: crd-management-hook
-      - template: apply-log
-
-  - name: openebs
-    chart: openebs/openebs
-    condition: openebs.enabled
-    namespace: kube-system
-    version: 4.1.1
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-      - template: apply-log
-
-  # -- Not versions since it's idnstalled from git
-  - name: local-path-provisioner
-    chart: local-path-provisioner/local-path-provisioner
-    condition: localpath.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-      - template: apply-log

helmfile.yaml.gotmpl

@@ -0,0 +1,29 @@
+---
+bases:
+  - ./common/environments.yaml
+---
+helmfiles:
+  - path: ./helmfiles/base.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}
+  - path: ./helmfiles/system.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}
+  - path: ./helmfiles/platform.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}
+  - path: ./helmfiles/databases.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}
+  - path: ./helmfiles/monitoring.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}
+  - path: ./helmfiles/{{ .Environment.Name }}-applications.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}

helmfiles/applications.yaml

@@ -0,0 +1,28 @@
+bases:
+  - ../common/templates.yaml
+
+repositories:
+  - name: gitea
+    url: https://dl.gitea.io/charts/
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/
+  - name: minecraft
+    url: https://itzg.github.io/minecraft-server-charts/
+
+releases:
+  - name: app-gitea
+    chart: gitea/gitea
+    version: 11.0.1
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: minecraft
+    chart: minecraft/minecraft
+    namespace: games
+    version: 4.26.3
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets

helmfiles/badhouseplants-applications.yaml

@@ -0,0 +1,144 @@
+bases:
+  - ../common/templates.yaml
+
+repositories:
+  - name: gitea
+    url: https://dl.gitea.io/charts/
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/
+  - name: minecraft
+    url: https://itzg.github.io/minecraft-server-charts/
+  - name: allangers-charts
+    url: ghcr.io/allanger/allangers-charts
+    oci: true
+  - name: woodpecker
+    url: https://woodpecker-ci.org
+  - name: renovate
+    url: https://docs.renovatebot.com/helm-charts
+  - name: badhouseplants-helm
+    url: git+https://gitea.badhouseplants.net/badhouseplants/badhouseplants-helm@charts?ref=main
+
+releases:
+  - name: app-gitea
+    chart: gitea/gitea
+    version: 11.0.1
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: minecraft
+    chart: minecraft/minecraft
+    namespace: games
+    version: 4.26.3
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
+  - name: app-vaultwarden
+    chart: allangers-charts/vaultwarden
+    version: 3.1.1
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: app-stalwart
+    chart: allangers-charts/stalwart
+    version: 1.2.0
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: app-tandoor-recipes
+    chart: allangers-charts/tandoor-recipes
+    version: 0.2.0
+    namespace: org-allanger
+    inherit:
+      - template: env-values
+      - template: env-secrets
+      - template: ext-database
+
+  - name: app-navidrome
+    chart: allangers-charts/navidrome
+    namespace: org-badhouseplants
+    version: 0.56.0
+    inherit:
+      - template: env-values
+      - template: ext-traefik-middleware
+
+  - name: app-navidrome-private
+    chart: allangers-charts/navidrome
+    namespace: org-badhouseplants
+    version: 0.56.0
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: memos
+    chart: allangers-charts/memos
+    version: 0.4.0
+    namespace: applications
+    inherit:
+      - template: env-values
+      - template: ext-database
+
+  - name: badhouseplants-net
+    chart: badhouseplants-helm/badhouseplants-net
+    namespace: production
+    values:
+      - deployAnnotations:
+          keel.sh/policy: force
+          keel.sh/trigger: poll
+          keel.sh/initContainers: 'true'
+
+  - name: server-xray-public-edge
+    chart: allangers-charts/server-xray
+    installed: true
+    namespace: public-xray
+    version: 0.7.0
+    inherit:
+      - template: env-secrets
+      - template: env-values
+      - template: ext-tcp-routes
+      - template: ext-cilium
+      - template: ext-certificate
+
+  - name: server-xray-public
+    chart: allangers-charts/server-xray
+    namespace: public-xray
+    version: 0.7.0
+    inherit:
+      - template: env-secrets
+      - template: env-values
+      - template: ext-tcp-routes
+      - template: ext-cilium
+      - template: ext-certificate
+
+  - name: woodpecker-ci
+    chart: woodpecker/woodpecker
+    namespace: pipelines
+    version: 3.1.0
+    inherit:
+      - template: ext-database
+      - template: env-values
+      - template: env-secrets
+
+  - name: renovate-gitea
+    chart: renovate/renovate
+    namespace: pipelines
+    version: 39.259.0
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: renovate-github
+    chart: renovate/renovate
+    installed: true
+    namespace: pipelines
+    version: 39.259.0
+    inherit:
+      - template: env-values
+      - template: env-secrets

helmfiles/base.yaml

@@ -0,0 +1,21 @@
+bases:
+  - ../common/templates.yaml
+
+releases:
+  # -- This one must be executed with --take-ownership at least once
+  - name: namespaces
+    chart: ../charts/namespaces
+    namespace: kube-system
+    createNamespace: false
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: roles
+    chart: ../charts/roles
+    namespace: kube-system
+    createNamespace: false
+    needs:
+      - kube-system/namespaces
+    inherit:
+      - template: env-values

helmfiles/databases.yaml

@@ -1,21 +1,25 @@
 bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
+  - ../common/templates.yaml
+
 repositories:
   - name: bitnami
     url: registry-1.docker.io/bitnamicharts
     oci: true
   - name: bedag
     url: https://bedag.github.io/helm-charts/
+commonLabels:
+  installation: databases
 releases:
   - name: redis
     chart: bitnami/redis
     namespace: databases
     condition: redis.enabled
-    version: 20.4.0
+    version: 20.13.2
     inherit:
-      - template: default-env-values
-      - template: default-env-secrets
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
   - name: postgres16
     labels:
       bundle: postgres
@@ -24,15 +28,18 @@ releases:
     condition: postgres16.enabled
     version: 15.5.38
     inherit:
-      - template: default-env-values
-      - template: default-env-secrets
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
   - name: postgres17
     labels:
       bundle: postgres
     namespace: databases
     chart: bitnami/postgresql
     condition: postgres17.enabled
-    version: 16.0.6
+    version: 16.3.4
     inherit:
-      - template: default-env-values
-      - template: default-env-secrets
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets

helmfiles/etersoft-applications.yaml

@@ -0,0 +1,58 @@
+bases:
+  - ../common/templates.yaml
+repositories:
+  - name: allangers-charts
+    url: ghcr.io/allanger/allangers-charts
+    oci: true
+  - name: gabe565
+    url: ghcr.io/gabe565/charts
+    oci: true
+  - name: xray-docs
+    url: git+https://gitea.badhouseplants.net/badhouseplants/xray-docs.git@helm?ref=main
+
+releases:
+  - name: qbittorrent
+    chart: gabe565/qbittorrent
+    version: 0.4.1
+    namespace: applications
+    inherit:
+      - template: env-values
+      - template: ext-secret
+      - template: ext-traefik-middleware
+  - name: vaultwardentest
+    chart: allangers-charts/vaultwarden
+    version: 3.1.1
+    namespace: applications
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: memos
+    chart: allangers-charts/memos
+    version: 0.4.0
+    namespace: applications
+    inherit:
+      - template: env-values
+
+  - name: external-service-xray
+    chart: ../kustomizations/external-service-xray
+    installed: true
+    namespace: public-xray
+
+  - name: server-xray-public
+    chart: allangers-charts/server-xray
+    namespace: public-xray
+    version: 0.7.0
+    inherit:
+      - template: env-secrets
+      - template: env-values
+      - template: ext-tcp-routes
+      - template: ext-cilium
+      - template: ext-certificate
+
+  - name: xray-docs
+    chart: xray-docs/xray-docs
+    installed: true
+    namespace: public-xray
+    inherit:
+      - template: env-values

helmfiles/monitoring.yaml

@@ -1,6 +1,6 @@
 bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
+  - ../common/templates.yaml
+
 repositories:
   - name: bedag
     url: https://bedag.github.io/helm-charts/
@@ -8,34 +8,39 @@ repositories:
     url: https://prometheus-community.github.io/helm-charts
   - name: grafana
     url: https://grafana.github.io/helm-charts
+
 releases:
   - name: prometheus
     chart: prometheus-community/kube-prometheus-stack
     namespace: observability
-    version: 66.3.1
+    condition: monitoring.enabled
+    version: 70.8.0
     inherit:
-      - template: default-env-values
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets
       - template: crd-management-hook
   - name: grafana
     chart: grafana/grafana
     namespace: observability
-    version: 8.6.4
+    condition: monitoring.enabled
+    version: 8.13.1
     installed: true
     inherit:
-      - template: default-env-values
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets
   - name: loki
     chart: grafana/loki
+    condition: monitoring.enabled
     namespace: observability
-    version: 6.23.0
+    version: 6.29.0
     inherit:
-      - template: default-env-values
+      - template: env-values
       - template: ext-secret
       - template: ext-traefik-middleware
   - name: promtail
     chart: grafana/promtail
+    condition: monitoring.enabled
     namespace: observability
     version: 6.16.6
     inherit:
-      - template: default-env-values
+      - template: env-values

helmfiles/pipelines.yaml

@@ -1,6 +1,6 @@
 bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
+  - ../common/templates.yaml
+
 repositories:
   - name: woodpecker
     url: https://woodpecker-ci.org
@@ -8,26 +8,28 @@ repositories:
     url: https://docs.renovatebot.com/helm-charts
   - name: bedag
     url: https://bedag.github.io/helm-charts/
+
 releases:
   - name: woodpecker-ci
     chart: woodpecker/woodpecker
     namespace: pipelines
-    version: 2.0.2
+    version: 3.1.0
     inherit:
       - template: ext-database
-      - template: default-env-values
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets
   - name: renovate-gitea
     chart: renovate/renovate
     namespace: pipelines
-    version: 39.57.4
+    version: 39.259.0
     inherit:
-      - template: default-env-values
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets
   - name: renovate-github
     chart: renovate/renovate
+    installed: true
     namespace: pipelines
-    version: 39.57.4
+    version: 39.259.0
     inherit:
-      - template: default-env-values
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets

helmfiles/platform.yaml

@@ -0,0 +1,125 @@
+bases:
+  - ../common/templates.yaml
+
+repositories:
+  - name: keel
+    url: https://keel-hq.github.io/keel/
+  - name: uptime-kuma
+    url: https://helm.irsigler.cloud
+  - name: external-dns
+    url: https://kubernetes-sigs.github.io/external-dns/
+  - name: minio-standalone
+    url: https://charts.min.io/
+  - name: db-operator
+    url: https://db-operator.github.io/charts
+  - name: zot
+    url: https://zotregistry.dev/helm-charts/
+  - name: goauthentik
+    url: https://charts.goauthentik.io/
+  - name: flux-community
+    url: ghcr.io/fluxcd-community/charts
+    oci: true
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/
+  - name: argo
+    url: https://argoproj.github.io/argo-helm
+
+releases:
+  - name: external-dns
+    chart: external-dns/external-dns
+    version: 1.16.1
+    namespace: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
+  - name: flux2
+    chart: flux-community/flux2
+    installed: false
+    version: 2.15.0
+    namespace: flux-system
+    inherit:
+      - template: common-values-tpl
+
+  - name: argocd
+    chart: argo/argo-cd
+    version: 7.8.28
+    namespace: argocd
+    installed: false
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: keel
+    chart: keel/keel
+    version: v1.0.5
+    labels:
+      layer: platform
+    namespace: platform
+    inherit:
+      - template: common-values-tpl
+
+  - name: uptime-kuma
+    chart: uptime-kuma/uptime-kuma
+    version: 2.21.2
+    namespace: platform
+    labels:
+      layer: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+
+  - name: minio
+    chart: minio-standalone/minio
+    version: 5.4.0
+    namespace: platform
+    labels:
+      layer: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
+  - name: db-operator
+    namespace: platform
+    chart: db-operator/db-operator
+    condition: dbOperator.enabled
+    version: 1.35.0
+    inherit:
+      - template: common-values-tpl
+
+  - name: db-instances
+    chart: db-operator/db-instances
+    condition: dbOperator.enabled
+    namespace: platform
+    needs:
+      - platform/db-operator
+    version: 2.4.0
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: zot
+    chart: zot/zot
+    version: 0.1.68
+    namespace: platform
+    condition: workload.enabled
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
+  - name: authentik
+    chart: goauthentik/authentik
+    version: 2025.2.4
+    namespace: platform
+    createNamespace: false
+    condition: workload.enabled
+    needs:
+      - platform/db-operator
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+      - template: ext-database

helmfiles/system.yaml

@@ -1,10 +1,13 @@
 bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
+  - ../common/templates.yaml
 
 repositories:
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
+  - name: coredns
+    url: https://coredns.github.io/helm
+  - name: zot
+    url: https://zotregistry.dev/helm-charts/
+  - name: cilium
+    url: https://helm.cilium.io/
   - name: metrics-server
     url: https://kubernetes-sigs.github.io/metrics-server/
   - name: jetstack
@@ -13,171 +16,166 @@ repositories:
     url: https://metallb.github.io/metallb
   - name: traefik
     url: https://traefik.github.io/charts
-  - name: coredns
-    url: https://coredns.github.io/helm
-  - name: cilium
-    url: https://helm.cilium.io/
+  - name: local-path-provisioner
+    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
+  - name: kyverno
+    url: https://kyverno.github.io/kyverno/
   - name: vmware-tanzu
     url: https://vmware-tanzu.github.io/helm-charts/
   - name: openebs
     url: https://openebs.github.io/openebs
-  - name: local-path-provisioner
-    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
   - name: istio
     url: https://istio-release.storage.googleapis.com/charts
 
 releases:
-  - name: namespaces
-    chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
-    namespace: kube-public
-    createNamespace: false
-    inherit:
-      - template: default-env-values
-      - template: apply-log
-
-  - name: roles
-    chart: '{{ requiredEnv "PWD" }}/charts/roles'
-    namespace: kube-public
-    createNamespace: false
-    needs:
-      - kube-public/namespaces
-    inherit:
-      - template: default-env-values
-
   - name: coredns
     chart: coredns/coredns
-    version: 1.37.0
+    version: 1.40.0
     namespace: kube-system
     inherit:
-      - template: default-common-values
+      - template: common-values-tpl
 
   - name: cilium
     chart: cilium/cilium
-    version: 1.16.4
-    condition: base.enabled
+    version: 1.17.3
     namespace: kube-system
     needs:
       - kube-system/coredns
     inherit:
-      - template: default-env-values
+      - template: common-values
+      - template: common-values-tpl
 
   - name: cert-manager
     chart: jetstack/cert-manager
-    version: v1.16.2
+    version: v1.17.2
     namespace: kube-system
-    condition: base.enabled
     missingFileHandler: Warn
     needs:
       - kube-system/cilium
     inherit:
-      - template: default-common-values
-      - template: default-env-values
+      - template: common-values
+      - template: common-values-tpl
 
   - name: issuer
-    chart: '{{ requiredEnv "PWD" }}/charts/issuer'
-    namespace: kube-public
+    chart: ../charts/issuer
+    namespace: kube-system
     missingFileHandler: Warn
-    condition: base.enabled
     needs:
       - kube-system/cert-manager
     inherit:
-      - template: default-common-values
-      - template: default-env-values
+      - template: common-values
 
-  - name: metrics-server
-    chart: metrics-server/metrics-server
-    version: 3.12.2
+  - name: local-path-provisioner
+    chart: local-path-provisioner/local-path-provisioner
     namespace: kube-system
+    inherit:
+      - template: common-values-tpl
+
+  - name: kyverno
+    chart: kyverno/kyverno
+    namespace: kyverno
+    version: 3.4.0
     needs:
       - kube-system/cilium
     inherit:
-      - template: default-common-values
+      - template: common-values-tpl
+
+  - name: kyverno-policies
+    chart: kyverno/kyverno-policies
+    namespace: kyverno
+    version: 3.4.0
+    needs:
+      - kyverno/kyverno
+
+  - name: custom-kyverno-policies
+    chart: ../kustomizations/kyverno/{{ .Environment.Name }}
+    namespace: kyverno
+    needs:
+      - kyverno/kyverno
 
   - name: metallb
     chart: metallb/metallb
     namespace: kube-system
     condition: base.enabled
-    version: 0.14.8
+    version: 0.14.9
     needs:
-      - kube-system/cilium
+      - registry/cluster-mirror
     inherit:
-      - template: default-common-values
+      - template: common-values
+      - template: common-values-tpl
 
   - name: metallb-resources
-    chart: bedag/raw
+    chart: ../charts/metallb-resources
     version: 2.0.0
     condition: base.enabled
     namespace: kube-system
     needs:
       - kube-system/metallb
     inherit:
-      - template: ext-metallb
-      - template: default-env-values
+      - template: common-values-tpl
 
   - name: traefik
     chart: traefik/traefik
-    version: 33.1.0
+    version: 35.1.0
     condition: base.enabled
     namespace: kube-system
+    inherit:
+      - template: common-values-tpl
+      - template: common-values
+      - template: env-values
+
+  - name: cluster-mirror
+    chart: zot/zot
+    version: 0.1.68
+    createNamespace: false
+    installed: true
+    namespace: registry
     needs:
       - kube-system/cilium
     inherit:
-      - template: default-common-values
-      - template: default-env-values
+      - template: common-values-tpl
+      - template: env-secrets
+
+  - name: metrics-server
+    chart: metrics-server/metrics-server
+    version: 3.12.2
+    namespace: kube-system
+    needs:
+      - registry/cluster-mirror
+    inherit:
+      - template: common-values-tpl
+
+  - name: openebs
+    chart: openebs/openebs
+    condition: tools.openebs.enabled
+    namespace: kube-system
+    version: 4.2.0
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
 
   - name: velero
     chart: vmware-tanzu/velero
     namespace: velero
-    version: 8.1.0
+    version: 9.0.1
     condition: velero.enabled
-    needs:
-      - kube-system/cilium
     inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: crd-management-hook
-
-  - name: openebs
-    chart: openebs/openebs
-    condition: openebs.enabled
-    namespace: kube-system
-    version: 4.1.1
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-
-  # -- Not versions since it's idnstalled from git
-  - name: local-path-provisioner
-    chart: local-path-provisioner/local-path-provisioner
-    condition: localpath.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
 
   - name: istio-base
     chart: istio/base
-    condition: istio.enabled
     namespace: istio-system
+    version: 1.25.2
     inherit:
-      - template: crd-management-hook
-
-  - name: istio-ingressgateway
-    chart: istio/gateway
-    condition: istio.enabled
-    namespace: istio-system
-    needs:
-      - istio-system/istio-base
-    inherit:
-      - template: default-env-values
+      - template: common-values
 
   - name: istiod
     chart: istio/istiod
-    condition: istio.enabled
     namespace: istio-system
+    version: 1.25.2
     inherit:
-      - template: default-env-values
+      - template: common-values-tpl
     needs:
       - istio-system/istio-base

installations/applications/helmfile-badhouseplants.yaml

@@ -1,134 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-repositories:
-  - name: softplayer-oci
-    url: zot.badhouseplants.net/softplayer/helm
-    oci: true
-  - name: allanger-oci
-    url: zot.badhouseplants.net/allanger/helm
-    oci: true
-  - name: requarks
-    url: https://charts.js.wiki
-  - name: ananace-charts
-    url: https://ananace.gitlab.io/charts
-  - name: gitea
-    url: https://dl.gitea.io/charts/
-  - name: mailu
-    url: https://mailu.github.io/helm-charts/
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
-  - name: bitnami
-    url: https://charts.bitnami.com/bitnami
-  - name: allangers-charts
-    url: ghcr.io/allanger/allangers-charts
-    oci: true
-  - name: robjuz
-    url: https://robjuz.github.io/helm-charts/
-  - name: badhouseplants-helm
-    url: git+https://gitea.badhouseplants.net/badhouseplants/badhouseplants-helm@charts?ref=main
-releases:
-  - name: funkwhale
-    chart: ananace-charts/funkwhale
-    namespace: applications
-    installed: false
-    version: 2.0.5
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-  - name: gitea
-    chart: gitea/gitea
-    version: 10.6.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-      - template: ext-tcp-routes
-  - name: openvpn
-    chart: allangers-charts/openvpn
-    version: 0.0.2
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: ext-tcp-routes
-  - name: vaultwarden
-    chart: allangers-charts/vaultwarden
-    version: 2.3.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-  - name: stalwart
-    chart: allangers-charts/stalwart
-    version: 0.4.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-tcp-routes
-  - name: navidrome
-    chart: allangers-charts/navidrome
-    namespace: applications
-    version: 0.2.0
-    inherit:
-      - template: default-env-values
-      - template: ext-traefik-middleware
-  - name: navidrome-private
-    chart: allangers-charts/navidrome
-    namespace: applications
-    version: 0.2.0
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-  - name: server-xray-public
-    chart: allangers-charts/server-xray
-    namespace: public-xray
-    version: 0.4.0
-    inherit:
-      - template: default-env-secrets
-      - template: default-env-values
-      - template: ext-tcp-routes
-      - template: ext-cilium
-      - template: ext-certificate
-  - name: server-xray-public-edge
-    chart: allangers-charts/server-xray
-    installed: true
-    namespace: public-xray
-    version: 0.4.0
-    inherit:
-      - template: default-env-secrets
-      - template: default-env-values
-      - template: ext-tcp-routes
-      - template: ext-cilium
-      - template: ext-certificate
-  - name: vaultwardentest
-    chart: allangers-charts/vaultwarden
-    version: 2.4.0
-    namespace: applications
-    installed: false
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-
-  - name: tandoor-recipes
-    chart: allangers-charts/tandoor-recipes
-    installed: false
-    version: 0.1.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-
-  - name: badhouseplants-net
-    chart: badhouseplants-helm/badhouseplants-net
-    namespace: production
-    values:
-      - deployAnnotations:
-          keel.sh/policy: force
-          keel.sh/trigger: poll
-          keel.sh/initContainers: 'true'

installations/applications/helmfile-etersoft.yaml

@@ -1,60 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-repositories:
-  - name: allangers-charts
-    url: ghcr.io/allanger/allangers-charts
-    oci: true
-  - name: gabe565
-    url: ghcr.io/gabe565/charts
-    oci: true
-releases:
-  - name: openvpn
-    chart: allangers-charts/openvpn
-    version: 0.0.2
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: ext-tcp-routes
-  - name: qbittorrent
-    chart: gabe565/qbittorrent
-    version: 0.4.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: ext-secret
-      - template: ext-traefik-middleware
-  - name: vaultwardentest
-    chart: allangers-charts/vaultwarden
-    version: 2.4.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-  - name: tf-ocloud
-    chart: ../../charts/tf-ocloud
-    namespace: pipelines
-    installed: false
-    inherit:
-      - template: default-env-secrets
-
-  - name: nrodionov
-    chart: bitnami/wordpress
-    version: 23.1.28
-    namespace: applications
-    installed: true
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-  - name: server-xray-public-bridge
-    chart: allangers-charts/server-xray
-    installed: true
-    namespace: public-xray
-    version: 0.4.0
-    inherit:
-      - template: default-env-secrets
-      - template: default-env-values
-      - template: ext-tcp-routes
-      - template: ext-cilium
-      - template: ext-certificate

installations/applications/helmfile-xray-1.yaml

@@ -1,23 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-repositories:
-  - name: allangers-charts
-    url: ghcr.io/allanger/allangers-charts
-    oci: true
-releases:
-  - name: server-xray-public
-    chart: allangers-charts/server-xray
-    namespace: public-xray
-    version: 0.4.0
-    inherit:
-      - template: default-env-secrets
-      - template: default-env-values
-      - template: ext-self-signed-cert
-  - name: promtail
-    chart: grafana/promtail
-    namespace: promtail
-    version: 6.16.6
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets

installations/applications/helmfile-xray-2.yaml

@@ -1,16 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-repositories:
-  - name: allangers-charts
-    url: ghcr.io/allanger/allangers-charts
-    oci: true
-releases:
-  - name: server-xray-public
-    chart: allangers-charts/server-xray
-    namespace: public-xray
-    version: 0.4.0
-    inherit:
-      - template: default-env-secrets
-      - template: default-env-values
-      - template: ext-self-signed-cert

installations/applications/helmfile.yaml

@@ -1,6 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-
-helmfiles:
-  - ./helmfile-{{ `{{ .Environment.Name }}` }}.yaml

installations/development/helmfile.yaml

@@ -1,9 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-repositories:
-  - name: argo
-    url: https://argoproj.github.io/argo-helm
-releases:
-  - name: badhouseplants
-    namespace: platform

installations/games/helmfile.yaml

@@ -1,29 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-repositories:
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
-  - name: minecraft
-    url: https://itzg.github.io/minecraft-server-charts/
-  - name: allangers-charts
-    url: ghcr.io/allanger/allangers-charts
-    oci: true
-releases:
-  - name: minecraft
-    chart: minecraft/minecraft
-    namespace: games
-    version: 4.23.6
-    inherit:
-      - template: ext-tcp-routes
-      - template: default-env-values
-      - template: default-env-secrets
-
-  - name: team-fortress-2
-    chart: allangers-charts/team-fortress-2
-    namespace: team-fortress-2
-    version: 0.1.2
-    inherit:
-      - template: ext-tcp-routes
-      - template: default-env-values
-      - template: default-env-secrets

installations/platform/helmfile.yaml

@@ -1,114 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-
-repositories:
-  - name: argo
-    url: https://argoproj.github.io/argo-helm
-  - name: db-operator
-    url: https://db-operator.github.io/charts
-  - name: zot
-    url: https://zotregistry.dev/helm-charts/
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
-  - name: crossplane-stable
-    url: https://charts.crossplane.io/stable
-  - name: goauthentik
-    url: https://charts.goauthentik.io/
-  - name: minio-standalone
-    url: https://charts.min.io/
-  - name: kyverno
-    url: https://kyverno.github.io/kyverno/
-  - name: external-dns
-    url: https://kubernetes-sigs.github.io/external-dns/
-  - name: keel
-    url: https://keel-hq.github.io/keel/
-
-releases:
-  - name: db-operator
-    namespace: platform
-    chart: db-operator/db-operator
-    version: 1.30.0
-
-  - name: db-instances
-    chart: db-operator/db-instances
-    namespace: platform
-    needs:
-      - platform/db-operator
-    version: 2.4.0
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-
-  - name: zot
-    chart: zot/zot
-    version: 0.1.65
-    createNamespace: false
-    installed: true
-    namespace: platform
-    condition: workload.enabled
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-
-  - name: authentik
-    chart: goauthentik/authentik
-    version: 2024.10.5
-    namespace: platform
-    createNamespace: false
-    condition: workload.enabled
-    needs:
-      - platform/db-operator
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-database
-
-  - name: minio
-    chart: minio-standalone/minio
-    version: 5.3.0
-    namespace: platform
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-
-  - name: kyverno
-    chart: kyverno/kyverno
-    namespace: kyverno
-    condition: workload.enabled
-    labels:
-      bootstrap: true
-    version: 3.3.3
-
-  - name: kyverno-policies
-    chart: kyverno/kyverno-policies
-    namespace: kyverno
-    condition: workload.enabled
-    labels:
-      bootstrap: true
-    version: 3.3.2
-    needs:
-      - kyverno/kyverno
-
-  - name: custom-kyverno-policies
-    chart: ../../kustomizations/kyverno/
-    namespace: kyverno
-    condition: workload.enabled
-    labels:
-      bootstrap: true
-    needs:
-      - kyverno/kyverno
-
-  - name: external-dns
-    chart: external-dns/external-dns
-    version: 1.15.0
-    namespace: platform
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-
-  - name: keel
-    chart: keel/keel
-    version: 1.0.4
-    namespace: platform
-    condition: workload.enabled

installations/storage/helmfile.yaml

@@ -1,34 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-repositories:
-  - name: longhorn
-    url: https://charts.longhorn.io
-  - name: rook-release
-    url: https://charts.rook.io/release
-releases:
-  - name: rook-ceph
-    chart: rook-release/rook-ceph
-    installed: true
-    namespace: rook-ceph
-    version: v1.14.6
-    inherit:
-      - template: default-env-values
-  - name: rook-ceph-cluster
-    chart: rook-release/rook-ceph-cluster
-    installed: false
-    namespace: rook-ceph
-    version: v1.14.6
-    needs:
-      - rook-ceph/rook-ceph
-    inherit:
-      - template: default-env-values
-  - name: longhorn
-    chart: longhorn/longhorn
-    namespace: longhorn-system
-    installed: true
-    version: 1.7.2
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: ext-secret

kustomizations/external-service-xray/service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: xray-external-proxy
+spec:
+  externalName: xray-public.badhouseplants.net
+  sessionAffinity: None
+  type: ExternalName
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: xray-external-proxy
+spec:
+  entryPoints:
+    - xray-public
+  routes:
+    - match: HostSNI(`*`)
+      services:
+        - name: xray-external-proxy
+          nativeLB: true
+          port: 27015
+

kustomizations/kyverno/add-applied-by.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-applied-by
+spec:
+  background: false
+  rules:
+    - name: add-applied-by
+      match:
+        any:
+          - resources:
+              kinds:
+                - '*'
+              namespaces:
+                - org-*
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              applied-by: "{{ request.userInfo.username }}"

kustomizations/kyverno/badhouseplants/pvc-patch.yaml

@@ -0,0 +1,58 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: replace-storage-class-by-openebs
+spec:
+  rules:
+    - name: local-path-fix
+      match:
+        any:
+          - resources:
+              kinds:
+                - PersistentVolumeClaim
+              namespaces:
+                - registry
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              volume.kubernetes.io/selected-node: bordeaux
+    - name: replace-storage-class
+      match:
+        any:
+          - resources:
+              kinds:
+                - PersistentVolumeClaim
+              namespaces:
+                - games
+                - application
+                - platform
+                - pipelines
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              volume.beta.kubernetes.io/storage-class: openebs-hostpath
+          spec:
+            storageClassName: openebs-hostpath
+            accessModes:
+              - ReadWriteOnce
+    #- name: remove-unwanted-annotations
+    #  match:
+    #    any:
+    #      - resources:
+    #          kinds:
+    #            - PersistentVolumeClaim
+    #          namespaces:
+    #            - games
+    #  mutate:
+    #    patchesJson6902: |-
+    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
+    #        op: replace
+    #        value: openebs-hostpath
+    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
+    #        op: replace
+    #        value: openebs.io/local
+    #      - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
+    #        op: replace
+    #        value: openebs.io/local

kustomizations/kyverno/etersoft/pvc-patch.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: append-node-name-to-pvc
+spec:
+  rules:
+    - name: replace-storage-class
+      match:
+        any:
+          - resources:
+              kinds:
+                - PersistentVolumeClaim
+              namespaces:
+                - applications
+                - platform
+                - registry
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              volume.kubernetes.io/selected-node: yekaterinburg

kustomizations/kyverno/pvc-patch.yaml

@@ -1,44 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: replace-storage-class-by-openebs
-spec:
-  rules:
-    - name: replace-storage-class
-      match:
-        any:
-          - resources:
-              kinds:
-                - PersistentVolumeClaim
-              namespaces:
-                - games
-                - application
-                - platform
-      mutate:
-        patchStrategicMerge:
-          metadata:
-            annotations:
-              volume.beta.kubernetes.io/storage-class: openebs-hostpath
-          spec:
-            storageClassName: openebs-hostpath
-            accessModes:
-              - ReadWriteOnce
-    - name: remove-unwanted-annotations
-      match:
-        any:
-          - resources:
-              kinds:
-                - PersistentVolumeClaim
-              namespaces:
-                - games
-      mutate:
-        patchesJson6902: |-
-          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
-            op: replace
-            value: openebs-hostpath
-          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
-            op: replace
-            value: openebs.io/local
-          - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
-            op: replace
-            value: openebs.io/local

manifests/peerauth.yaml

@@ -0,0 +1,8 @@
+apiVersion: security.istio.io/v1
+kind: PeerAuthentication
+metadata:
+  name: default
+  namespace: public-xray
+spec:
+  mtls:
+    mode: STRICT

scripts/post_render_apply_log.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-WORKDIR=$(mktemp -d)
-cat <&0 > "${WORKDIR}/result.yaml"
-
-echo "---" >> "${WORKDIR}/result.yaml"
-
-kubectl create configmap --dry-run=client "${1}-apply-log" -o yaml --from-literal author="${USER}" >> "${WORKDIR}/result.yaml"
-
-cat "${WORKDIR}/result.yaml"
-

values/badhouseplants/applications/memos/values.yaml

@@ -0,0 +1,35 @@
+shortcuts:
+  hostname: notes.badhouseplants.net
+ext-database:
+  enabled: true
+  name: memos-postgres16
+  instance: postgres16
+  credentials:
+    MEMOS_DRIVER: postgres
+    MEMOS_DSN: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
+base:
+  workload:
+    containers:
+      memos:
+        envFrom:
+          main: {}
+          raw:
+            - secretRef:
+                name: memos-postgres16-creds
+
+storage:
+  data:
+    metadata:
+      annotations:
+        volume.kubernetes.io/selected-node: bordeaux
+    storageClassName: openebs-hostpath
+ingress:
+  main:
+    metadata:
+      annotations:
+        kubernetes.io/ingress.class: traefik
+        kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.allow-http: "false"
+        kubernetes.io/ingress.global-static-ip-name: ""
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure

values/badhouseplants/argocd/argocd/secrets.yaml

@@ -0,0 +1,21 @@
+configs:
+    cm:
+        dex.config: ENC[AES256_GCM,data:U+BKH82hTX8a08ZVJM8WJ2NuwIJR2Diax4VUxziFhHlZWMJKWCl2BNSquKxaFincmoR3Lqn95wyfsoGKwjPxINqYw0F3zbZttlfpyG84Jg2Y4E3+NDE0YtPv1stE47aW8ZWDycjcvrW9UGANEQWHGoEMVC7sIDmSEKc4zZYVOrDPnIDOl8Fdt+7oQb9XcITvkt28DJymMvm2FLJPEB9Iz/M9V72r8QhA9ASYEWnhjYUnv63A92YH7FBr+5rdlaRSW/jJfnTWViHdi9F0fYyPmjgcyAitSXZNbPs3bd8uV7ZZTWIQGMb1IpB9SFHxMBHLNv510kFmdn0RpThIrSiDrbau4OiXcFj3N3JOStlz/AlWBkAj/zNfCcdZfsSvICARcAuw4Jowh0fGSzi3uJrr9CezWTj5t3SN+KoKGs2vO5DoD8dmjtI3vStICVs9jN8QXiPb4WpUALyM9AT41Eg+oo/58SnxNjovJ2xw/DV4GTQxpzaPCC1yagR4vSR+/qlRYU9SUinw53kzm2tZjabAVbfpTlbq7F7Ld/GuW3IQh/fULBTxYGys9s++72GdG/P0elLjvCV0Xt3vIona//uVKQFXQB8rxAMWLnTHFbM9Y6uWlZkN/W63ceJAYzXNBtC/uzfMV8GRZQpbb/QVO9U/F54yefoB7XJ8BSrHYiCvIeV/SwWINNw9Lo/Cy4nsC6UrqYdanz32HrwawSGikfGjQGXDE1n3DcPXbA6rGR2N7bbxZnIeI7TLP+pNxEg8Apr550Vh1qM9oCDx7cYgFkAEb/X/P4PYqRe1yRn+jzomAPidhGCuHibtihCXU8bht4i3uwT91SJDNEmJI9yBSxAMY9pgjmSuVTO22tI=,iv:D+KOoEOhvNSEbx4h8ltF0Kj8XBp5B6ipCXFtREvqXdw=,tag:jVZjICBTlwEUAeaH7Rgkbg==,type:str]
+    credentialTemplates:
+        ssh-creds:
+            sshPrivateKey: ENC[AES256_GCM,data:NFkcWS4nL0KOtNaXU+InVIoVJhCiasJWN2JTJ2AP9WH9caU5pDw2mpT1mF0zZuRw/hvwJTrkSjA2pV6hiCEVwJegEWqWIKgnakEeF6XZPJK+ryWSLA2jg3Ba8BCMZxMTq9olZEt4ap/irKhvkoDxERdvGp/bsWYwNsy/lo92xNqAeGAWlyS4H5bBPx8RtzJx7MrVmGsOGmtPhaX9AxGtot13FZ07Y0lW0PZ75VgQzNS05Y9obO99hrdJ2sfGdmZtvqtENJGQh9sLzAKKbZFj5bE+A7TA54qVItmePEg6JhWdJ+0QMoyGXUaX1b1XsdwV8TOZEFOj9KI1RwsrOhwlD1sqkKJC1l498mOwP+xeFXJkGOtT2DB+Ds6LU4byXKMkvhwNQho2BBkQ/+W59IIL1+4a6RHMJwO1dhK94AsQDjy0TNyKKTSk8erotlwefR5ny+ZnARe2V5mLObmAZWdbni+AzvfHCrOQcmk3dxwLBCc98/hDzAMlbjsE34GWUEI5rcp+uHhFgnLaTNJE/PJOwP1WlFiyoDIpi2lj,iv:3XAh3cSFA2r1PMlXMo/1ubpIIgyGDDMhpni7hlinSBg=,tag:9po/JY+NFnOz3Xaw5L60PQ==,type:str]
+sops:
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZzFUTVVQNit4eTNiYWcw
+            Z2JsNEVGcm9Qa2NkWnQ3Ym1RSmV5ang4dGt3CkJhdSsyeHJlZWdtbkx3alhqemxD
+            NWdHdGV2K1ZOeGpqSS84SHVWMUN3OGMKLS0tIFhNWXBHcFg5VDNVUWVaY3RhY0dz
+            aXNSKzVjZEZRZlBaelk1TTNYcTkxcWMKC1gn1y9T0PsFOE4hKYS7m4OgHGkFcK/p
+            SSFtTltvEs6jEeXitHhGcn1IWy4hxEvUBnVMGwTkweIKefwxkHi9/A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-14T12:08:28Z"
+    mac: ENC[AES256_GCM,data:YzmFndPEnQAs9LDD41xQPGTUvU2zUup7J3dTUPLVmBZVHbV2Ml2xAmxMLXJ0G1VOM6h+TEQasU/ZUadLc41GM4m8aZfvxnQtMxPJEP9L1g4zhE3zzXAGXixcQ9xDY3aDhVwdoipyMo23kQqaHageVIfoBxE5ClI+ci0FepeBO/I=,iv:8hAfCtpoecVU8WgAStfqFArAMqBAiPJQGgKMJhJnDBE=,tag:lbJOH1IAf6Enl8g/Pe2I+Q==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.1

values/badhouseplants/argocd/argocd/values.yaml

@@ -42,7 +42,7 @@ redis:
       enabled: false
 
 global:
-  domain: argo.badhouseplants.net
+  domain: argocd.badhouseplants.net
 
 server:
   ingress:
@@ -71,7 +71,7 @@ server:
       kubernetes.io/ingress.global-static-ip-name: ""
       cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
     ingressClassName: traefik
-    hostname: "argogrpc.badhouseplants.net"
+    hostname: "argocdgrpc.badhouseplants.net"
     path: /
     pathType: Prefix
     tls: true
@@ -95,31 +95,42 @@ configs:
       g, allanger@zohomail.com, role:admin
       g, allanger@badhouseplants.net, role:admin
       g, rodion.n.rodionov@gmail.com, role:admin
+      g, jacklull@badhouseplants.net, role:admin
       p, drone, applications, *, badhouseplants/*,allow
   cm:
     exec.enabled: "true"
-    url: https://argo.badhouseplants.net
+    url: https://argocd.badhouseplants.net
     kustomize.buildOptions: "--enable-alpha-plugins"
     accounts.drone: apiKey, login
     accounts.drone.enabled: "true"
   credentialTemplates:
     ssh-creds:
-      url: git@github.com
-
-applicationSet:
-  metrics:
-    enabled: false
-    serviceMonitor:
-      enabled: false
-
+      url: git@gitea.badhouseplants.net
+  ssh:
+    # -- Specifies if the argocd-ssh-known-hosts-cm configmap should be created by Helm.
+    create: true
+    knownHosts: |
+      gitea.badhouseplants.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDpR4dE3oAGModn9GWtwVYrsnFod6pBXU8Z/uRj8l/hHjQaipISwNu8pqteGvssZatXBPkRj3zcf6yqgzufz9dXvt42XBN+H8c9UfeVrysivfTZ2DY3/J+vj0UBZy6kmf/sj83MTDaO2fIpnXOD2o3YYUeRVLL5YzTX1l22ih+LvvynY3gtmncf1SZOee1FTNJ2PdYi38F8Vp1MLAgcOTTsBd0WjCgx5xinzlPXwSxp6l4tp+aB6tsL4j5/6yudJfMkaOGTBCqybXyt6xYnYLTBbgmNlMd/0N9iOw4RYZfIaPDry6lTgNlJUWO5E7psckyjnCs1dvDRrJgL98q7X7+v8WNOqJMOFczLDAVtYq9akSFkJfAoNZ6FY4p//Xbgy3kukRlcSbot5ecBxPw0Cr9HAmO46uiaUHhPnVySyPKTiaDpOc5pjp6vak277jhSOqx0fX38aSVXyGJ5DYDgcg6f2nWjjhiLC3N3HDLtVjDJ6aw/yilldCRLugxXYT+nDtJjz84S8c13HvsREeW0vTncsBiY7y0WWCQyWj2W3Hp9SSNHuwl5xr+gQWSlhzBuDTceDlf4/TjaUIngWV+hVdkJEBFAcb9Oxib6AqF6Qrrw5lJUaboEA5RQs9Lh0lFfuirANzpVy1t279wZ0AEf6oFdeXLeHiV56QzKJLnbkzg8Q==
   repositories:
-    argo-deployment:
-      url: git@github.com:allanger/argo-deployment.git
-      name: argo-deployment
-      insecure: "true"
-      type: git
-    cluster-config:
-      url: git@github.com:allanger/cluster-config.git
-      name: cluster-config
-      insecure: "true"
+    go-test:
+      url: git@gitea.badhouseplants.net:sharing/go-test-project.git
+      name: go-test
       type: git
+      project: default
+#applicationSet:
+#  metrics:
+#    enabled: false
+#    serviceMonitor:
+#      enabled: false
+#
+#  repositories:
+#    argo-deployment:
+#      url: git@github.com:allanger/argo-deployment.git
+#      name: argo-deployment
+#      insecure: "true"
+#      type: git
+#    cluster-config:
+#      url: git@github.com:allanger/cluster-config.git
+#      name: cluster-config
+#      insecure: "true"
+#      type: git

values/badhouseplants/databases/postgres16/values.yaml

@@ -9,7 +9,7 @@ metrics:
 primary:
   persistence:
     size: 2Gi
-  resources: 
+  resources:
     limits:
       ephemeral-storage: 1Gi
       memory: 512Mi

values/badhouseplants/databases/redis/secrets.yaml

@@ -0,0 +1,26 @@
+global:
+    redis:
+        #ENC[AES256_GCM,data:INOZ17f72Qf6D+drbcvmnZRBRIeXLSAV9RmfOLZFp45qt8GWSHMnevqq9ge4Zlydtsd3BDek/JLUNl6YHPPq9qM1EFujY2htbOHyf0Cn,iv:zZDMizNKFllCyNH/bUF+vuB9YOikjo3q5ebzu3LYvCc=,tag:H0XX/D9xh0HS0Xnqgs/aag==,type:comment]
+        #ENC[AES256_GCM,data:JiLOpJanuZnMpN5dMvw2,iv:YEVZSdRHez1lCb61hWLvalLq8F67l7KF0WXmmuj9bck=,tag:KnpfgwUYBQLZsj4Jk13RtQ==,type:comment]
+        #ENC[AES256_GCM,data:mzDGjHlXUunu1yA=,iv:LOOU/QGaHKeDrssbk1haYd0lPclbFak9GygEbbN0gFs=,tag:4cUubeiY6aJj5KVKVkdFUA==,type:comment]
+        password: ENC[AES256_GCM,data:kN93kIMiVTGWbaYgMC1n1MWqdl8s3cbZS5vvYTa2,iv:Qy+GQchC6s2PoarPWtquipF9gAVYZR6mn0GeHABRogE=,tag:V/xbfm9u51UUG+we/3nNLQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOHRuN1J1ODYvc0Z3OW5H
+            NFhVM0dWWGZETU0vTzVkeUk1NFVWc2FSaGprCm5NalJKUWxtLzA5VTU3YjR5VWtx
+            NExtbTZZZUZteVBTYnNWTVZvbnF5VFUKLS0tIEpBTDhPbkVLVytaY29aUktmZGF2
+            bnVKWmI4RWpLaGU5WTIwblJRcDFDMlUK2BHkUNbpRMo0jm2Sk+Qcf4giufJtaJyM
+            xuoG41AqGs4+KEDS8/rF9HK7z+2Wk9H5b8L+/W0n+J5EPOvwvFePTA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-26T12:23:02Z"
+    mac: ENC[AES256_GCM,data:xrA6hCFIH/R/j/V1T60xx5Eix5Z5ETREQP4zYriLkZQ4hEzL2WdJFExK1VXSfX4KmIR8215XHmHnWu70eIoAnFUaozBosIFtJz0YNrNNok6MeDGD5fy5mcBQfCqLw+rwbW/uxY7DQrchgVT9iFAkpRSoVPUzn6ku/xCmTmSlv3E=,iv:lNLR5QHKPUWb1Mz8mIFCHnjpuQVF7ttNTOy9+jEzLyo=,tag:G4iZ/9nWKh97JLGOxbgSQg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/games/minecraft/values.yaml

@@ -1,33 +1,15 @@
-service-account:
-  enabled: true
-  resources:
-    - name: minecraft-exporter
-      label:
-        app: minecraft-minecraft-metrics
-      endpoints:
-        port: metrics
-traefik:
-  enabled: true
-  tcpRoutes:
-    - name: minecraft-tcp
-      entrypoint: minecraft
-      gateway: istio-system/badhouseplants-minecraft
-      match: HostSNI(`*`)
-      service: minecraft-minecraft
-      port: 25565
 # --------------------------------------------------
 # -- Main values
 # --------------------------------------------------
 image:
-  #tag: java21-graalvm
-  tag: java21-jdk
+  tag: java23-graalvm
   pullPolicy: Always
 resources:
   requests:
-    memory: 3.5Gi
+    memory: 2.7Gi
     cpu: 2.5
   limits:
-    memory: 3.5Gi
+    memory: 2.7Gi
 lifecycle:
   postStart:
     - bash
@@ -52,32 +34,23 @@ readinessProbe:
   successThreshold: 1
   timeoutSeconds: 20
 minecraftServer:
-  memory: 3000M
+  memory: 2000M
   jvmOpts: |
     -server
   jvmXXOpts: |
-    -Xms3000G -Xmx3500G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M
+    -Xms2000G -Xmx2500G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M
   overrideServerProperties: true
   eula: "TRUE"
   onlineMode: false
   difficulty: hard
   hardcore: true
-  version: "1.21.1"
+  version: "1.21.5"
   maxWorldSize: 90000
   type: "FABRIC"
   gameMode: survival
   pvp: true
   modUrls: []
   serviceType: NodePort
-  #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2-api.jar
-  #- https://github.com/CaffeineMC/sodium-fabric/releases/download/mc1.20.1-0.5.11/sodium-fabric-0.5.11+mc1.20.1.jar
-  #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2.jar
-  #pluginUrls:
-  #  - https://github.com/dmulloy2/ProtocolLib/releases/download/5.2.0/ProtocolLib.jar
-  #  - https://mediafilez.forgecdn.net/files/3789/833/GravityControl-2.0.0.jar
-  #  - https://mediafilez.forgecdn.net/files/3151/915/CrackShot.jar
-  #  - https://s3.badhouseplants.net/public-download/MechanicsCore-3.4.8.jar
-  #  - https://s3.badhouseplants.net/public-download/WeaponMechanics-3.4.9.jar
   rcon:
     enabled: true
     withGeneratedPassword: false
@@ -85,7 +58,7 @@ minecraftServer:
     serviceType: ClusterIP
   extraPorts:
     - name: metrics
-      containerPort: 9225
+      containerPort: 19565
       protocol: TCP
       service:
         enabled: true
@@ -93,12 +66,11 @@ minecraftServer:
         labels:
           exporter: minecraft
         type: ClusterIP
-        port: 9925
+        port: 19565
       ingress:
         enabled: false
 persistence:
   storageClass: openebs-hostpath
-  #storageClass: local-path
   dataDir:
     enabled: true
     Size: 9Gi
@@ -121,35 +93,6 @@ mcbackup:
   persistence:
     backupDir:
       enabled: false
-# ---------------------------------------------
-# -- Install Plugins
-# ---------------------------------------------
-initContainers:
-  - name: 0-download-mods
-    image: alpine/curl
-    command:
-      - curl
-      - -L
-      - "https://s3.badhouseplants.net/minecraft-mods/server_mods.tar"
-      - -o
-      - /download/server_mods.tar
-    volumeMounts:
-      - name: download
-        mountPath: /download
-        readOnly: false
-  - name: 1-copy-plugins-to-minecraft
-    image: ubuntu
-    command:
-      - sh
-      - -c
-      - cd /mods  && tar -xvf /download/server_mods.tar || true
-    volumeMounts:
-      - name: plugins
-        mountPath: /mods
-        readOnly: false
-      - name: download
-        mountPath: /download
-        readOnly: false
 extraVolumes:
   - volumeMounts:
       - name: plugins
@@ -162,3 +105,36 @@ extraVolumes:
       - name: download
         emptyDir:
           sizeLimit: 500Mi
+extraDeploy:
+  - |-
+      apiVersion: monitoring.coreos.com/v1
+      kind: ServiceMonitor
+      metadata:
+        name: minecraft
+      spec:
+        endpoints:
+        - interval: 30s
+          port: metrics
+          scrapeTimeout: 10s
+          path: '/'
+        namespaceSelector:
+          matchNames:
+          - games
+        selector:
+          matchLabels:
+            app.kubernetes.io/instance: minecraft
+  - |-
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: minecraft-tcp
+      spec:
+        entryPoints:
+        - minecraft
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: minecraft
+            nativeLB: true
+            port: 25565
+

values/badhouseplants/kube-system/namespaces/secrets.yaml

@@ -0,0 +1,21 @@
+defaultRegcred: ENC[AES256_GCM,data:lsqr2fBEosOQqYLBwps1hmgFs90zkzbdHpO8UwJWcMl1/CGkyzroACqHkL8taaOnnvwWwadIL8FU3382jamw0Xk5O51bFSBbCxTs3xd4ibwe39ha5YI6YQDHADDb/u1Yw4TctJ/h9xykXHDOL4foE5Z860e16vtMiVvniLD9OGfR6utb9gvZHE2QqZTlHR9U4PY2vLWWQMN3VRvipT7hulmOUzXMVcuBswmyDF39PvTba6Ea7A83V9h6HpqNeSA1ewKREIDOFqjhl7tIit8aQnuee58bJCTVIdg6gyR6yfu6sF22wdUlsJ7CAHtd41sbhEhWGyzJIqg=,iv:J1CfAJmNpI7lgQalYJlXs+JX5I0e6COGrsenMhvDGLA=,tag:nHkq8VF47I/9FS8uGcEyuw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWHpPUkZqbC9LaEtJYzhF
+            L0hIZUtOa3E4KzJDOFlwaFRVWDdJRnBtR1ZjCnVLNzhyQkdxS2dtK2lFaWRJUkJq
+            dThURHRTRG5GT1BqaTZRbzlUbXYzWHMKLS0tIFRSa1lkSGQrN1RGdklzYzZNU3BH
+            ZE0wMk1sRGg1M1lrNVFMTityK3cwK00Kbhugumz27RVo1SJjaljEbklHY6CW7xGD
+            UCbN0LGh5PPpN6eCbZW8dB1+/lLR9AnyYr6okrGM2iztaJQdlwRvww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-27T10:24:56Z"
+    mac: ENC[AES256_GCM,data:xGqmh1TPg0OJLSycbnjsF4Ai844ZzlCzawQXmROpORJEiSL/3R1W+2PsBT5KcAfG7y2+Ovyk+l1FeorIPuqnbcezX9zUxMOaFXJylmwvNYXCwoihU6Yx2hg9SuFhnwINAhCLqOaRKIh8xPUaK8nRVqwJJa0jW6eCyZ5lsLtpz90=,iv:pmPfpSv3VfVz/MvTGTWoMxzkF3BvCMhK+HxEeN5pzNI=,tag:WkLcTz/WlLXmq8EojHfdlA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/kube-system/namespaces/values.yaml

@@ -0,0 +1,39 @@
+namespaces:
+  - name: registry
+  - name: flux-system
+    defaultRegcred: true
+  - name: argocd
+    defaultRegcred: true
+  - name: kube-system
+    defaultRegcred: true
+  - name: production
+    defaultRegcred: true
+  - name: kyverno
+    defaultRegcred: true
+  - name: velero
+    defaultRegcred: true
+  - name: observability
+    defaultRegcred: true
+  - name: databases
+    defaultRegcred: true
+  - name: istio-system
+    defaultRegcred: true
+  - name: applications
+    defaultRegcred: true
+    labels:
+      istio-injection: enabled
+  - name: platform
+    defaultRegcred: true
+  - name: games
+    defaultRegcred: true
+  - name: pipelines
+    defaultRegcred: true
+  - name: public-xray
+    defaultRegcred: true
+    labels:
+      istio-injection: disabled
+  - name: org-badhouseplants
+    defaultRegcred: true
+  - name: org-allanger
+    labels:
+      istio-injection: enabled

values/badhouseplants/kube-system/openebs/values.yaml

@@ -1,6 +1,7 @@
 localpv-provisioner:
   hostpathClass:
     isDefaultClass: true
+
 zfs-localpv:
   crds:
     zfsLocalPv:

values/badhouseplants/kube-system/traefik/values.yaml

@@ -10,13 +10,12 @@ ports:
         readTimeout: 0
         idleTimeout: 0
         writeTimeout: 0
-    forwardedHeaders:
-      trustedIPs:
-        - "192.168.0.0/16"
-    proxyProtocol:
-      trustedIPs:
-        - "192.168.0.0/16"
-      insecure: true
+        forwardedHeaders:
+          trustedIPs:
+            - "192.168.0.0/16"
+        proxyProtocol:
+          trustedIPs:
+            - "192.168.0.0/16"
   ssh:
     port: 22
     expose:
@@ -47,9 +46,9 @@ ports:
     exposedPort: 25
     expose:
       default: true
-    proxyProtocol:
-      trustedIPs:
-        - "192.168.0.0/16"
+      proxyProtocol:
+        trustedIPs:
+          - "192.168.0.0/16"
   smtps:
     port: 465
     protocol: TCP
@@ -101,27 +100,38 @@ ports:
     proxyProtocol:
       trustedIPs:
         - "192.168.0.0/16"
+
   minecraft:
     port: 25565
     protocol: TCP
     exposedPort: 25565
     expose:
       default: true
-  shadowsocks:
-    port: 8388
-    protocol: TCP
-    exposedPort: 8388
-    expose:
-      default: true
-  tf2:
+
+  game-udp:
     port: 37015
     protocol: UDP
     exposedPort: 37015
     expose:
       default: true
-  tf2-rcon:
-    port: 37015
-    protocol: TCP
-    exposedPort: 37015
-    expose:
-      default: true
+
+      #  tf2-rcon:
+      #    port: 37015
+      #    protocol: TCP
+      #    exposedPort: 37015
+      #    expose:
+      #      default: true
+
+      #  ssocks-etcp:
+      #    port: 8444
+      #    protocol: TCP
+      #    exposedPort: 8443
+      #    expose:
+      #      default: true
+      #
+      #  ssocks-eudp:
+      #    port: 8445
+      #    protocol: UDP
+      #    exposedPort: 8443
+      #    expose:
+      #      default: true

values/badhouseplants/observability/loki/values.yaml

@@ -63,6 +63,10 @@ distributor:
   replicas: 0
 compactor:
   replicas: 0
+gateway:
+  replicas: 1
+  affinity:
+    podAntiAffinity: ~
 indexGateway:
   replicas: 0
 bloomCompactor:

values/badhouseplants/observability/prometheus/values.yaml

@@ -1,7 +1,3 @@
-# ------------------------------------------
-# -- Istio extenstion. Just because I'm
-# --  not using ingress nginx
-# ------------------------------------------
 coreDns:
   enabled: false
 kubeEtcd:

values/badhouseplants/org-allanger/app-tandoor-recipes/secrets.yaml

@@ -0,0 +1,25 @@
+env:
+    secrets:
+        data:
+            SECRET_KEY: ENC[AES256_GCM,data:bLecWaJafPbXT2/dvKt3R2KNfuxxgQ6yLxviYbOf,iv:liuexfgYScH+eg/qSO23SQxE7hKpudgkOH3JRDkaa+A=,tag:DEcAbY6rg7mQnhsnukWtFA==,type:str]
+            SOCIALACCOUNT_PROVIDERS: ENC[AES256_GCM,data:kx9ziZhxWcWTu1UG7BPi/sdG1tHhzugq65xxL3IPVx8i1oHXwy+00KaOEsIYP+TJqX5516Zq6JqtXe9dQwI4uVIy538FdXeEQDHKNS0xesSx8jG0tKa71GiqyQGBrBBxiy144za9y1QHB9k1pvuaza8mVEQOoktmMFfiHzEOhYDQxIzTulOMWxN2ImTsYSupHS6HLR13gDCyROVDzj1Io/U1VHxN5RZBPiqthNiB+/Aj+2FuCwAaxgEE6VVNFJlghi2yiZbl/PvZ3MDT+dAx/NijawVt0qdBBmPvB3jKZkgRN2tyystGiu47hnLosuzjrOjAMA6rP7XkT2gQ5e6hoLlJxWD5IiAHI+gQK7REbyJrEmSwwH0aCVsd1H4FOBNk+rfKpTIr7sRZFTVcZLtUdTZW6EW0XWmrBBPr5jodmouoFZY+dGlWP1vQkG+2eymw5aJCan0oq+x+J9dB+CVZc/2M1zBeRa6Crg7w3smCqOr46jkaRxfoDxV2NdRSla5zkwwFSS7MqPYlqre2oW+pgP7lvRa4MW9++5q+Zg==,iv:RZMNm66PhTWvjJG5jtpJW22TFInHw8LT04qui3fMLgA=,tag:ETMqmFO/8Kve/W55WP21dA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcTM5RTNIakwwZHNrQXE2
+            U2FsK1gwMDhUTDd1MVorbENtQXdnZjYrM1c4CmNQaG5TcU9wK25qQUg5a29UUXBK
+            WlZHK0M0dHEvZWVyZmJzR0RLU1pGWmMKLS0tIGk4TFArQnJyTWJJa3FJRlJhY0do
+            ZE81bENWM3ZUdlR0N2RKMnJkUnJxSG8Ky2ngwj6ZnToGhnAJChU8NXUG+XPPZc2F
+            fOD35BFO5bUNe+V8MkDLae+GQ1hr55r4WnvFpSWywRIjCFYmUJHTgQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-22T12:32:43Z"
+    mac: ENC[AES256_GCM,data:khcLV/lPaY6J5QQmX8466jx9bsXn+NwA3TLIUYs9ipKa539OjIWstwyydVxILSBCwEWGEW86c8EzLBwptBBgg6gehfRJAax5TAn0lBd1lAAiAxZhdNpc2tfoaMaUWfWdpwYjdrtnvAlAkN3/16nvx+TIq7WdU/cWsic96PqhU0A=,iv:I81QvtZ7S+mSAzoXhU0YBMN0L4K+SRHW3UtcSLxwK5s=,tag:gAeAIjyJ13A8gfE7ppBeRg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-allanger/app-tandoor-recipes/values.yaml

@@ -0,0 +1,57 @@
+shortcuts:
+  hostname: tandoor.badhouseplants.net
+ext-database:
+  enabled: true
+  name: tandoor-postgres17
+  instance: postgres17
+  credentials:
+    POSTGRES_HOST: "{{ .Hostname }}"
+    POSTGRES_PORT: "{{ .Port }}"
+workload:
+  kind: Deployment
+  strategy:
+    type: RollingUpdate
+  containers:
+    tandoor:
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+      envFrom:
+        - main
+        - secrets
+        - secretRef:
+            name: tandoor-postgres17-creds
+          extraVolumes:
+            common:
+              path: /opt/recipes
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8080
+        initialDelaySeconds: 10
+        failureThreshold: 30
+        periodSeconds: 10
+ingress:
+  main:
+    class: traefik
+    annotations:
+      kubernetes.io/ingress.class: traefik
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+extraVolumes:
+  common:
+    emptyDir: {}
+env:
+  main:
+    enabled: true
+    sensitive: false
+    data:
+      DB_ENGINE: django.db.backends.postgresql
+      SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
+      REMOTE_USER_AUTH: 1
+      SOCIAL_DEFAULT_ACCESS: 1
+      SOCIAL_DEFAULT_GROUP: guest

values/badhouseplants/org-badhouseplants/app-gitea/secrets.yaml

@@ -0,0 +1,50 @@
+gitea:
+    admin:
+        username: ENC[AES256_GCM,data:U230S8544mg=,iv:yL45Opnqp5T4h7erEv0pRHWtH1th8uu1Y4wfeY2aJcQ=,tag:a4vsJEOxlmHj1mwqcUGbiw==,type:str]
+        password: ENC[AES256_GCM,data:IpwOetFEvxt0/tGkiJ8bBI+OR/E=,iv:8OA48CiWeMyqZVs2lp+UzfyymUNQfdgmAQV33+AVQ+s=,tag:stgAMSnB5dCzFu4zvZeVRA==,type:str]
+    config:
+        storage:
+            MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:cn3NsFx0TH0fw6mJt6cArMRyQ6Qng3gIPQ==,iv:Jv+rweQzEXfVWuWycjGSi54jRAm0XEEcNxZ6flbUZWM=,tag:6O9KvcnaVEME5lXl6msZLw==,type:str]
+        mailer:
+            PASSWD: ENC[AES256_GCM,data:3UL0uvz49J3GIOo/eVWKYLrDG+u/lvCr8Q==,iv:HBQKF42R3tHFQxkUoRzsiPCUkFM40qpjM0SYrQSxugE=,tag:iua/nXoogjxnkj9T6UB/Sw==,type:str]
+        database:
+            PASSWD: ENC[AES256_GCM,data:DbL7wryYRQAEzujWNL4I0AwEq6Cr2r78FXQOAw==,iv:Oc2IYwD7iy7AlYVnhvSc61ttOf20qJyuuDnx4yF3/YE=,tag:aLa8+r0kYvzFSuF3hvhL2w==,type:str]
+        session:
+            PROVIDER_CONFIG: ENC[AES256_GCM,data:owsHUHdmzGiFgtD3+nRBmHYKcsNQXblbuCO8V0tLAAMvJBRHSA5YG1TL3Quy2186yoZCPiAdeQwg/o2Iutk2Mlc6/NmeurZbxomV8dWBuqJfn6t44xnDgFnEXpxE5kB5lNCtcjKXmpxC4fkoUVscOyZFmKp9uTgH,iv:evmTZH5NzMB3nhqLhuBmTTF4ztJX9a/ZMTOmYMqSaxs=,tag:dLnk9xt+moGoBhx7tqazig==,type:str]
+        cache:
+            HOST: ENC[AES256_GCM,data:feiTcBqztm76LZgNShj0Go0IRNgG9UwCQP9KrdexosP2XCnSe+giyKoIcADiHQFYVbnnkpw7/UqNxgM0Tx+EQ9eyFKY+PaFyCSFmQwikmAWakDJ+hQNM1VaNaDKdeLiGIeI7nO2MH9hGDMzPWtUgMNBxc9tTS38l,iv:Rcr+uiZMWbG9IPeMm+eiNf3W3yz2L7yqSkJSKUhWHtk=,tag:3cLuUAEU6CZvvUYKF1cCAQ==,type:str]
+        queue:
+            CONN_STR: ENC[AES256_GCM,data:Mw7W72M3HitiAEG1ihWctXyYqHJuSiKBZvQDDRjA4O9Yg9Zsbq+/HVcnh074zbiTjCO/496FLiy88HuAw8lksZ7MXXVvRI7rIcFKFZLpHcjAqkBnB301SGalK/R4bSisECsYIFPjKuh+s4PIuPEIgFtZuiEvYdbT,iv:uYwjzUObav2Hs/JgRIYbGBFNcZm++qS2QqKpz6Ma6EA=,tag:0okDz0yzL4eSat/0roYJ2A==,type:str]
+    oauth:
+        - name: ENC[AES256_GCM,data:sN+DzBKd,iv:0HNSbQEDLsV76DIRHdWnPs9SI/bHRZz6Fw+8B8Hhuns=,tag:mwTWy9VSXapPu3uLk7LgSQ==,type:str]
+          provider: ENC[AES256_GCM,data:m74moJ8h,iv:QfE5F3vpIlEzIftHlX/qpNvsnAab8gTd4CHyECHNcmQ=,tag:JefFm9mfYJSKzBDOb/l6BA==,type:str]
+          key: ENC[AES256_GCM,data:7ScP3oXE0zTnaqL3AigHby39fMk=,iv:sXllPawkQ5BcKmC1iBUJ2WOEPK2lm6W3q+GrprHZhAc=,tag:vSCB9w5x6jjPNu5b5ZEMzw==,type:str]
+          secret: ENC[AES256_GCM,data:XG9D5IUX4MqJzKf+aB7MCeDJAQlIzMxSv3ByAZQAdZCI+5my+cMfeg==,iv:s3e0wFznoX55MeEQj+dK0QrzzatGzDBKfT4xDD00cOA=,tag:vk32YQcPs0kAIOj61YwHww==,type:str]
+        - name: ENC[AES256_GCM,data:eBSL9xrBDN50,iv:TiC3jjpfwS6A9x6PAkMIorwJ9CecxblzEFt5+ZmSW6I=,tag:XA6UrnJbkUyDBgOY9xfIPw==,type:str]
+          provider: ENC[AES256_GCM,data:yh4TBYDI2R0a4f1qSg==,iv:hx8pAuo//U+YY5a2cq/KyoK4qcKbSXWtkrDvACWLU2c=,tag:uJ9JNWdDjb0eTS0ZJXHDaw==,type:str]
+          skip_local_2fa: ENC[AES256_GCM,data:8YwpOw==,iv:2R3Zc4HK/U31SVcXR3xi9J/kJySR3osA8xN3YhvRxBk=,tag:SzBFOwEmczW59SHLGCMb5Q==,type:str]
+          key: ENC[AES256_GCM,data:rLR8ve4=,iv:qOVIBiFjsOrrRg/mca5l7SHc2GdVAdyz0TV3Q7lJlQg=,tag:tYEzx7SoeoAC9/lgWU91uA==,type:str]
+          secret: ENC[AES256_GCM,data:r7sWVeqWTnqbt7ArzpADD5A1fYU6+KSpLohWJuSbEUyPAzOSxfZGxSYNfAwaxACOgmJJnxUeQ9l71nyUDWzGMrFkLr+o+WcQmSTPV3+3iMHDsTdgjEb+tIZFdi0Z5PJ8DCBxjckmbG5cx3O3Kyrjc24SNHCVb62lhduZH1fIlT0=,iv:kvtMCpiOUx10zTKt/ZYQh3leYaY9+v169Sq+sYIScHQ=,tag:t8txjt3xuVKWA7QgBJYuiw==,type:str]
+          autoDiscoverUrl: ENC[AES256_GCM,data:SG2ev/BshOBP0NQnpZRQErZDAEWdReiwp2pb2JJBWZmFvC67//t8WZu1/wilfQjJvJdsDGwk9Rwncoxya5Fb9uKYDAQKzqULJk70Er9pyNaowFbMxiMm+ws=,iv:B9GM9MLIrKTtRfyDxltlFvvm01aRCTQnyiemH4qzjGs=,tag:Wqji+fKliEGJRZ4inTmbXw==,type:str]
+          iconUrl: ENC[AES256_GCM,data:lcW3npgyrc50GIYCyTh5Gpht2CU6hX67j13XNOvGQybU2dsA9BtqpmH0OMQz4b1g/XkuHAp5j3I0wLnGvhXXf4mEugzt8g==,iv:X/kHS77OJLDuNN2lTAWLqPARJ1QZMY1ImuS+xmkUlgM=,tag:0ZRh7eH6dYdZd250Lb/+xA==,type:str]
+          scopes: ENC[AES256_GCM,data:GtTGDrDZwU1r5vEsxg==,iv:/7yMuJpxlML3R1X8onDSFbJVwpYFtnLamaI+X148Tlk=,tag:e8HkvzdpkhDvedVzm7jG3w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6d2JneUUzM1VkM1lvclA3
+            aC9wMGpKSGU5ZnVaUTNlVDNsMlNaOVRNYVdzCkpzVUJzNHN2TmhHektzOC93Vjlj
+            SVU3cUxVUm4wWjJQRWZRdWlRMEU1eUEKLS0tIHRLOEJERXBMd0NFajNjbHhPVVNl
+            b1cyT0RYa3hzbFJjc254bHJMcDIzeTgK/aX6f60NBz6w1TaOFSZDRE7rPniebb75
+            iwO74fJtl5g9WxAG5yByxJ455Uhc2R/+VBbK5BcYFt9cboIgkUrS2A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-25T19:15:08Z"
+    mac: ENC[AES256_GCM,data:ySAOo8j+p9O0v8xYFcjuD6e/pc9LtLxLWC4TdP7mjhdfwwaaoJW96DLEbSYxYN7Co8zHFqdMp5e76SgvhWwP2LNmHLunJ3LNU6u6NSMEFLCSyjAM8KiqB4bTNq7Kf9H2FZbAN58YKXpZEFECJpxoLg2Q9MdRp+BvgURDa2QLZRc=,iv:Ay5vMdrKbNpFyir/N4+mPuOwKwIVupZbeJFKA+DWFDA=,tag:+YUSXQYMfu59oF+hjg0XMg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-badhouseplants/app-gitea/values.yaml

@@ -1,20 +1,4 @@
 # ------------------------------------------
-# -- Database extension is used to manage
-# --  database with db-operator
-# ------------------------------------------
-ext-database:
-  enabled: true
-  name: gitea-postgres16
-  instance: postgres16
-traefik:
-  enabled: true
-  tcpRoutes:
-    - name: gitea-ssh
-      service: gitea-ssh
-      match: HostSNI(`*`)
-      entrypoint: ssh
-      port: 22
-# ------------------------------------------
 # -- Kubernetes related values
 # ------------------------------------------
 ingress:
@@ -40,31 +24,29 @@ replicaCount: 1
 clusterDomain: cluster.local
 resources:
   limits:
-    cpu: 512m
-    memory: 1024Mi
+    memory: 1.5Gi
   requests:
-    cpu: 512m
-    memory: 256Mi
+    cpu: 1.5
+    memory: 1.5Gi
 persistence:
   enabled: true
   size: 15Gi
   accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
 # ------------------------------------------
 # -- Main Gitea settings
 # ------------------------------------------
 gitea:
   metrics:
-    enabled: true
+    enabled: false
     serviceMonitor:
-      # -- TODO(@allanger): Enable it once prometheus is configured
       enabled: false
   config:
     database:
       DB_TYPE: postgres
-      HOST: postgres16-postgresql.databases.svc.cluster.local
-      NAME: applications-gitea-postgres16
-      USER: applications-gitea-postgres16
+      HOST: postgres17-postgresql.databases.svc.cluster.local
+      NAME: org-badhouseplants-app-gitea
+      USER: org-badhouseplants-app-gitea
     APP_NAME: Bad Houseplants Gitea
     ui:
       meta:
@@ -75,13 +57,14 @@ gitea:
       MAX_CREATION_LIMIT: 0
       DISABLED_REPO_UNITS: repo.wiki
     service:
-      DISABLE_REGISTRATION: false
+      DISABLE_REGISTRATION: true
     server:
       DOMAIN: gitea.badhouseplants.net
       ROOT_URL: https://gitea.badhouseplants.net
       LFS_START_SERVER: true
       LANDING_PAGE: explore
       START_SSH_SERVER: true
+      ENABLE_PPROF: false
     storage:
       STORAGE_TYPE: minio
       MINIO_ENDPOINT: "s3.badhouseplants.net:443"
@@ -128,6 +111,47 @@ service:
     type: ClusterIP
     port: 22
     clusterIP:
+deployment:
+  env:
+    - name: REQUIRE_SIGNIN_VIEW
+      value: expensive
+extraDeploy:
+  - |-
+    apiVersion: kinda.rocks/v1beta1
+    kind: Database
+    metadata:
+      generation: 1
+      labels:
+        app.kubernetes.io/managed-by: Helm
+      name: {{ include "gitea.fullname" $ }}
+    spec:
+      backup:
+        cron: 0 0 * * *
+        enable: false
+      credentials:
+        templates:
+        - name: CONNECTION_STRING
+          secret: true
+          template: {{` '{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{.Port }}/{{ .Database }}' `}}
+      deletionProtected: true
+      instance: postgres17
+      postgres: {}
+      secretName: {{ include "gitea.fullname" $ }}-db-creds
+  - |-
+    apiVersion: traefik.io/v1alpha1
+    kind: IngressRouteTCP
+    metadata:
+      name: {{ include "gitea.fullname" $ }}-ssh
+    spec:
+      entryPoints:
+      - ssh
+      routes:
+      - match: HostSNI(`*`)
+        services:
+        - name: {{ include "gitea.fullname" $ }}-ssh
+          nativeLB: true
+          port: 22
+
 # ------------------------------------------
 # -- Disabled dependencies
 # ------------------------------------------

values/badhouseplants/org-badhouseplants/app-navidrome-private/values.yaml

@@ -8,6 +8,7 @@ ingress:
       kubernetes.io/ingress.allow-http: "false"
       kubernetes.io/ingress.global-static-ip-name: ""
       cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+
       traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
 env:
   main:

values/badhouseplants/org-badhouseplants/app-navidrome/values.yaml

@@ -6,12 +6,14 @@ middleware:
         headers:
           customRequestHeaders:
             Remote-User: "guest"
+
 shortcuts:
   hostname: music.badhouseplants.net
+
 ingress:
   main:
     annotations:
-      traefik.ingress.kubernetes.io/router.middlewares: applications-navidromeauth@kubernetescrd
+      traefik.ingress.kubernetes.io/router.middlewares: org-badhouseplants-navidromeauth@kubernetescrd
       kubernetes.io/ingress.class: traefik
       kubernetes.io/tls-acme: "true"
       kubernetes.io/ingress.allow-http: "false"

values/badhouseplants/org-badhouseplants/app-open-strike-2/values.yaml

@@ -0,0 +1,20 @@
+deployAnnotations:
+  keel.sh/policy: force
+  keel.sh/trigger: poll
+  keel.sh/initContainers: 'true'
+
+extra:
+  templates:
+    - |-
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteUDP
+      metadata:
+        name: "{{ .Release.Name }}-game"
+      spec:
+        entryPoints:
+        - game-udp
+        routes:
+        - services:
+          - name: app-open-strike-2-main
+            nativeLB: true
+            port: 27015

values/badhouseplants/org-badhouseplants/app-stalwart/secrets.yaml

@@ -0,0 +1,27 @@
+config:
+    env:
+        secrets:
+            data:
+                SW_ADMIN_SECRET: ENC[AES256_GCM,data:dG2zVmvycL7TZM922XADQ/SwWMBrUvXd+BPwpxIvmaDnjejpEaHUfB0xhpkhZqhAB8M=,iv:5hDpUFLLGLf4VLj8h3weOZhiwJKYORg5uKVgXVXKbgM=,tag:9FQru61B5hDPcIoIUDvUtg==,type:str]
+                MINIO_ACCESS_ID: ENC[AES256_GCM,data:HvZa/kOy8ZI=,iv:T2433k3OmZTmPTx2QWEAELlN7zY37LUynapVWpASrJ0=,tag:Kvr4wIgq5dMmXRJDoxqGxA==,type:str]
+                MINIO_SECRET_KEY: ENC[AES256_GCM,data:Tv5VWQprCKtJCghzhZ8YD8/9,iv:hioZ+d0ns+Hr3pBVyfFWgcuRKDrPQmskSnU0XOMwhzA=,tag:nuFn0qV9UMy2ywiFfx5gHg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGMTZGN2NSYXUzcXNJVUx2
+            YXE3Nk5MbnV1dyttUEtmUExabFYvOGdHcTBRCkM1WE9uNlF1OGh4NnNDL3NabXhi
+            OW1NcDlydUMraTVQV2tjLzVla2tpSnMKLS0tIHN6RXVJTzNvZlkyTmdDb09UTUNy
+            TVJyRVI5U2NmV1VIQTk4cjlYM1htMFkKkxsXzn+7nFiTs3mANqO0+f7/TTGKogFk
+            8ix4OpiA9b33kuqi4Z7bXx4ucyCmlDwtxuHvmOEOyW4yJ9F1cgm+Uw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-15T23:05:04Z"
+    mac: ENC[AES256_GCM,data:Kix/IdONJ79Lj1dc/gigpM7BUPyg7EIsPQzkhtu8+nbIQZQsm0CYqlqPx1V7w0r9vef+rCd/8GX8RdKw0o5ZaDZY5l0nXEi9E7dEtcHTYlrr8fqljcsGRAKmOiBRMkPh0jGTEPlFRtb0Inrn85rWUiMJP12hwIIS0t7GpAydKdI=,iv:1pMdzj1x0Hf65nmZ28Lv7yu6Y+suQKxv274nYl8J3HI=,tag:GQL8HOSswz2N56iNAS9l9w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-badhouseplants/app-stalwart/values.yaml

@@ -0,0 +1,318 @@
+shortcuts:
+  hostname: stalwart.badhouseplants.net
+
+base:
+  workload:
+    initContainers:
+      prepare-config:
+        image:
+          registry: registry.hub.docker.com
+          repository: library/alpine
+          tag: latest
+          pullPolicy: Always
+        volumeMounts:
+          files:
+            config:
+              path: /app/config/config.toml
+              subPath: config.toml
+          extraVolumes:
+            config:
+              path: /app/etc
+        command:
+          - sh
+        args:
+          - -c
+          - cp /app/config/config.toml /app/etc/config.toml && echo "" >> /app/etc/config.toml
+    containers:
+      stalwart:
+        volumeMounts:
+          extraVolumes:
+            certs:
+              path: /app/certs
+            stalwart:
+              path: /opt/stalwart-mail
+            config:
+              path: /opt/stalwart-mail/etc
+
+        envFrom:
+          secrets: {}
+          raw:
+            - secretRef:
+                name: app-stalwart-db-creds-17
+
+extraVolumes:
+  certs:
+    secret:
+      secretName: stalwart.badhouseplants.net
+  stalwart:
+    emptyDir: {}
+  config:
+    emptyDir: {}
+ingress:
+  main:
+    metadata:
+      annotations:
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+        kubernetes.io/ingress.allow-http: "false"
+        kubernetes.io/ingress.class: traefik
+        kubernetes.io/ingress.global-static-ip-name: ""
+        kubernetes.io/tls-acme: "true"
+        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+config:
+  files:
+    config:
+      enabled: true
+      sensitive: false
+      remove: []
+      entries:
+        # Ref: https://github.com/stalwartlabs/mail-server/blob/main/resources/config/config.toml
+        config.toml:
+          data: |-
+            [lookup.default]
+            hostname = "{{ .Values.shortcuts.hostname }}"
+
+            [server.listener."smtp"]
+            bind = ["[::]:25"]
+            protocol = "smtp"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."smtp-startls"]
+            bind = ["[::]:587"]
+            protocol = "smtp"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."smtps"]
+            bind = ["[::]:465"]
+            protocol = "smtp"
+            tls.implicit = true
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."imap"]
+            bind = ["[::]:143"]
+            protocol = "imap"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."imaptls"]
+            bind = ["[::]:993"]
+            protocol = "imap"
+            tls.implicit = true
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener.pop3]
+            bind = "[::]:110"
+            protocol = "pop3"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener.pop3s]
+            bind = "[::]:995"
+            protocol = "pop3"
+            tls.implicit = true
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."sieve"]
+            bind = ["[::]:4190"]
+            protocol = "managesieve"
+            proxy.override = true
+            proxy.trusted-networks.0 = "192.168.0.0/16"
+
+            [server.listener."https"]
+            protocol = "https"
+            bind = ["[::]:443"]
+            tls.implicit = false
+
+            [server.listener."http"]
+            bind = "[::]:8080"
+            protocol = "http"
+            hsts = true
+
+            [store."minio"]
+            type = "s3"
+            bucket = "stalwart"
+            region = "eu-central-1"
+            access-key = "%{env:MINIO_ACCESS_ID}%"
+            secret-key = "%{env:MINIO_SECRET_KEY}%"
+            endpoint = "https://s3.badhouseplants.net:443"
+            timeout = "30s"
+            key-prefix = "/"
+
+            [store."postgresql"]
+            type = "postgresql"
+            host = "postgres17-postgresql.databases.svc.cluster.local"
+            port = 5432
+            database = "%{env:POSTGRES_DB}%"
+            user = "%{env:POSTGRES_USER}%"
+            password = "%{env:POSTGRES_PASSWORD}%"
+            timeout = "15s"
+
+            [storage]
+            data = "postgresql"
+            fts = "postgresql"
+            blob = "minio"
+            lookup = "postgresql"
+            directory = "internal"
+
+            [directory."internal"]
+            type = "internal"
+            store = "postgresql"
+
+            [authentication.fallback-admin]
+            user = "overlord"
+            secret = "%{env:SW_ADMIN_SECRET}%"
+
+            [tracer.console]
+            type = "console"
+            level = "info"
+            ansi = true
+            enable = true
+
+            [certificate."default"]
+            cert = "%{file:/app/certs/tls.crt}%"
+            private-key = "%{file:/app/certs/tls.key}%"
+
+  env:
+    secrets:
+      enabled: true
+      sensitive: true
+
+extra:
+  templates:
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-smtp"
+      spec:
+        entryPoints:
+        - smtp
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 25
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-smtps"
+      spec:
+        entryPoints:
+        - smtps
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 465
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-smtp-startls"
+      spec:
+        entryPoints:
+        - smtp-startls
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 587
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-imap"
+      spec:
+        entryPoints:
+        - imap
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 143
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-imaps"
+      spec:
+        entryPoints:
+        - imaps
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 993
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-pop3"
+      spec:
+        entryPoints:
+        - pop3
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 110
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: "{{ .Release.Name }}-pop3s"
+      spec:
+        entryPoints:
+        - pop3s
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: app-stalwart-mail
+            nativeLB: true
+            port: 995
+            proxyProtocol:
+              version: 2
+    - |
+      apiVersion: kinda.rocks/v1beta1
+      kind: Database
+      metadata:
+        name: "{{ .Release.Name }}-postgres17"
+      spec:
+        secretName: {{ .Release.Name  }}-db-creds-17
+        backup:
+          cron: 0 0 * * *
+          enable: false
+        credentials:
+          templates:
+            - name: POSTGRES_HOST
+              secret: true
+              template: "{{` {{ .Hostname }} `}}"
+            - name: POSTGRES_PORT
+              secret: true
+              template: "{{` {{ .Port }} `}}"
+        deletionProtected: true
+        instance: postgres17
+        postgres: {}

values/badhouseplants/org-badhouseplants/app-tandoor-recipes/secrets.yaml

@@ -0,0 +1,25 @@
+env:
+    secrets:
+        data:
+            SECRET_KEY: ENC[AES256_GCM,data:bLecWaJafPbXT2/dvKt3R2KNfuxxgQ6yLxviYbOf,iv:liuexfgYScH+eg/qSO23SQxE7hKpudgkOH3JRDkaa+A=,tag:DEcAbY6rg7mQnhsnukWtFA==,type:str]
+            SOCIALACCOUNT_PROVIDERS: ENC[AES256_GCM,data:kx9ziZhxWcWTu1UG7BPi/sdG1tHhzugq65xxL3IPVx8i1oHXwy+00KaOEsIYP+TJqX5516Zq6JqtXe9dQwI4uVIy538FdXeEQDHKNS0xesSx8jG0tKa71GiqyQGBrBBxiy144za9y1QHB9k1pvuaza8mVEQOoktmMFfiHzEOhYDQxIzTulOMWxN2ImTsYSupHS6HLR13gDCyROVDzj1Io/U1VHxN5RZBPiqthNiB+/Aj+2FuCwAaxgEE6VVNFJlghi2yiZbl/PvZ3MDT+dAx/NijawVt0qdBBmPvB3jKZkgRN2tyystGiu47hnLosuzjrOjAMA6rP7XkT2gQ5e6hoLlJxWD5IiAHI+gQK7REbyJrEmSwwH0aCVsd1H4FOBNk+rfKpTIr7sRZFTVcZLtUdTZW6EW0XWmrBBPr5jodmouoFZY+dGlWP1vQkG+2eymw5aJCan0oq+x+J9dB+CVZc/2M1zBeRa6Crg7w3smCqOr46jkaRxfoDxV2NdRSla5zkwwFSS7MqPYlqre2oW+pgP7lvRa4MW9++5q+Zg==,iv:RZMNm66PhTWvjJG5jtpJW22TFInHw8LT04qui3fMLgA=,tag:ETMqmFO/8Kve/W55WP21dA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcTM5RTNIakwwZHNrQXE2
+            U2FsK1gwMDhUTDd1MVorbENtQXdnZjYrM1c4CmNQaG5TcU9wK25qQUg5a29UUXBK
+            WlZHK0M0dHEvZWVyZmJzR0RLU1pGWmMKLS0tIGk4TFArQnJyTWJJa3FJRlJhY0do
+            ZE81bENWM3ZUdlR0N2RKMnJkUnJxSG8Ky2ngwj6ZnToGhnAJChU8NXUG+XPPZc2F
+            fOD35BFO5bUNe+V8MkDLae+GQ1hr55r4WnvFpSWywRIjCFYmUJHTgQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-02-22T12:32:43Z"
+    mac: ENC[AES256_GCM,data:khcLV/lPaY6J5QQmX8466jx9bsXn+NwA3TLIUYs9ipKa539OjIWstwyydVxILSBCwEWGEW86c8EzLBwptBBgg6gehfRJAax5TAn0lBd1lAAiAxZhdNpc2tfoaMaUWfWdpwYjdrtnvAlAkN3/16nvx+TIq7WdU/cWsic96PqhU0A=,iv:I81QvtZ7S+mSAzoXhU0YBMN0L4K+SRHW3UtcSLxwK5s=,tag:gAeAIjyJ13A8gfE7ppBeRg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-badhouseplants/app-tandoor-recipes/values.yaml

@@ -2,8 +2,8 @@ shortcuts:
   hostname: tandoor.badhouseplants.net
 ext-database:
   enabled: true
-  name: tandoor-postgres16
-  instance: postgres16
+  name: tandoor-postgres17
+  instance: postgres17
   credentials:
     POSTGRES_HOST: "{{ .Hostname }}"
     POSTGRES_PORT: "{{ .Port }}"
@@ -14,15 +14,24 @@ workload:
   containers:
     tandoor:
       securityContext:
-        runAsUser: 1000
-        runAsGroup: 3000
-        fsGroup: 3000
-        supplementalGroups: [3000]
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
       envFrom:
         - main
         - secrets
         - secretRef:
             name: tandoor-postgres16-creds
+          extraVolumes:
+            common:
+              path: /opt/recipes
+      livenessProbe:
+        httpGet:
+          path: /
+          port: 8080
+        initialDelaySeconds: 10
+        failureThreshold: 30
+        periodSeconds: 10
 ingress:
   main:
     class: traefik
@@ -33,7 +42,9 @@ ingress:
       kubernetes.io/ingress.allow-http: "false"
       kubernetes.io/ingress.global-static-ip-name: ""
       cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
-
+extraVolumes:
+  common:
+    emptyDir: {}
 env:
   main:
     enabled: true

values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml

@@ -0,0 +1,26 @@
+config:
+    env:
+        secrets:
+            enabled: ENC[AES256_GCM,data:bai2CQ==,iv:NG7q1ZsDpCW9Lu00fGsibpTEHGtew+l5TFOLOpljlwU=,tag:Z2/fXmsEEqhDzCdTWS/Qhw==,type:bool]
+            sensitive: ENC[AES256_GCM,data:n+dNXA==,iv:iFM0+5G5Bsw4NI+JH1vMMrty3Zo0El0HE9F6PEDsJrY=,tag:EcbzQHVeOHVLVC7kgaRPXw==,type:bool]
+            data:
+                SMTP_USERNAME: ENC[AES256_GCM,data:eQ4c,iv:4vX/ioHWEA6DzMwZ+23dgUN4PJ7Asz7bbufG5Fy80iI=,tag:1Mq0Hj/23T4fvGEXuNUtxA==,type:str]
+                ADMIN_PASSWORD: ENC[AES256_GCM,data:B08urSqwYgekI6I5LDYGHbPK5n3r+woRZw==,iv:K2O9aSJLRMbK+N2lfX4ojSqhbmb9KbWsuW2DtYZHCOA=,tag:Qz0OJ7aWwC+/9d1oc38ySw==,type:str]
+                ADMIN_TOKEN: ENC[AES256_GCM,data:sKVugfrrR9L5LtozHPibGiPULiwv8pAot925Z/rQ0V/mW+DVvNPEw4odgfX596Ddmd8oV5zo5Mz8WIPUCmrVmfdoz+3YzVywEy8=,iv:npthfz4xcW6fF10RhHCF6uXH/6526l3gjZGRu+Xpylg=,tag:vsPsRZ7EIQ7FMvqJga3hhg==,type:str]
+                DATABASE_URL: null
+                SMTP_PASSWORD: ENC[AES256_GCM,data:quvcZQKauXeW+l8xkYgVBElBQveoRWKDBA==,iv:KpQH+Ef87jl/M9XpBtIKNhn7ATHoV+Jgjpzg2Li28Kg=,tag:jniePrO7UVp/cz/eIh19mg==,type:str]
+sops:
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNnFwbWFpTWgxRk45S240
+            cVI5ekJXdVIwaG5NcGRPa2xTN2pFV2tyN1JBClNVMGhNL2FaM2pCK0sxbjgyalJN
+            MnpQeHBxY2RtWkI2c1htV3oyQmNnbVUKLS0tIGg4ZXNwaFRKNTlIRDluT3k0VDRD
+            Y3pIaEdFb1JwMnVrYnJ4UkpWMERmZFUKa45EvUqkvjaL85xh3gyxTeJ02IxPJf9a
+            TGjAvpjBrym9v++OrHn2otw1NOeZwSP1hmSCc+sa6/0yFqcU031xjQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-01T10:29:47Z"
+    mac: ENC[AES256_GCM,data:VmYotoR4BJJv2mZ+kt+NNn+oXLKWHed0o/TkJO93/4eLUm8Wg9SPMA1ZYYe9YRfgbIhYxPlQbPPKQBv95XeOS1FFL24VyenTTP3TXWroeXxOWubko/Fp88U3glJXs5jfL5DLYKvGwTXG3tchFDwH9m6QOABX+aRxvNBEP5zXUxs=,iv:HMzuvl8YCPj9ZA5tKfExQfSbvwu4IEHz6sMLAe8g7vo=,tag:lI2fh1b7prHsBS8Snrbdtw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.0

values/badhouseplants/org-badhouseplants/app-vaultwarden/values.yaml

@@ -0,0 +1,63 @@
+shortcuts:
+  hostname: vaultwarden.badhouseplants.net
+
+base:
+  workload:
+    kind: Deployment
+    strategy:
+      type: RollingUpdate
+    containers:
+      vaultwarden:
+        envFrom:
+          raw:
+            - secretRef:
+                name: app-vaultwarden-db-creds-17
+ingress:
+  main:
+    class: traefik
+    metadata:
+      annotations:
+        kubernetes.io/ingress.class: traefik
+        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+        kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.allow-http: "false"
+        kubernetes.io/ingress.global-static-ip-name: ""
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+
+config:
+  env:
+    main:
+      enabled: true
+      sensitive: false
+      data:
+        SMTP_HOST: stalwart.badhouseplants.net
+        SMTP_SECURITY: "starttls"
+        SMTP_PORT: 587
+        SMTP_FROM: bot@badhouseplants.net
+        SMTP_FROM_NAME: Vault Warden
+        SMTP_AUTH_MECHANISM: "Plain"
+        SMTP_ACCEPT_INVALID_HOSTNAMES: "false"
+        SMTP_ACCEPT_INVALID_CERTS: "false"
+        SMTP_DEBUG: false
+        DOMAIN: "{{ .Values.shortcuts.hostname }}"
+        LOG_FILE: /app/logs/log.txt
+
+extra:
+  templates:
+    - |-
+      apiVersion: kinda.rocks/v1beta1
+      kind: Database
+      metadata:
+        name: "{{ .Release.Name }}-postgres17"
+      spec:
+        secretName: "{{ .Release.Name  }}-db-creds-17"
+        instance: postgres17
+        deletionProtected: true
+        backup:
+          enable: false
+          cron: 0 0 * * *
+        credentials:
+          templates:
+            - name: DATABASE_URL
+              template: "{{ `{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}` }}"
+              secret: true

values/badhouseplants/org-onpier/app-memos/values.yaml

@@ -0,0 +1,43 @@
+shortcuts:
+  hostname: notes-onpier.badhouseplants.net
+
+ext-database:
+  enabled: true
+  name: memos-postgres16
+  instance: postgres16
+  credentials:
+    MEMOS_DRIVER: postgres
+    MEMOS_DSN: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
+
+workload:
+  containers:
+    memos:
+      envFrom:
+        - main
+        - secretRef:
+            name: memos-postgres16-creds
+ingress:
+  main:
+    annotations:
+      kubernetes.io/ingress.class: traefik
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+      traefik.ingress.kubernetes.io/router.middlewares: org\-onpier-memosauth@kubernetescrd
+
+ext-secret:
+  enabled: true
+  name: memos-basic-auth
+  data:
+    users: |
+      allanger:$apr1$kNwkQ0S.$9q29sib/xWEp3NDp.tquw/
+
+middleware:
+  enabled: true
+  middlewares:
+    - name: memosauth
+      spec:
+        basicAuth:
+          secret: memos-basic-auth

values/badhouseplants/pipelines/renovate-github/secrets.yaml

@@ -0,0 +1,17 @@
+secrets:
+    RENOVATE_TOKEN: ENC[AES256_GCM,data:ohd4EhTlhRpQ+IXVf1Nb73+h0VHrMZduPhkbm53s3/+HRKUZd7JepA==,iv:qtbH0lz9Li+jjWcef6JGRpbcsOGlG+e3TNHDukAK2HE=,tag:KVmari0LUGHVb61VSFtgXw==,type:str]
+sops:
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TGozODRjVzQvdzlvSE5s
+            RTlReWNSWDlzUVVLVmZXV1c3dWVwUU9hbWw4CnJUL20yTFpHMUJFWTdYQ2JWUisx
+            Y0djU2FhaEtVSTlRWEY3Z0RnOUhVVjAKLS0tIEZEUjhqUTRtTEo0L3haWFlRT2JS
+            QTFVWU5RSTBldzBjalg1TFBDY3hGUEEKCH1rY+tGtRNGMYrfSjqXbVsrPAleVHDO
+            Altiz0ceC5ODo01zwBf63vDVqjZtbIQNZ8oQ8Pjlktp3jCpL7JNK9A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-01T08:52:26Z"
+    mac: ENC[AES256_GCM,data:6PyWgR3f7lnen5Jun04Tsw1P7rcAgTSuF+YEh0fq3r3xHvQYFGesfEO4PHLfCGYtjyyCeyzpwBUIoUHTmI5tRYjLwjwRiIu/GH75eSLOx0y0gYMl8JUeaPxSpPvElpii3XAm7vKEJhTR9QzNuzduf0Q1JdlR6TM68XM8g78zeSc=,iv:CqTrPYoLg4IgW5zTsIcmGQUg5RfK+IQmxeQIQbd6oqk=,tag:P8Je5EhAv5TqqT77nPwlHw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.1

values/badhouseplants/pipelines/woodpecker-ci/values.yaml

@@ -4,8 +4,8 @@
 # ------------------------------------------
 ext-database:
   enabled: true
-  name: woodpecker-postgres16
-  instance: postgres16
+  name: woodpecker-postgres17
+  instance: postgres17
   credentials:
     WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
 server:
@@ -41,7 +41,7 @@ server:
     WOODPECKER_ESCALATE: true
     WOODPECKER_BACKEND_K8S_NAMESPACE: pipelines
   extraSecretNamesForEnvFrom:
-    - woodpecker-postgres16-creds
+    - woodpecker-postgres17-creds
 agent:
   enabled: true
   extraSecretNamesForEnvFrom: []

values/badhouseplants/platform/authentik/secrets.yaml

@@ -0,0 +1,19 @@
+authentik:
+    email:
+        password: ENC[AES256_GCM,data:aP/oiXCzwLsEd0qAp8aAPufQ1Ko=,iv:T5YdegcjWEK4MDdzLhFmsvV56OPl0jkhmtepohujP/s=,tag:EXerXi4m06Ryy7WVD3ZURg==,type:str]
+    secret_key: ENC[AES256_GCM,data:Oh/csFD5+FDfyXUYRVCEPrBE6UXPFZkR5VEep1bkAjs4hltuOaO22Q==,iv:IiBtFjBbsjepC2VmEk6wEe7r14lv48DBX12SpXaUCmc=,tag:ITR6OJiCYMxUoTGnSCPTQQ==,type:str]
+sops:
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSUNmTVZ0ZC9LaytCUTZy
+            TTRNR0M0WDVmN0RPVllWTmR0dnMrdzBCOFJnCkMrNGVCc1FnYkZTaE1vUFRCVWI0
+            WERUTWMwanFZUDFnVExZL2NyVTNWTk0KLS0tIEN2K0wzQm8vUkw4azZPaE9LZGsx
+            UW05cHVjemNBeDFGbHhoVXR4ckUxUXMKgfTTlw0Q3J+pFSW+eEyfK1tkrbEd4ZzR
+            x0ONWS1GTx+um+r76NYNRI+W93FD5d4/jiiZGPB6rupMSje9DV41MQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-12T15:22:14Z"
+    mac: ENC[AES256_GCM,data:xwt0NRuygT/qAlhnfKHLqgVFfEMKMIgiGvjCl7baIplwl94Kxqhh6JMgCogjjtoI2iGrAY3QPamfTDQIOEItB/yqQ7S9NApWIfsXtA8t85YuWwnP3OTCDmpy6dcP1FOV4lGmSvsqr65+OYKALrPTRkA7pV9kGo3roO6BPJbpb+Y=,iv:5eY4EOBM0ZFSjiyKmOJ07YNStOg0+Db3cM27g8+Y//s=,tag:rT1aCz5M0k9AbxKSWhmJ1A==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.1