Update Helm release gatekeeper to v3.21.0

Revert "Merge branch 'renovate/authentik-2025.x' into 'main'"

See merge request developerdurp/homelab!50

ansible/newcluster.yaml

@@ -1,2 +1,2 @@
 argocd login --insecure
-argocd cluster add <cluster> --name<name>
+argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd

ansible/roles/base/files/authorized_keys_user

@@ -1 +1,2 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano

dev/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2

dev/cert-manager/templates/secretvault.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: cloudflare-api-token-secret

dev/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2

dev/external-dns/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: external-dns-secret

dev/external-secrets/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 0.13.0
+  version: 0.17.0

dev/metallb-system/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
   repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2

dev/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
     }
   }
 }

dev/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0

dev/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
 

dev/vault/templates/secret-store.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: vault

dmz/authentik/Chart.yaml

@@ -7,6 +7,6 @@ version: 0.1.0
 appVersion: "1.16.0"
 
 dependencies:
-- name: authentik-remote-cluster
-  repository: https://charts.goauthentik.io
-  version: 2.0.0
+  - name: authentik-remote-cluster
+    repository: https://charts.goauthentik.io
+    version: 2.1.0

dmz/authentik/templates/ingress.yaml

@@ -0,0 +1,62 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: authentik-tls
+  commonName: "authentik.durp.info"
+  dnsNames:
+    - "authentik.durp.info"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: authentik-tls
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: authentik-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: infra-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.12.130
+    ports:
+      - port: 443
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: infra-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443

dmz/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2

dmz/cert-manager/templates/secretvault.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: cloudflare-api-token-secret

dmz/crowdsec/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: crowdsec
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+  - name: crowdsec
+    repository: https://crowdsecurity.github.io/helm-charts
+    version: 0.19.4

dmz/crowdsec/templates/secrets.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: enroll-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: enroll-key
+  data:
+    - secretKey: ENROLL_INSTANCE_NAME
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_INSTANCE_NAME
+    - secretKey: ENROLL_KEY
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_KEY
+    - secretKey: ENROLL_TAGS
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_TAGS
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/crowdsec/values.yaml

@@ -0,0 +1,24 @@
+crowdsec:
+  #
+  image:
+    repository: registry.durp.info/crowdsecurity/crowdsec
+    pullPolicy: Always
+
+  # for raw logs format: json or cri (docker|containerd)
+  container_runtime: containerd
+  agent:
+    # Specify each pod whose logs you want to process
+    acquisition:
+      # The namespace where the pod is located
+      - namespace: traefik
+        # The pod name
+        podName: traefik-*
+        # as in crowdsec configuration, we need to specify the program name to find a matching parser
+        program: traefik
+    env:
+      - name: COLLECTIONS
+        value: "crowdsecurity/traefik"
+  lapi:
+    envFrom:
+      - secretRef:
+          name: enroll-key

dmz/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2

dmz/external-dns/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: external-dns-secret

dmz/external-dns/values.yaml

@@ -1,6 +1,8 @@
 external-dns:
   global:
     imageRegistry: "registry.durp.info"
+    security:
+      allowInsecureImages: true
 
   image:
     pullPolicy: Always
@@ -9,10 +11,10 @@ external-dns:
 
   sources:
     - service
-    
+
   provider: cloudflare
   cloudflare:
-    secretName : "external-dns"
+    secretName: "external-dns"
     proxied: false
 
   policy: sync

dmz/external-secrets/Chart.yaml

@@ -6,6 +6,6 @@ version: 0.0.1
 appVersion: 0.0.1
 
 dependencies:
-- name: external-secrets
-  repository: https://charts.external-secrets.io
-  version: 0.15.0
+  - name: external-secrets
+    repository: https://charts.external-secrets.io
+    version: 0.17.0

dmz/external-secrets/values.yaml

@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
+    security:
+      allowInsecureImages: true
+
+  log:
+    level: debug
+  replicaCount: 1
   revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false
 
   installCRDs: true
   crds:
@@ -16,24 +22,24 @@ external-secrets:
     repository: registry.durp.info/external-secrets/external-secrets
     pullPolicy: Always
 
-  extraVolumes: 
+  extraVolumes:
     - name: ca-pemstore
       configMap:
         name: ca-pemstore
 
-  extraVolumeMounts: 
+  extraVolumeMounts:
     - name: ca-pemstore
       mountPath: /etc/ssl/certs/vault.pem
       subPath: vault.pem
       readOnly: true
 
-  resources: 
-    requests:
-      memory: 32Mi
-      cpu: 10m
-    limits:
-      memory: 32Mi
-      cpu: 10m
+  #  resources:
+  #    requests:
+  #      memory: 32Mi
+  #      cpu: 10m
+  #    limits:
+  #      memory: 32Mi
+  #      cpu: 10m
 
   webhook:
     create: false
@@ -44,24 +50,24 @@ external-secrets:
       repository: registry.durp.info/external-secrets/external-secrets
       pullPolicy: Always
 
-    extraVolumes: 
+    extraVolumes:
       - name: ca-pemstore
         configMap:
           name: ca-pemstore
 
-    extraVolumeMounts: 
+    extraVolumeMounts:
       - name: ca-pemstore
         mountPath: /etc/ssl/certs/vault.pem
         subPath: vault.pem
         readOnly: true
 
-    resources: 
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m
+  #    resources:
+  #      requests:
+  #        memory: 32Mi
+  #        cpu: 10m
+  #      limits:
+  #        memory: 32Mi
+  #        cpu: 10m
 
   certController:
     create: false
@@ -74,7 +80,7 @@ external-secrets:
       pullPolicy: Always
       tag: ""
 
-    resources: 
+    resources:
       requests:
         memory: 32Mi
         cpu: 10m
@@ -82,12 +88,12 @@ external-secrets:
         memory: 32Mi
         cpu: 10m
 
-    extraVolumes: 
+    extraVolumes:
       - name: ca-pemstore
         configMap:
           name: ca-pemstore
 
-    extraVolumeMounts: 
+    extraVolumeMounts:
       - name: ca-pemstore
         mountPath: /etc/ssl/certs/vault.pem
         subPath: vault.pem

dmz/gitlab-runner/Chart.yaml

@@ -8,8 +8,8 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
   alias: personal

dmz/gitlab-runner/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: gitlab-secret
@@ -27,7 +27,7 @@ metadata:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: gitlab-secret-personal

dmz/internalproxy/templates/authentik.yaml

@@ -1,42 +1,40 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: authentik-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: infra-cluster
-      port: 443
-  tls:
-    secretName: authentik-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: authentik-tls
-spec:
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  secretName: authentik-tls
-  commonName: "authentik.durp.info"
-  dnsNames:
-  - "authentik.durp.info"
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: authentik-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: authentik-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+#      kind: Rule
+#      services:
+#        - name: infra-cluster
+#          port: 443
+#  tls:
+#    secretName: authentik-tls
+#
+#---
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: authentik-tls
+#spec:
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  secretName: authentik-tls
+#  commonName: "authentik.durp.info"
+#  dnsNames:
+#    - "authentik.durp.info"
+#
+#---
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: authentik-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/gitlab.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab
+spec:
+  ports:
+    - name: app
+      port: 9080
+      protocol: TCP
+      targetPort: 9080
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitlab
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9080
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitlab-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitlab
+          port: 9080
+          scheme: http
+  tls:
+    secretName: gitlab-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-tls
+spec:
+  secretName: gitlab-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitlab.durp.info"
+  dnsNames:
+    - "gitlab.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitlab-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/grafana.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: grafana-tls
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/invidious.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious
+spec:
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+    targetPort: 3000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: invidious
+subsets:
+- addresses:
+  - ip: 192.168.20.104
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: invidious-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`invidious.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: invidious
+      port: 3000
+  tls:
+    secretName: invidious-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: invidious-tls
+spec:
+  secretName: invidious-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "invidious.durp.info"
+  dnsNames:
+  - "invidious.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: invidious-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: invidious.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/n8n.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: n8n
+spec:
+  ports:
+    - name: app
+      port: 5678
+      protocol: TCP
+      targetPort: 5678
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: n8n
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 5678
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: n8n-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: n8n
+          port: 5678
+          scheme: http
+  tls:
+    secretName: n8n-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: n8n-tls
+spec:
+  secretName: n8n-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "n8n.durp.info"
+  dnsNames:
+    - "n8n.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: n8n-dns
+  annotations:
+    dns.alpha.kubernetes.io/hostname: n8n.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/octopus.yaml

@@ -15,7 +15,6 @@ spec:
     secretName: octopus-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -30,7 +29,6 @@ spec:
     - "octopus.durp.info"
 
 ---
-
 kind: Service
 apiVersion: v1
 metadata:

dmz/internalproxy/templates/ollama.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: ollama-secret

dmz/internalproxy/templates/redlib.yaml

@@ -1,74 +1,74 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: redlib
-spec:
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-    targetPort: 8082
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: redlib
-subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-
----    
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: redlib-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: redlib
-      port: 8082
-  tls:
-    secretName: redlib-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: redlib-tls
-spec:
-  secretName: redlib-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "redlib.durp.info"
-  dnsNames:
-  - "redlib.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: redlib-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: redlib
+#spec:
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#    targetPort: 8082
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: redlib
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: redlib-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik  
+#    kind: Rule
+#    services:
+#    - name: redlib
+#      port: 8082
+#  tls:
+#    secretName: redlib-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: redlib-tls
+#spec:
+#  secretName: redlib-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "redlib.durp.info"
+#  dnsNames:
+#  - "redlib.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: redlib-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/registry.yaml

@@ -4,29 +4,27 @@ metadata:
   name: registry
 spec:
   ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-    targetPort: 5000
+    - name: app
+      port: 5000
+      protocol: TCP
+      targetPort: 5000
   clusterIP: None
   type: ClusterIP
 
 ---
-
 apiVersion: v1
 kind: Endpoints
 metadata:
   name: registry
 subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-
----    
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 5000
+        protocol: TCP
 
+---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -35,16 +33,18 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`registry.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: registry
-      port: 5000
+    - match: Host(`registry.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      services:
+        - name: registry
+          port: 5000
   tls:
     secretName: registry-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -56,16 +56,15 @@ spec:
     kind: ClusterIssuer
   commonName: "registry.durp.info"
   dnsNames:
-  - "registry.durp.info"  
+    - "registry.durp.info"
 
 ---
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: registry-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: registry-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/speedtest.yaml

@@ -1,74 +1,74 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: speedtest
-spec:
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-    targetPort: 6580
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: speedtest
-subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-
----    
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: speedtest-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik 
-    services:
-    - name: speedtest
-      port: 6580
-  tls:
-    secretName: speedtest-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: speedtest-tls
-spec:
-  secretName: speedtest-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "speedtest.durp.info"
-  dnsNames:
-  - "speedtest.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: speedtest-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: speedtest
+#spec:
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#    targetPort: 6580
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: speedtest
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: speedtest-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+#    kind: Rule
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik 
+#    services:
+#    - name: speedtest
+#      port: 6580
+#  tls:
+#    secretName: speedtest-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: speedtest-tls
+#spec:
+#  secretName: speedtest-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "speedtest.durp.info"
+#  dnsNames:
+#  - "speedtest.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: speedtest-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/istio-system/Chart.yaml

@@ -8,10 +8,10 @@ appVersion: 0.0.1
 dependencies:
   - name: base
     repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
   - name: istiod
     repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
   - name: gateway
     repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2

dmz/longhorn/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: longhorn-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: longhorn
+  repository: https://charts.longhorn.io
+  version: 1.9.0

dmz/longhorn/templates/ingress.yaml

@@ -0,0 +1,34 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: longhorn-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: vault-issuer
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`longhorn.dmz.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: longhorn-frontend
+          port: 80
+  tls:
+    secretName: longhorn-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: longhorn-tls
+spec:
+  secretName: longhorn-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "longhorn.dmz.durp.info"
+  dnsNames:
+    - "longhorn.dmz.durp.info"

dmz/longhorn/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: external-longhorn-backup-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: longhorn-backup-token-secret
+  data:
+  - secretKey: AWS_ACCESS_KEY_ID
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ACCESS_KEY_ID
+  - secretKey: AWS_ENDPOINTS 
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ENDPOINTS 
+  - secretKey: AWS_SECRET_ACCESS_KEY
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_SECRET_ACCESS_KEY

dmz/longhorn/values.yaml

@@ -0,0 +1,192 @@
+longhorn: 
+  global:
+    cattle:
+      systemDefaultRegistry: ""
+  
+  image:
+    longhorn:
+      engine:
+        repository: longhornio/longhorn-engine
+      manager:
+        repository: longhornio/longhorn-manager
+      ui:
+        repository: longhornio/longhorn-ui
+      instanceManager:
+        repository: longhornio/longhorn-instance-manager
+      shareManager:
+        repository: longhornio/longhorn-share-manager
+      backingImageManager:
+        repository: longhornio/backing-image-manager
+    csi:
+      attacher:
+        repository: longhornio/csi-attacher
+      provisioner:
+        repository: longhornio/csi-provisioner
+      nodeDriverRegistrar:
+        repository: longhornio/csi-node-driver-registrar
+      resizer:
+        repository: longhornio/csi-resizer
+      snapshotter:
+        repository: longhornio/csi-snapshotter
+    pullPolicy: Always
+  
+  service:
+    ui:
+      type: ClusterIP
+      nodePort: null
+    manager:
+      type: ClusterIP
+      nodePort: ""
+      loadBalancerIP: ""
+      loadBalancerSourceRanges: ""
+  
+  persistence:
+    defaultClass: true
+    defaultFsType: ext4
+    defaultClassReplicaCount: 3
+    defaultDataLocality: disabled # best-effort otherwise
+    reclaimPolicy: Delete
+    migratable: false
+    recurringJobSelector:
+      enable: true
+      jobList: '[
+          {
+            "name":"backup", 
+            "task":"backup", 
+            "cron":"0 0 * * *", 
+            "retain":24
+          }
+        ]'
+    backingImage:
+      enable: false
+      name: ~
+      dataSourceType: ~
+      dataSourceParameters: ~
+      expectedChecksum: ~
+  
+  csi:
+    kubeletRootDir: ~
+    attacherReplicaCount: ~
+    provisionerReplicaCount: ~
+    resizerReplicaCount: ~
+    snapshotterReplicaCount: ~
+  
+  defaultSettings:
+    backupTarget: S3://longhorn-master@us-east-1/
+    backupTargetCredentialSecret: longhorn-backup-token-secret
+    allowRecurringJobWhileVolumeDetached: ~
+    createDefaultDiskLabeledNodes: ~
+    defaultDataPath: ~
+    defaultDataLocality: ~
+    replicaSoftAntiAffinity: ~
+    replicaAutoBalance: ~
+    storageOverProvisioningPercentage: ~
+    storageMinimalAvailablePercentage: ~
+    upgradeChecker: ~
+    defaultReplicaCount: ~
+    defaultLonghornStaticStorageClass: longhorn
+    backupstorePollInterval: ~
+    taintToleration: ~
+    systemManagedComponentsNodeSelector: ~
+    priorityClass: ~
+    autoSalvage: ~
+    autoDeletePodWhenVolumeDetachedUnexpectedly: ~
+    disableSchedulingOnCordonedNode: ~
+    replicaZoneSoftAntiAffinity: ~
+    nodeDownPodDeletionPolicy: ~
+    allowNodeDrainWithLastHealthyReplica: ~
+    mkfsExt4Parameters: ~
+    disableReplicaRebuild: ~
+    replicaReplenishmentWaitInterval: ~
+    concurrentReplicaRebuildPerNodeLimit: ~
+    disableRevisionCounter: ~
+    systemManagedPodsImagePullPolicy: ~
+    allowVolumeCreationWithDegradedAvailability: ~
+    autoCleanupSystemGeneratedSnapshot: ~
+    concurrentAutomaticEngineUpgradePerNodeLimit: ~
+    backingImageCleanupWaitInterval: ~
+    backingImageRecoveryWaitInterval: ~
+    guaranteedEngineManagerCPU: ~
+    guaranteedReplicaManagerCPU: ~
+    kubernetesClusterAutoscalerEnabled: ~
+    orphanAutoDeletion: ~
+    storageNetwork: ~
+  privateRegistry:
+    createSecret: ~
+    registryUrl: ~
+    registryUser: ~
+    registryPasswd: ~
+    registrySecret: ~
+  
+  longhornManager:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornDriver:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornUI:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  resources: {}
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    # limits:
+    #  cpu: 100m
+    #  memory: 128Mi
+    # requests:
+    #  cpu: 100m
+    #  memory: 128Mi
+    #
+  
+  ingress:
+    enabled: false
+  
+  ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
+  ## and its release namespace is not the `longhorn-system`
+  namespaceOverride: ""
+  
+  # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
+  annotations: {}
+  
+  serviceAccount:
+    # Annotations to add to the service account
+    annotations: {}
+  

dmz/metallb-system/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
   repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2

dmz/openspeedtest/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: openspeedtest
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

dmz/openspeedtest/templates/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: openspeedtest
+  name: openspeedtest
+  labels:
+    app: openspeedtest
+spec:
+  selector:
+    matchLabels:
+      app: openspeedtest
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: openspeedtest
+    spec:
+      containers:
+      - name: openspeedtest
+        image: registry.durp.info/openspeedtest/latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 3000
+        env:
+        ports:
+        - name: http
+          containerPort: 3000

dmz/openspeedtest/templates/ingress.yaml

@@ -0,0 +1,56 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: openspeedtest-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    - name: limit-buffering
+    services:
+    - name: openspeedtest
+      port: 3000
+  tls:
+    secretName: openspeedtest-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: openspeedtest-tls
+spec:
+  secretName: openspeedtest-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "speedtest.durp.info"
+  dnsNames:
+  - "speedtest.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: openspeedtest-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: limit-buffering
+spec:
+  buffering:
+    maxRequestBodyBytes: 10000000000

dmz/openspeedtest/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: openspeedtest
+spec:
+  ports:
+  - name: http
+    port: 3000
+    targetPort: 3000
+    protocol: TCP 
+  selector:
+    app: openspeedtest

dmz/redlib/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: redlib
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

dmz/redlib/templates/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: redlib
+  name: redlib
+  labels:
+    app: redlib
+spec:
+  selector:
+    matchLabels:
+      app: redlib
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        app: redlib
+    spec:
+      containers:
+      - name: redlib
+        image: registry.durp.info/redlib/redlib:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        env:
+        ports:
+        - name: http
+          containerPort: 8080

dmz/redlib/templates/ingress.yaml

@@ -0,0 +1,43 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: redlib-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: redlib
+          port: 8080
+  tls:
+    secretName: redlib-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: redlib-tls
+spec:
+  secretName: redlib-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "redlib.durp.info"
+  dnsNames:
+    - "redlib.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: redlib-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/redlib/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redlib
+spec:
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+    protocol: TCP 
+  selector:
+    app: redlib

dmz/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
     }
   }
 }

dmz/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0

dmz/traefik/templates/middleware.yaml

@@ -1,11 +1,11 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-    name: authentik-proxy-provider
-    namespace: traefik
+  name: authentik-proxy-provider
+  namespace: traefik
 spec:
   forwardAuth:
-    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
+    address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
     trustForwardHeader: true
     authResponseHeaders:
       - X-authentik-username
@@ -21,7 +21,6 @@ spec:
       - X-authentik-meta-version
 
 ---
-
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -33,3 +32,23 @@ spec:
       - 192.168.0.0/16
       - 172.16.0.0/12
       - 10.0.0.0/8
+
+---
+#apiVersion: traefik.io/v1alpha1
+#kind: Middleware
+#metadata:
+#  name: bouncer
+#  namespace: traefik
+#spec:
+#  plugin:
+#    bouncer:
+#      enabled: true
+#      crowdsecMode: stream
+#      crowdsecLapiScheme: https
+#      crowdsecLapiTLSInsecureVerify: true
+#      crowdsecLapiHost: crowdsec-service.crowdsec:8080
+#      crowdsecLapiKey:
+#        valueFrom:
+#          secretKeyRef:
+#            name: crowdsec-lapi-key
+#            key: lapi-key

dmz/traefik/templates/secrets.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: crowdsec-lapi-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: crowdsec-lapi-key
+  data:
+    - secretKey: lapi-key
+      remoteRef:
+        key: kv/crowdsec/api
+        property: key
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/traefik/templates/traefik-dashboard.yaml

@@ -1,34 +1,35 @@
-#apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
-#metadata:
-#  name: traefik-ingress
-#spec:
-#  entryPoints:
-#    - websecure
-#  routes:
-#  - match: Host(`traefik.durp.info`)
-#    kind: Rule
-#    services:
-#    - name: api@internal
-#      kind: TraefikService
-#  tls:
-#    secretName: traefik-tls  
-#
-#---
-#
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-#  name: traefik-tls
-#  namespace: traefik
-#spec:
-#  secretName: traefik-tls
-#  issuerRef:
-#    name: letsencrypt-production
-#    kind: ClusterIssuer
-#  commonName: "traefik.durp.info"
-#  dnsNames:
-#  - "traefik.durp.info"
-#
-#---
-#
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik.dmz.durp.info`)
+      kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls:
+    secretName: traefik-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-tls
+  namespace: traefik
+spec:
+  secretName: traefik-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "traefik.dmz.durp.info"
+  dnsNames:
+    - "traefik.dmz.durp.info"

dmz/traefik/values.yaml

@@ -1,10 +1,10 @@
 traefik:
-  image: 
+  image:
     #    registry: registry.durp.info
     #    repository: traefik
     pullPolicy: Always
-  
-  providers:  
+
+  providers:
     kubernetesCRD:
       allowCrossNamespace: true
       allowExternalNameServices: true
@@ -18,40 +18,41 @@ traefik:
   #   - name: traefik-configmap
   #     mountPath: "/config"
   #     type: configMap
-  
+
   ingressRoute:
     dashboard:
       enabled: true
-  
-  additionalArguments: 
+
+  additionalArguments:
     #  - "--providers.file.filename=/config/config.yml"
     - "--serversTransport.insecureSkipVerify=true"
     - "--log.level=DEBUG"
     - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
     - --experimental.plugins.jwt.version=v0.7.0
-  
+    - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+    - --experimental.plugins.bouncer.version=v1.4.2
+
   autoscaling:
     enabled: true
     minReplicas: 3
     maxReplicas: 10
     metrics:
-    - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: 80
+      - type: Resource
+        resource:
+          name: cpu
+          target:
+            type: Utilization
+            averageUtilization: 80
     behavior:
       scaleDown:
         stabilizationWindowSeconds: 300
         policies:
-        - type: Pods
-          value: 1
-          periodSeconds: 60
-  
-  
+          - type: Pods
+            value: 1
+            periodSeconds: 60
+
   # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
-  resources: 
+  resources:
     requests:
       cpu: "100m"
       memory: "512Mi"

dmz/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
 

dmz/vault/templates/secret-store.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: vault

infra/argocd/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1
+  version: 8.1.3

infra/argocd/templates/argocd-crossplane.yaml

@@ -0,0 +1,101 @@
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: argocd-secret-crossplane
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: argocd-secret-crossplane
+#  data:
+#    - secretKey: authToken
+#      remoteRef:
+#        key: kv/argocd/provider-argocd
+#        property: token
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: prod-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: prod-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/prd
+#        property: kubeconfig
+#
+#---
+#apiVersion: argocd.crossplane.io/v1alpha1
+#kind: ProviderConfig
+#metadata:
+#  name: argocd-provider
+#spec:
+#  serverAddr: argocd-server.argocd.svc:443
+#  insecure: true
+#  plainText: false
+#  credentials:
+#    source: Secret
+#    secretRef:
+#      namespace: argocd
+#      name: argocd-secret-crossplane
+#      key: authToken
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: prd
+#  labels:
+#    purpose: prd
+#spec:
+#  forProvider:
+#    name: prd
+#    config:
+#      kubeconfigSecretRef:
+#        name: prod-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: dev-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: dev-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/dev
+#        property: kubeconfig
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: dev
+#  labels:
+#    purpose: dev
+#spec:
+#  forProvider:
+#    name: dev
+#    config:
+#      kubeconfigSecretRef:
+#        name: dev-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider

infra/argocd/templates/argocd.yaml

@@ -21,7 +21,7 @@ spec:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: vault-argocd

infra/argocd/templates/authentik.yaml

@@ -18,12 +18,11 @@ spec:
     #    istio-injection: enabled
     automated:
       prune: true
-      selfHeal: true  
+      selfHeal: true
     syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
 
 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -41,7 +40,6 @@ spec:
   syncPolicy:
     automated:
       prune: true
-      selfHeal: true  
+      selfHeal: true
     syncOptions:
-      - CreateNamespace=true 
-
+      - CreateNamespace=true

infra/argocd/templates/crowdsec.yaml

@@ -0,0 +1,20 @@
+#apiVersion: argoproj.io/v1alpha1
+#kind: Application
+#metadata:
+#  name: crowdsec
+#  namespace: argocd
+#spec:
+#  project: default
+#  source:
+#    repoURL: https://gitlab.com/developerdurp/homelab.git
+#    targetRevision: main
+#    path: dmz/crowdsec
+#  destination:
+#    namespace: crowdsec
+#    name: dmz
+#  syncPolicy:
+#    automated:
+#      prune: true
+#      selfHeal: true
+#    syncOptions:
+#      - CreateNamespace=true

infra/argocd/templates/istio.yaml

@@ -18,17 +18,16 @@ spec:
         topology.istio.io/network: network1
     automated:
       prune: true
-      selfHeal: true  
+      selfHeal: true
     syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
   ignoreDifferences:
-  - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
-    jsonPointers:
-    - /webhooks/0/failurePolicy
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jsonPointers:
+        - /webhooks/0/failurePolicy
 
 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -53,7 +52,7 @@ spec:
     syncOptions:
       - CreateNamespace=true
   ignoreDifferences:
-  - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
-    jsonPointers:
-    - /webhooks/0/failurePolicy
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jsonPointers:
+        - /webhooks/0/failurePolicy

infra/argocd/templates/kube-prometheus-stack.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-stack
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/kube-prometheus-stack
+  destination:
+    namespace: kube-prometheus-stack
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/longhorn.yaml

@@ -15,7 +15,33 @@ spec:
   syncPolicy:
     automated:
       prune: true
-      selfHeal: true  
+      selfHeal: true
     syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
+  ignoreDifferences:
+    - group: engineimages.longhorn.io
+      jsonPointers:
+        - /spec/preserveUnknownFields
+      kind: CustomResourceDefinition
 
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: longhorn-system-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/longhorn
+  destination:
+    namespace: longhorn-system
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/octopusdeploy.yaml

@@ -20,7 +20,6 @@ spec:
       - CreateNamespace=true
 
 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -33,7 +32,7 @@ spec:
     targetRevision: main
     path: infra/octopus-agent
   destination:
-    namespace: octpus-agent
+    namespace: octopus-agent
     name: in-cluster
   syncPolicy:
     automated:
@@ -41,4 +40,3 @@ spec:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
-

infra/argocd/templates/openspeedtest.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openspeedtest
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/openspeedtest
+    directory:
+      recurse: true
+  destination:
+    name: dmz
+    namespace: openspeedtest
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/redlib.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: redlib
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/redlib
+    directory:
+      recurse: true
+  destination:
+    name: dmz
+    namespace: redlib
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/values.yaml

@@ -1,27 +1,26 @@
 argo-cd:
-
   global:
     revisionHistoryLimit: 1
     image:
       repository: registry.durp.info/argoproj/argocd
       imagePullPolicy: Always
 
-  server:
-    #extraArgs:
-    #  - --dex-server-plaintext
-    #  - --dex-server=argocd-dex-server:5556
-    # oidc.config: |
-    #   name: AzureAD
-    #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
-    #   clientID: CLIENT_ID
-    #   clientSecret: $oidc.azuread.clientSecret
-    #   requestedIDTokenClaims:
-    #     groups:
-    #       essential: true
-    #   requestedScopes:
-    #     - openid
-    #     - profile
-    #     - email
+  #server:
+  #extraArgs:
+  #  - --dex-server-plaintext
+  #  - --dex-server=argocd-dex-server:5556
+  # oidc.config: |
+  #   name: AzureAD
+  #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
+  #   clientID: CLIENT_ID
+  #   clientSecret: $oidc.azuread.clientSecret
+  #   requestedIDTokenClaims:
+  #     groups:
+  #       essential: true
+  #   requestedScopes:
+  #     - openid
+  #     - profile
+  #     - email
 
   dex:
     enabled: true
@@ -35,6 +34,7 @@ argo-cd:
       annotations: {}
       url: https://argocd.infra.durp.info
       oidc.tls.insecure.skip.verify: "true"
+      accounts.provider-argocd: apiKey
       dex.config: |
         connectors:
           - config:
@@ -50,13 +50,15 @@ argo-cd:
             name: authentik
             type: oidc
             id: authentik
+      resource.exclusions: ""
 
     rbac:
       create: true
       policy.csv: |
         g, ArgoCD Admins, role:admin
+        g, provider-argocd, role:admin
       scopes: "[groups]"
 
   server:
-    route: 
-      enabled: false
+    route:
+      enabled: false

infra/authentik/Chart.yaml

@@ -7,6 +7,7 @@ version: 0.1.0
 appVersion: "1.16.0"
 
 dependencies:
-- name: authentik
-  repository: https://charts.goauthentik.io
-  version: 2024.8.3
+  - name: authentik
+    repository: https://charts.goauthentik.io
+    version: 2025.4.1
+

infra/authentik/templates/ingress.yaml

@@ -6,16 +6,20 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: authentik-server
-      port: 80
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: authentik-server
+          port: 80
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
+      kind: Rule
+      services:
+        - name: ak-outpost-authentik-embedded-outpost
+          port: 9000
   tls:
     secretName: authentik-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -27,5 +31,4 @@ spec:
     kind: ClusterIssuer
   commonName: "authentik.durp.info"
   dnsNames:
-  - "authentik.durp.info" 
-
+    - "authentik.durp.info"

infra/authentik/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: authentik-secret

infra/authentik/values.yaml

@@ -1,6 +1,8 @@
 authentik:
   global:
-    env: 
+    security:
+      allowInsecureImages: true
+    env:
       - name: AUTHENTIK_POSTGRESQL__PASSWORD
         valueFrom:
           secretKeyRef:
@@ -19,7 +21,7 @@ authentik:
     outposts:
       container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s
     postgresql:
-      host: '{{ .Release.Name }}-postgresql-hl'
+      host: "{{ .Release.Name }}-postgresql-hl"
       name: "authentik"
       user: "authentik"
       port: 5432
@@ -36,7 +38,7 @@ authentik:
       pullPolicy: Always
     postgresqlUsername: "authentik"
     postgresqlDatabase: "authentik"
-    existingSecret: db-pass 
+    existingSecret: db-pass
     persistence:
       enabled: true
       storageClass: longhorn
@@ -47,7 +49,7 @@ authentik:
     enabled: true
     master:
       persistence:
-        enabled: false    
+        enabled: false
     image:
       registry: registry.durp.info
       repository: bitnami/redis

infra/bitwarden/templates/deployment.yaml

@@ -16,35 +16,35 @@ spec:
         app: bitwarden
     spec:
       containers:
-      - name: bitwarden
-        image: registry.durp.info/vaultwarden/server:1.32.7
-        imagePullPolicy: Always
-        volumeMounts:
-        - name: bitwarden-pvc
-          mountPath: /data
-          subPath: bitwaren-data              
-        ports:
-        - name: http
-          containerPort: 80
-        env:
-          - name: SIGNUPS_ALLOWED
-            value: "FALSE"
-          - name: INVITATIONS_ALLOWED
-            value: "FALSE"                      
-          - name: WEBSOCKET_ENABLED
-            value: "TRUE"          
-          - name: ROCKET_ENV
-            value: "staging"              
-          - name: ROCKET_PORT
-            value: "80"            
-          - name: ROCKET_WORKERS
-            value: "10"
-          - name: SECRET_USERNAME
-            valueFrom:
-              secretKeyRef:
-                name: bitwarden-secret
-                key: ADMIN_TOKEN
+        - name: bitwarden
+          image: registry.durp.info/vaultwarden/server:1.34.3
+          imagePullPolicy: Always
+          volumeMounts:
+            - name: bitwarden-pvc
+              mountPath: /data
+              subPath: bitwaren-data
+          ports:
+            - name: http
+              containerPort: 80
+          env:
+            - name: SIGNUPS_ALLOWED
+              value: "FALSE"
+            - name: INVITATIONS_ALLOWED
+              value: "FALSE"
+            - name: WEBSOCKET_ENABLED
+              value: "TRUE"
+            - name: ROCKET_ENV
+              value: "staging"
+            - name: ROCKET_PORT
+              value: "80"
+            - name: ROCKET_WORKERS
+              value: "10"
+            - name: SECRET_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: bitwarden-secret
+                  key: ADMIN_TOKEN
       volumes:
-      - name: bitwarden-pvc
-        persistentVolumeClaim:
-          claimName: bitwarden-pvc             
+        - name: bitwarden-pvc
+          persistentVolumeClaim:
+            claimName: bitwarden-pvc

infra/bitwarden/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: bitwarden-secret

infra/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2

infra/cert-manager/templates/secretvault.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: cloudflare-api-token-secret

infra/external-secrets/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 0.15.0
+  version: 0.17.0

infra/external-secrets/values.yaml

@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
+    security:
+      allowInsecureImages: true
+
+  log:
+    level: debug
+  replicaCount: 1
   revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false
 
   installCRDs: true
   crds:
@@ -16,24 +22,24 @@ external-secrets:
     repository: registry.durp.info/external-secrets/external-secrets
     pullPolicy: Always
 
-  extraVolumes: 
+  extraVolumes:
     - name: ca-pemstore
       configMap:
         name: ca-pemstore
 
-  extraVolumeMounts: 
+  extraVolumeMounts:
     - name: ca-pemstore
       mountPath: /etc/ssl/certs/vault.pem
       subPath: vault.pem
       readOnly: true
 
-  resources: 
-    requests:
-      memory: 32Mi
-      cpu: 10m
-    limits:
-      memory: 32Mi
-      cpu: 10m
+  #  resources:
+  #    requests:
+  #      memory: 32Mi
+  #      cpu: 10m
+  #    limits:
+  #      memory: 32Mi
+  #      cpu: 10m
 
   webhook:
     log:
@@ -42,13 +48,13 @@ external-secrets:
       repository: registry.durp.info/external-secrets/external-secrets
       pullPolicy: Always
 
-    resources: 
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m
+  #    resources:
+  #      requests:
+  #        memory: 32Mi
+  #        cpu: 10m
+  #      limits:
+  #        memory: 32Mi
+  #        cpu: 10m
 
   certController:
     create: false
@@ -61,7 +67,7 @@ external-secrets:
       pullPolicy: Always
       tag: ""
 
-    resources: 
+    resources:
       requests:
         memory: 32Mi
         cpu: 10m

infra/istio-system/Chart.yaml

@@ -8,10 +8,10 @@ appVersion: 0.0.1
 dependencies:
 - name: base
   repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
 - name: istiod
   repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
 - name: gateway
   repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2

infra/kube-prometheus-stack/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: kube-prometheus-stack
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+  - name: kube-prometheus-stack
+    repository: https://prometheus-community.github.io/helm-charts
+    version: 77.10.0

infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-grafana-oauth
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: grafana-oauth
+  data:
+    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+      remoteRef:
+        key: kv/grafana/oauth
+        property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+      remoteRef:
+        key: kv/grafana/oauth
+        property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-admin-credentials
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: grafana-admin-credentials
+  data:
+    - secretKey: admin-password
+      remoteRef:
+        key: kv/grafana/admin
+        property: password
+    - secretKey: admin-user
+      remoteRef:
+        key: kv/grafana/admin
+        property: user

infra/kube-prometheus-stack/templates/ingress.yaml

@@ -0,0 +1,77 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: grafana
+          port: 80
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  secretName: grafana-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: alertmanager-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+        - name: authentik-proxy-provider
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: prometheus-alertmanager
+          port: 9093
+  tls:
+    secretName: alertmanager-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: alertmanager-tls
+spec:
+  secretName: alertmanager-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "alertmanager.durp.info"
+  dnsNames:
+    - "alertmanager.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+

infra/kube-prometheus-stack/values.yaml

@@ -0,0 +1,203 @@
+kube-prometheus-stack:
+  fullnameOverride: prometheus
+
+  defaultRules:
+    create: true
+    rules:
+      alertmanager: true
+      etcd: true
+      configReloaders: true
+      general: true
+      k8s: true
+      kubeApiserverAvailability: true
+      kubeApiserverBurnrate: true
+      kubeApiserverHistogram: true
+      kubeApiserverSlos: true
+      kubelet: true
+      kubeProxy: true
+      kubePrometheusGeneral: true
+      kubePrometheusNodeRecording: true
+      kubernetesApps: true
+      kubernetesResources: true
+      kubernetesStorage: true
+      kubernetesSystem: true
+      kubeScheduler: true
+      kubeStateMetrics: true
+      network: true
+      node: true
+      nodeExporterAlerting: true
+      nodeExporterRecording: true
+      prometheus: true
+      prometheusOperator: true
+
+  alertmanager:
+    fullnameOverride: alertmanager
+    enabled: true
+    ingress:
+      enabled: false
+  grafana:
+    enabled: true
+    fullnameOverride: grafana
+    forceDeployDatasources: false
+    forceDeployDashboards: false
+    defaultDashboardsEnabled: true
+    defaultDashboardsTimezone: utc
+    plugins:
+      - grafana-polystat-panel
+    serviceMonitor:
+      enabled: true
+    admin:
+      existingSecret: grafana-admin-credentials
+      userKey: admin-user
+      passwordKey: admin-password
+    ingress:
+      enabled: false
+    grafana.ini:
+      server:
+        root_url: https://grafana.durp.info
+      auth.generic_oauth:
+        enabled: true
+        scopes: openid profile email
+        auth_url: https://authentik.durp.info/application/o/authorize/
+        token_url: https://authentik.durp.info/application/o/token/
+        api_url: https://authentik.durp.info/application/o/userinfo/
+    envFromSecret: "grafana-oauth"
+
+  kubeApiServer:
+    enabled: true
+
+  kubelet:
+    enabled: true
+    serviceMonitor:
+      metricRelabelings:
+        - action: replace
+          sourceLabels:
+            - node
+          targetLabel: instance
+
+  kubeControllerManager:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+
+  coreDns:
+    enabled: false
+
+  kubeDns:
+    enabled: false
+
+  kubeEtcd:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+    service:
+      enabled: true
+      port: 2381
+      targetPort: 2381
+
+  kubeScheduler:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+
+  kubeProxy:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+
+  kubeStateMetrics:
+    enabled: true
+
+  kube-state-metrics:
+    fullnameOverride: kube-state-metrics
+    selfMonitor:
+      enabled: true
+    prometheus:
+      monitor:
+        enabled: true
+        relabelings:
+          - action: replace
+            regex: (.*)
+            replacement: $1
+            sourceLabels:
+              - __meta_kubernetes_pod_node_name
+            targetLabel: kubernetes_node
+
+  nodeExporter:
+    enabled: true
+    serviceMonitor:
+      relabelings:
+        - action: replace
+          regex: (.*)
+          replacement: $1
+          sourceLabels:
+            - __meta_kubernetes_pod_node_name
+          targetLabel: kubernetes_node
+
+  prometheus-node-exporter:
+    fullnameOverride: node-exporter
+    podLabels:
+      jobLabel: node-exporter
+    extraArgs:
+      - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
+      - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
+    service:
+      portName: http-metrics
+    prometheus:
+      monitor:
+        enabled: true
+        relabelings:
+          - action: replace
+            regex: (.*)
+            replacement: $1
+            sourceLabels:
+              - __meta_kubernetes_pod_node_name
+            targetLabel: kubernetes_node
+    resources:
+      requests:
+        memory: 512Mi
+        cpu: 250m
+      limits:
+        memory: 2048Mi
+
+  prometheusOperator:
+    enabled: true
+    prometheusConfigReloader:
+      resources:
+        requests:
+          cpu: 200m
+          memory: 50Mi
+        limits:
+          memory: 100Mi
+
+  prometheus:
+    enabled: true
+    prometheusSpec:
+      replicas: 1
+      replicaExternalLabelName: "replica"
+      ruleSelectorNilUsesHelmValues: false
+      serviceMonitorSelectorNilUsesHelmValues: false
+      podMonitorSelectorNilUsesHelmValues: false
+      probeSelectorNilUsesHelmValues: false
+      retention: 6h
+      enableAdminAPI: true
+      walCompression: true
+      storageSpec:
+        volumeClaimTemplate:
+          spec:
+            storageClassName: longhorn
+            accessModes: ["ReadWriteMany"]
+            resources:
+              requests:
+                storage: 20Gi
+
+  thanosRuler:
+    enabled: false

infra/longhorn/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
   repository: https://charts.longhorn.io
-  version: 1.7.2
+  version: 1.9.0

infra/longhorn/templates/ingress.yaml

@@ -3,21 +3,23 @@ kind: IngressRoute
 metadata:
   name: longhorn-ingress
   annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
+    cert-manager.io/cluster-issuer: vault-issuer
 spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: longhorn-frontend
-      port: 80
+    - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: longhorn-frontend
+          port: 80
   tls:
     secretName: longhorn-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

infra/longhorn/templates/secrets.yaml

@@ -5,7 +5,7 @@ metadata:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: external-longhorn-backup-token-secret

infra/metallb-system/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
   repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2

infra/nebula-sync/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: nebula-sync-secret

infra/octopus-agent/templates/secret.yaml

@@ -5,7 +5,7 @@ metadata:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: agent-token

infra/octopus-agent/values.yaml

@@ -4,7 +4,9 @@ kubernetes-agent:
     acceptEula: "Y"
     serverUrl: "https://octopus.durp.info/"
     serverCommsAddresses:
-      - "https://octopusdeploy-octopus-deploy.octopusdeploy.svc.cluster.local:10943/"
+      - "https://octopus-deploy-node0.octopusdeploy.svc.cluster.local:10943/"
+      - "https://octopus-deploy-node1.octopusdeploy.svc.cluster.local:10943/"
+      - "https://octopus-deploy-node2.octopusdeploy.svc.cluster.local:10943/"
     space: "Default"
     name: "infra"
     deploymentTarget:

infra/octopusdeploy/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
   - name: octopusdeploy-helm
     repository: oci://ghcr.io/octopusdeploy
-    version: 1.3.1
+    version: 1.7.0

infra/octopusdeploy/templates/secrets.yaml

@@ -4,8 +4,7 @@ metadata:
   name: vault
 
 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: octopusdeploy-adminpassword
@@ -22,8 +21,7 @@ spec:
         property: adminpassword
 
 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: octopusdeploy-adminusername
@@ -40,8 +38,7 @@ spec:
         property: adminusername
 
 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: octopusdeploy-connectionstring
@@ -58,8 +55,7 @@ spec:
         property: connectionstring
 
 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: octopusdeploy-masterkey
@@ -76,8 +72,7 @@ spec:
         property: masterkey
 
 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: octopusdeploy-sapassword
@@ -92,3 +87,20 @@ spec:
       remoteRef:
         key: kv/octopusdeploy
         property: sapassword
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: octopusdeploy-licensekey
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: octopusdeploy-licensekey
+  data:
+    - secretKey: secret
+      remoteRef:
+        key: kv/octopusdeploy
+        property: licensekey

infra/octopusdeploy/values.yaml

@@ -2,7 +2,7 @@ octopusdeploy-helm:
   octopus:
     image:
       repository: registry.durp.info/octopusdeploy/octopusdeploy
-      tag: 2025.1
+      tag: 2025.3
     createSecrets: false
     acceptEula: Y
     replicaCount: 3

infra/openclarity/templates/secret.yaml

@@ -5,7 +5,7 @@ metadata:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: openclarity-postgres-secret

infra/openclarity/values.yaml

@@ -317,7 +317,7 @@ openclarity:
       # -- Gateway service container repository
       repository: nginxinc/nginx-unprivileged
       # -- Gateway service container tag
-      tag: 1.27.3
+      tag: 1.29.0
       # -- Gateway image digest. If set will override the tag.
       digest: ""
       # -- Gateway service container pull policy
@@ -542,7 +542,7 @@ openclarity:
       # -- Trivy Server container repository
       repository: aquasec/trivy
       # -- Trivy Server container tag
-      tag: 0.58.2
+      tag: 0.64.1
       # -- Trivy Server image digest. If set will override the tag.
       digest: ""
       # -- Trivy Server image pull policy
@@ -719,7 +719,7 @@ openclarity:
       # -- Swagger UI container repository
       repository: swaggerapi/swagger-ui
       # -- Swagger UI container tag
-      tag: v5.18.2
+      tag: v5.26.2
       # -- Swagger UI image digest. If set will override the tag.
       digest: ""
       # -- Swagger UI image pull policy

infra/renovate/templates/secrets.yaml

@@ -4,8 +4,7 @@ metadata:
   name: vault
 
 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: renovate-config-secret
@@ -16,7 +15,27 @@ spec:
   target:
     name: renovate-config-secret
   data:
-    - secretKey: renovate-config-secret
+    - secretKey: renovate.json
       remoteRef:
         key: kv/renovate
         property: config
+    - secretKey: RENOVATE_AUTODISCOVER
+      remoteRef:
+        key: kv/renovate
+        property: RENOVATE_AUTODISCOVER
+    - secretKey: RENOVATE_ENDPOINT
+      remoteRef:
+        key: kv/renovate
+        property: RENOVATE_ENDPOINT
+    - secretKey: RENOVATE_GIT_AUTHOR
+      remoteRef:
+        key: kv/renovate
+        property: RENOVATE_GIT_AUTHOR
+    - secretKey: RENOVATE_PLATFORM
+      remoteRef:
+        key: kv/renovate
+        property: RENOVATE_PLATFORM
+    - secretKey: RENOVATE_TOKEN
+      remoteRef:
+        key: kv/renovate
+        property: RENOVATE_TOKEN

infra/renovate/values.yaml

@@ -5,20 +5,20 @@ renovate:
     compatibility:
       openshift:
         # --  Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: `auto` (apply if the detected running cluster is Openshift), `force` (perform the adaptation always), `disabled` (do not perform adaptation)
-        adaptSecurityContext: 'auto'
+        adaptSecurityContext: "auto"
 
   # -- Override the name of the chart
-  nameOverride: ''
+  nameOverride: ""
   # -- Override the fully qualified app name
-  fullnameOverride: ''
+  fullnameOverride: ""
   # -- Annotations to add to secret
   secretAnnotations: {}
 
   cronjob:
     # -- Schedules the job to run using cron notation
-    schedule: '0 1 * * *'  # At 01:00 every day
+    schedule: "0 1 * * *" # At 01:00 every day
     # -- You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones>
-    timeZone: ''  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names
+    timeZone: "" # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names
     # -- If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions.
     suspend: false
     # -- Annotations to set on the cronjob
@@ -26,48 +26,47 @@ renovate:
     # -- Labels to set on the cronjob
     labels: {}
     # -- "Allow" to allow concurrent runs, "Forbid" to skip new runs if a previous run is still running or "Replace" to replace the previous run
-    concurrencyPolicy: ''
+    concurrencyPolicy: ""
     # -- "Number of successful completions is reached to mark the job as complete"
-    completions: ''
+    completions: ""
     # -- "Where the jobs should be NonIndexed or Indexed"
-    completionMode: ''
+    completionMode: ""
     # -- Amount of failed jobs to keep in history
-    failedJobsHistoryLimit: ''
+    failedJobsHistoryLimit: ""
     # -- Amount of completed jobs to keep in history
-    successfulJobsHistoryLimit: ''
+    successfulJobsHistoryLimit: ""
     # -- Set to Never to restart the job when the pod fails or to OnFailure to restart when a container fails
     jobRestartPolicy: Never
     # -- Time to keep the job after it finished before automatically deleting it
-    ttlSecondsAfterFinished: ''
+    ttlSecondsAfterFinished: ""
     # -- Deadline for the job to finish
-    activeDeadlineSeconds: ''
+    activeDeadlineSeconds: ""
     # -- Number of times to retry running the pod before considering the job as being failed
-    jobBackoffLimit: ''
+    jobBackoffLimit: ""
     # -- Maximal number of failures per index
-    backoffLimitPerIndex: ''
+    backoffLimitPerIndex: ""
     # -- Maximal number of failed indexes before terminating the Job execution
-    maxFailedIndexes: ''
+    maxFailedIndexes: ""
     # -- Deadline to start the job, skips execution if job misses it's configured deadline
-    startingDeadlineSeconds: ''
+    startingDeadlineSeconds: ""
     # -- Additional initContainers that can be executed before renovate
     initContainers: []
     # initContainers:
     # - name: INIT_CONTAINER_NAME
     #   image: INIT_CONTAINER_IMAGE
     # -- Number of pods to run in parallel
-    parallelism: ''
+    parallelism: ""
     # -- Custom command to run in the container
     commandOverride: []
     # -- Custom arguments to run in the container
     argsOverride: []
     # -- Prepend shell commands before renovate runs
-    preCommand: ''
-    # preCommand: |
-    #   echo hello
-    #   echo world
+    #preCommand: ''
+    #preCommand: |
+    #  ls /config
+    #  cat /config/renovate.json
 
-    # -- Append shell commands after renovate runs
-    postCommand: ''
+    postCommand: ""
     # postCommand: |
     #   echo hello
     #   echo world
@@ -95,9 +94,18 @@ renovate:
 
   renovate:
     # -- Custom exiting global renovate config
-    existingConfigFile: '/renovate.json'
+    #existingConfigFile: "/config/renovate.json"
     # -- Inline global renovate config.json
-    config: ''
+    config: |
+      {
+        "platform": "gitlab",
+        "endpoint": "https://gitlab.com/api/v4",
+        "autodiscover": "true",
+        "dryRun": false,
+        "printConfig": false,
+        "autodiscoverFilter": ["developerdurp/*", "durfy/*"],
+        "assignees": ["developerdurp"],
+      }
     # See https://docs.renovatebot.com/self-hosted-configuration
     # config: |
     #   {
@@ -145,20 +153,20 @@ renovate:
 
     # Provide .ssh config file contents
     # -- Contents of the id_rsa file
-    id_rsa: ''
+    id_rsa: ""
     # -- Contents of the id_rsa_pub file
-    id_rsa_pub: ''
+    id_rsa_pub: ""
     # -- Contents of the config file
-    config: ''
+    config: ""
 
     # or provide the name of an existing secret to be read instead.
     # -- Name of the existing secret containing a valid .ssh configuration
-    existingSecret: ''
+    existingSecret: ""
 
   # -- Environment variables that should be referenced from a k8s secret, cannot be used when existingSecret is set
   secrets: {}
   # -- k8s secret to reference environment variables from. Overrides secrets if set
-  existingSecret: ''
+  existingSecret: "renovate-config-secret"
 
   # -- Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config
   extraConfigmaps: []
@@ -175,15 +183,18 @@ renovate:
   #         "key"="value"
   #         "key1"="value1"
 
-  extraVolumes: 
-    - name: renovate-config
-      secretName:
-        name: renovate-config-secret
+  #extraVolumes:
+  #  - name: renovate-config-secret
+  #    secretName:
+  #      name: renovate-config-secret
+  #      items:
+  #        - key: renovate.json
+  #          path: renovate.json
 
-  extraVolumeMounts:
-    - name: renovate-config
-      mountPath: /
-      subPath: renovate.config
+  #extraVolumeMounts:
+  #  - name: renovate-config-secret
+  #    mountPath: /config
+  #    subPath: renovate.json
 
   # -- Additional containers to the pod
   extraContainers: []
@@ -209,10 +220,11 @@ renovate:
     annotations: {}
     # -- The name of the service account to use
     # If not set and create is true, a name is generated using the fullname template
-    name: ''
+    name: ""
 
   # -- Specify resource limits and requests for the renovate container
-  resources: {}
+  resources:
+    {}
     # We usually recommend not to specify default resources and to leave this as a conscious
     # choice for the user. This also increases chances charts run on environments with little
     # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -233,7 +245,8 @@ renovate:
   #       name: env-configmap
 
   # -- Environment variables to set on the renovate container
-  env: {}
+  env:
+    RENOVATE_AUTODISCOVER: true
   # env:
   #   VARIABLE_NAME: "value"
 
@@ -253,7 +266,7 @@ renovate:
     enabled: false
 
     # -- Override the prefix of the redisHost
-    nameOverride: ''
+    nameOverride: ""
 
     # -- Disable replication by default
     architecture: standalone
@@ -263,7 +276,7 @@ renovate:
       enabled: false
 
     # -- Override Kubernetes version for redis chart
-    kubeVersion: ''
+    kubeVersion: ""
 
   # -- Override hostname resolution
   hostAliases: []
@@ -292,7 +305,7 @@ renovate:
   # -- Create extra manifests via values. Would be passed through `tpl` for templating
   extraObjects: []
   # extraObjects:
-  #   - apiVersion: external-secrets.io/v1beta1
+  #   - apiVersion: external-secrets.io/v1
   #     kind: ExternalSecret
   #     metadata:
   #       name: '{{ include "renovate.fullname" . }}-token'