Update Helm release crowdsec to v0.21.0

Revert "Merge branch 'renovate/authentik-2025.x' into 'main'"

See merge request developerdurp/homelab!50

.gitlab/.gitlab-ci.yml

@@ -24,3 +24,11 @@ build_dev:
   rules:
     - changes:
         - "dev/terraform/*.tf"
+
+build_prd:
+  stage: triggers
+  trigger:
+    include: prd/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "prd/terraform/*.tf"

ansible/newcluster.yaml

@@ -0,0 +1,2 @@
+argocd login --insecure
+argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd

ansible/roles/base/files/01proxy

@@ -0,0 +1 @@
+Acquire::http::Proxy "http://192.168.21.200:3142";

ansible/roles/base/files/authorized_keys_user

@@ -1 +1,2 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano

ansible/roles/base/tasks/main.yaml

@@ -1,3 +1,15 @@
+- name: Copy apt proxy
+  copy: 
+    src: files/01proxy
+    dest: /etc/apt/apt.conf.d/01proxy
+    owner: root 
+    group: root 
+    mode: "0644"
+    force: yes
+  when: 
+    - ansible_os_family == "Debian"      
+    - inventory_hostname not in hosts_deny
+
 - name: Update packages
   apt:
     name: '*'

dev/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2

dev/cert-manager/templates/secretvault.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: cloudflare-api-token-secret

dev/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2

dev/external-dns/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: external-dns-secret

dev/external-secrets/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 0.13.0
+  version: 0.17.0

dev/metallb-system/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
   repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2

dev/metallb-system/templates/config.yaml

@@ -4,7 +4,7 @@ metadata:
   name: cheap
 spec:
   addresses:
-    - 192.168.98.130-192.168.98.140
+    - 192.168.10.130-192.168.10.140
 ---
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement

dev/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
     }
   }
 }
@@ -30,7 +30,7 @@ locals {
     cores   = 2
     memory  = "4096"
     drive   = 20
-    storage = "domains"
+    storage = "cache-domains"
     node    = ["mothership", "overlord", "vanguard"]
     ip      = ["11", "12", "13"]
   }
@@ -41,7 +41,7 @@ locals {
     cores   = 4
     memory  = "8192"
     drive   = 120
-    storage = "domains"
+    storage = "cache-domains"
     node    = ["mothership", "overlord", "vanguard"]
     ip      = ["21", "22", "23"]
   }

dev/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0

dev/traefik/templates/config.yaml

@@ -1,16 +0,0 @@
-#apiVersion: v1
-#kind: ConfigMap
-#metadata:
-#  name: traefik-configmap
-#data:
-#  config.yml: |
-#    http:
-#      routers:
-#        router0:
-#          service: service0
-#          rule: Host(`testing.durp.info`)
-#      services:
-#        service0:
-#          loadBalancer:
-#            servers:
-#              - url: https://192.168.20.130

dev/traefik/templates/middleware.yaml

@@ -1,35 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-    name: authentik-proxy-provider
-    namespace: traefik
-spec:
-  forwardAuth:
-    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-authentik-username
-      - X-authentik-groups
-      - X-authentik-email
-      - X-authentik-name
-      - X-authentik-uid
-      - X-authentik-jwt
-      - X-authentik-meta-jwks
-      - X-authentik-meta-outpost
-      - X-authentik-meta-provider
-      - X-authentik-meta-app
-      - X-authentik-meta-version
-
----
-
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: whitelist
-  namespace: traefik
-spec:
-  ipWhiteList:
-    sourceRange:
-      - 192.168.0.0/16
-      - 172.16.0.0/12
-      - 10.0.0.0/8

dev/traefik/templates/traefik-dashboard.yaml

@@ -1,34 +0,0 @@
-#apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
-#metadata:
-#  name: traefik-ingress
-#spec:
-#  entryPoints:
-#    - websecure
-#  routes:
-#  - match: Host(`traefik.durp.info`)
-#    kind: Rule
-#    services:
-#    - name: api@internal
-#      kind: TraefikService
-#  tls:
-#    secretName: traefik-tls  
-#
-#---
-#
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-#  name: traefik-tls
-#  namespace: traefik
-#spec:
-#  secretName: traefik-tls
-#  issuerRef:
-#    name: letsencrypt-production
-#    kind: ClusterIssuer
-#  commonName: "traefik.durp.info"
-#  dnsNames:
-#  - "traefik.durp.info"
-#
-#---
-#

dev/traefik/values.yaml

@@ -1,10 +1,10 @@
 traefik:
-  image: 
+  image:
     #    registry: registry.durp.info
     #    repository: traefik
     pullPolicy: Always
-  
-  providers:  
+
+  providers:
     kubernetesCRD:
       allowCrossNamespace: true
       allowExternalNameServices: true
@@ -18,40 +18,39 @@ traefik:
   #   - name: traefik-configmap
   #     mountPath: "/config"
   #     type: configMap
-  
+
   ingressRoute:
     dashboard:
       enabled: true
-  
-  additionalArguments: 
+
+  additionalArguments:
     #  - "--providers.file.filename=/config/config.yml"
     - "--serversTransport.insecureSkipVerify=true"
     - "--log.level=DEBUG"
     - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
     - --experimental.plugins.jwt.version=v0.7.0
-  
+
   autoscaling:
     enabled: true
     minReplicas: 3
     maxReplicas: 10
     metrics:
-    - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: 80
+      - type: Resource
+        resource:
+          name: cpu
+          target:
+            type: Utilization
+            averageUtilization: 80
     behavior:
       scaleDown:
         stabilizationWindowSeconds: 300
         policies:
-        - type: Pods
-          value: 1
-          periodSeconds: 60
-  
-  
+          - type: Pods
+            value: 1
+            periodSeconds: 60
+
   # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
-  resources: 
+  resources:
     requests:
       cpu: "100m"
       memory: "512Mi"

dev/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
 

dev/vault/templates/secret-store.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: vault

dmz/authentik/Chart.yaml

@@ -7,6 +7,6 @@ version: 0.1.0
 appVersion: "1.16.0"
 
 dependencies:
-- name: authentik-remote-cluster
-  repository: https://charts.goauthentik.io
-  version: 2.0.0
+  - name: authentik-remote-cluster
+    repository: https://charts.goauthentik.io
+    version: 2.1.0

dmz/authentik/templates/ingress.yaml

@@ -0,0 +1,62 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: authentik-tls
+  commonName: "authentik.durp.info"
+  dnsNames:
+    - "authentik.durp.info"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: authentik-tls
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: authentik-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: infra-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.12.130
+    ports:
+      - port: 443
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: infra-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443

dmz/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2

dmz/cert-manager/templates/secretvault.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: cloudflare-api-token-secret

dmz/crowdsec/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: crowdsec
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+  - name: crowdsec
+    repository: https://crowdsecurity.github.io/helm-charts
+    version: 0.21.0

dmz/crowdsec/templates/secrets.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: enroll-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: enroll-key
+  data:
+    - secretKey: ENROLL_INSTANCE_NAME
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_INSTANCE_NAME
+    - secretKey: ENROLL_KEY
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_KEY
+    - secretKey: ENROLL_TAGS
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_TAGS
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/crowdsec/values.yaml

@@ -0,0 +1,24 @@
+crowdsec:
+  #
+  image:
+    repository: registry.durp.info/crowdsecurity/crowdsec
+    pullPolicy: Always
+
+  # for raw logs format: json or cri (docker|containerd)
+  container_runtime: containerd
+  agent:
+    # Specify each pod whose logs you want to process
+    acquisition:
+      # The namespace where the pod is located
+      - namespace: traefik
+        # The pod name
+        podName: traefik-*
+        # as in crowdsec configuration, we need to specify the program name to find a matching parser
+        program: traefik
+    env:
+      - name: COLLECTIONS
+        value: "crowdsecurity/traefik"
+  lapi:
+    envFrom:
+      - secretRef:
+          name: enroll-key

dmz/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2

dmz/external-dns/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: external-dns-secret

dmz/external-dns/values.yaml

@@ -1,6 +1,8 @@
 external-dns:
   global:
     imageRegistry: "registry.durp.info"
+    security:
+      allowInsecureImages: true
 
   image:
     pullPolicy: Always
@@ -9,10 +11,10 @@ external-dns:
 
   sources:
     - service
-    
+
   provider: cloudflare
   cloudflare:
-    secretName : "external-dns"
+    secretName: "external-dns"
     proxied: false
 
   policy: sync

dmz/external-secrets/Chart.yaml

@@ -6,6 +6,6 @@ version: 0.0.1
 appVersion: 0.0.1
 
 dependencies:
-- name: external-secrets
-  repository: https://charts.external-secrets.io
-  version: 0.15.0
+  - name: external-secrets
+    repository: https://charts.external-secrets.io
+    version: 0.17.0

dmz/external-secrets/values.yaml

@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
+    security:
+      allowInsecureImages: true
+
+  log:
+    level: debug
+  replicaCount: 1
   revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false
 
   installCRDs: true
   crds:
@@ -16,24 +22,24 @@ external-secrets:
     repository: registry.durp.info/external-secrets/external-secrets
     pullPolicy: Always
 
-  extraVolumes: 
+  extraVolumes:
     - name: ca-pemstore
       configMap:
         name: ca-pemstore
 
-  extraVolumeMounts: 
+  extraVolumeMounts:
     - name: ca-pemstore
       mountPath: /etc/ssl/certs/vault.pem
       subPath: vault.pem
       readOnly: true
 
-  resources: 
-    requests:
-      memory: 32Mi
-      cpu: 10m
-    limits:
-      memory: 32Mi
-      cpu: 10m
+  #  resources:
+  #    requests:
+  #      memory: 32Mi
+  #      cpu: 10m
+  #    limits:
+  #      memory: 32Mi
+  #      cpu: 10m
 
   webhook:
     create: false
@@ -44,24 +50,24 @@ external-secrets:
       repository: registry.durp.info/external-secrets/external-secrets
       pullPolicy: Always
 
-    extraVolumes: 
+    extraVolumes:
       - name: ca-pemstore
         configMap:
           name: ca-pemstore
 
-    extraVolumeMounts: 
+    extraVolumeMounts:
       - name: ca-pemstore
         mountPath: /etc/ssl/certs/vault.pem
         subPath: vault.pem
         readOnly: true
 
-    resources: 
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m
+  #    resources:
+  #      requests:
+  #        memory: 32Mi
+  #        cpu: 10m
+  #      limits:
+  #        memory: 32Mi
+  #        cpu: 10m
 
   certController:
     create: false
@@ -74,7 +80,7 @@ external-secrets:
       pullPolicy: Always
       tag: ""
 
-    resources: 
+    resources:
       requests:
         memory: 32Mi
         cpu: 10m
@@ -82,12 +88,12 @@ external-secrets:
         memory: 32Mi
         cpu: 10m
 
-    extraVolumes: 
+    extraVolumes:
       - name: ca-pemstore
         configMap:
           name: ca-pemstore
 
-    extraVolumeMounts: 
+    extraVolumeMounts:
       - name: ca-pemstore
         mountPath: /etc/ssl/certs/vault.pem
         subPath: vault.pem

dmz/gitlab-runner/Chart.yaml

@@ -8,8 +8,8 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
   alias: personal

dmz/gitlab-runner/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: gitlab-secret
@@ -27,7 +27,7 @@ metadata:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: gitlab-secret-personal

dmz/internalproxy/templates/authentik.yaml

@@ -1,42 +1,40 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: authentik-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: infra-cluster
-      port: 443
-  tls:
-    secretName: authentik-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: authentik-tls
-spec:
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  secretName: authentik-tls
-  commonName: "authentik.durp.info"
-  dnsNames:
-  - "authentik.durp.info"
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: authentik-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: authentik-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+#      kind: Rule
+#      services:
+#        - name: infra-cluster
+#          port: 443
+#  tls:
+#    secretName: authentik-tls
+#
+#---
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: authentik-tls
+#spec:
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  secretName: authentik-tls
+#  commonName: "authentik.durp.info"
+#  dnsNames:
+#    - "authentik.durp.info"
+#
+#---
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: authentik-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/bitwarden.yaml

@@ -9,7 +9,7 @@ spec:
   - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) 
     kind: Rule
     services:
-    - name: master-cluster
+    - name: infra-cluster
       port: 443
   tls:
     secretName: bitwarden-tls

dmz/internalproxy/templates/gitlab.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab
+spec:
+  ports:
+    - name: app
+      port: 9080
+      protocol: TCP
+      targetPort: 9080
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitlab
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9080
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitlab-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitlab
+          port: 9080
+          scheme: http
+  tls:
+    secretName: gitlab-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-tls
+spec:
+  secretName: gitlab-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitlab.durp.info"
+  dnsNames:
+    - "gitlab.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitlab-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/grafana.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: grafana-tls
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/invidious.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious
+spec:
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+    targetPort: 3000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: invidious
+subsets:
+- addresses:
+  - ip: 192.168.20.104
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: invidious-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`invidious.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: invidious
+      port: 3000
+  tls:
+    secretName: invidious-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: invidious-tls
+spec:
+  secretName: invidious-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "invidious.durp.info"
+  dnsNames:
+  - "invidious.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: invidious-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: invidious.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/n8n.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: n8n
+spec:
+  ports:
+    - name: app
+      port: 5678
+      protocol: TCP
+      targetPort: 5678
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: n8n
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 5678
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: n8n-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: n8n
+          port: 5678
+          scheme: http
+  tls:
+    secretName: n8n-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: n8n-tls
+spec:
+  secretName: n8n-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "n8n.durp.info"
+  dnsNames:
+    - "n8n.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: n8n-dns
+  annotations:
+    dns.alpha.kubernetes.io/hostname: n8n.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/octopus.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: octopus-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`octopus.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: octopus-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: octopus-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: octopus-tls
+  commonName: "octopus.durp.info"
+  dnsNames:
+    - "octopus.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: octopus-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: octopus.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/ollama.yaml

@@ -1,102 +1,102 @@
-#apiVersion: external-secrets.io/v1beta1
-#kind: ExternalSecret
-#metadata:
-#  name: ollama-secret
-#spec:
-#  secretStoreRef:
-#    name: vault
-#    kind: ClusterSecretStore
-#  target:
-#    name: ollama-secret
-#  data:
-#    - secretKey: users
-#      remoteRef:
-#        key: kv/ollama
-#        property: users
-#
-#---
-#
-#apiVersion: traefik.io/v1alpha1
-#kind: Middleware
-#metadata:
-#  name: ollama-basic-auth
-#spec:
-#  basicAuth:
-#    headerField: x-api-key
-#    secret: ollama-secret
-#
-#---
-#
-#apiVersion: v1
-#kind: Service
-#metadata:
-#  name: ollama
-#spec:
-#  ports:
-#    - name: app
-#      port: 11435
-#      protocol: TCP
-#      targetPort: 11435
-#  clusterIP: None
-#  type: ClusterIP
-#
-#---
-#
-#apiVersion: v1
-#kind: Endpoints
-#metadata:
-#  name: ollama
-#subsets:
-#  - addresses:
-#      - ip: 192.168.20.104
-#    ports:
-#      - name: app
-#        port: 11435
-#        protocol: TCP
-#
-#---
-#
-#apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
-#metadata:
-#  name: ollama-ingress
-#spec:
-#  entryPoints:
-#    - websecure
-#  routes:
-#    - match: Host(`ollama.durp.info`) && PathPrefix(`/`)
-#      middlewares:
-#        - name: ollama-basic-auth
-#      kind: Rule
-#      services:
-#        - name: ollama
-#          port: 11435
-#  tls:
-#    secretName: ollama-tls
-#
-#---
-#
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-#  name: ollama-tls
-#spec:
-#  secretName: ollama-tls
-#  issuerRef:
-#    name: letsencrypt-production
-#    kind: ClusterIssuer
-#  commonName: "ollama.durp.info"
-#  dnsNames:
-#    - "ollama.durp.info"
-#
-#---
-#
-#kind: Service
-#apiVersion: v1
-#metadata:
-#  name: ollama-external-dns
-#  annotations:
-#    external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
-#spec:
-#  type: ExternalName
-#  externalName: durp.info
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: ollama-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: ollama-secret
+  data:
+    - secretKey: users
+      remoteRef:
+        key: kv/ollama
+        property: users
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: ollama-basic-auth
+spec:
+  basicAuth:
+    headerField: x-api-key
+    secret: ollama-secret
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: ollama
+spec:
+  ports:
+    - name: app
+      port: 11435
+      protocol: TCP
+      targetPort: 11435
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: ollama
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 11435
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ollama-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`ollama.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: ollama-basic-auth
+      kind: Rule
+      services:
+        - name: ollama
+          port: 11435
+  tls:
+    secretName: ollama-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ollama-tls
+spec:
+  secretName: ollama-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "ollama.durp.info"
+  dnsNames:
+    - "ollama.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: ollama-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/redlib.yaml

@@ -1,74 +1,74 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: redlib
-spec:
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-    targetPort: 8082
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: redlib
-subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-
----    
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: redlib-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: redlib
-      port: 8082
-  tls:
-    secretName: redlib-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: redlib-tls
-spec:
-  secretName: redlib-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "redlib.durp.info"
-  dnsNames:
-  - "redlib.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: redlib-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: redlib
+#spec:
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#    targetPort: 8082
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: redlib
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: redlib-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik  
+#    kind: Rule
+#    services:
+#    - name: redlib
+#      port: 8082
+#  tls:
+#    secretName: redlib-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: redlib-tls
+#spec:
+#  secretName: redlib-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "redlib.durp.info"
+#  dnsNames:
+#  - "redlib.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: redlib-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/registry.yaml

@@ -4,29 +4,27 @@ metadata:
   name: registry
 spec:
   ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-    targetPort: 5000
+    - name: app
+      port: 5000
+      protocol: TCP
+      targetPort: 5000
   clusterIP: None
   type: ClusterIP
 
 ---
-
 apiVersion: v1
 kind: Endpoints
 metadata:
   name: registry
 subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-
----    
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 5000
+        protocol: TCP
 
+---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -35,16 +33,18 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`registry.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: registry
-      port: 5000
+    - match: Host(`registry.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      services:
+        - name: registry
+          port: 5000
   tls:
     secretName: registry-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -56,16 +56,15 @@ spec:
     kind: ClusterIssuer
   commonName: "registry.durp.info"
   dnsNames:
-  - "registry.durp.info"  
+    - "registry.durp.info"
 
 ---
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: registry-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: registry-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/s3.yaml

@@ -61,7 +61,7 @@ spec:
   commonName: "s3.internal.durp.info"
   dnsNames:
     - "s3.internal.durp.info"
-    -
+
 ---
 
 apiVersion: traefik.io/v1alpha1

dmz/internalproxy/templates/speedtest.yaml

@@ -1,74 +1,74 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: speedtest
-spec:
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-    targetPort: 6580
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: speedtest
-subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-
----    
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: speedtest-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik 
-    services:
-    - name: speedtest
-      port: 6580
-  tls:
-    secretName: speedtest-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: speedtest-tls
-spec:
-  secretName: speedtest-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "speedtest.durp.info"
-  dnsNames:
-  - "speedtest.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: speedtest-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: speedtest
+#spec:
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#    targetPort: 6580
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: speedtest
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: speedtest-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+#    kind: Rule
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik 
+#    services:
+#    - name: speedtest
+#      port: 6580
+#  tls:
+#    secretName: speedtest-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: speedtest-tls
+#spec:
+#  secretName: speedtest-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "speedtest.durp.info"
+#  dnsNames:
+#  - "speedtest.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: speedtest-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/istio-system/Chart.yaml

@@ -6,12 +6,12 @@ version: 0.0.1
 appVersion: 0.0.1
 
 dependencies:
-- name: base
-  repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.0
-- name: istiod
-  repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.0
-- name: gateway
-  repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.0
+  - name: base
+    repository: https://istio-release.storage.googleapis.com/charts
+    version: 1.26.2
+  - name: istiod
+    repository: https://istio-release.storage.googleapis.com/charts
+    version: 1.26.2
+  - name: gateway
+    repository: https://istio-release.storage.googleapis.com/charts
+    version: 1.26.2

dmz/istio-system/templates/annotate.yaml

@@ -1,13 +1,14 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  annotations:
-    topology.istio.io/controlPlaneClusters: cluster1
-  labels:
-    kubernetes.io/metadata.name: istio-system
-  name: istio-system
-spec:
-  finalizers:
-  - kubernetes
-status:
-  phase: Active
+#apiVersion: v1
+#kind: Namespace
+#metadata:
+#  annotations:
+#    topology.istio.io/controlPlaneClusters: cluster1
+#  labels:
+#    kubernetes.io/metadata.name: istio-system
+#  name: istio-system
+#spec:
+#  finalizers:
+#  - kubernetes
+#status:
+#  phase: Active
+#

dmz/istio-system/templates/expose.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  name: cross-network-gateway
+spec:
+  selector:
+    istio: eastwestgateway
+  servers:
+    - port:
+        number: 15443
+        name: tls
+        protocol: TLS
+      tls:
+        mode: AUTO_PASSTHROUGH
+      hosts:
+        - "*.local"

dmz/istio-system/values.yaml

@@ -1,725 +1,10 @@
 istiod:
-  profile: remote
-  autoscaleEnabled: true
-  autoscaleMin: 1
-  autoscaleMax: 5
-  autoscaleBehavior: {}
-  replicaCount: 1
-  rollingMaxSurge: 100%
-  rollingMaxUnavailable: 25%
-
-  hub: ""
-  tag: ""
-  variant: ""
-
-  # Can be a full hub/image:tag
-  image: pilot
-  traceSampling: 1.0
-
-  # Resources for a small pilot install
-  resources:
-    requests:
-      cpu: 500m
-      memory: 2048Mi
-
-  # Set to `type: RuntimeDefault` to use the default profile if available.
-  seccompProfile: {}
-
-  # Whether to use an existing CNI installation
-  cni:
-    enabled: false
-    provider: default
-
-  # Additional container arguments
-  extraContainerArgs: []
-
-  env: {}
-
-  # Settings related to the untaint controller
-  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
-  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
-  taint:
-    # Controls whether or not the untaint controller is active
-    enabled: false
-    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
-    namespace: ""
-
-  affinity: {}
-
-  tolerations: []
-
-  cpu:
-    targetAverageUtilization: 80
-  memory: {}
-    # targetAverageUtilization: 80
-
-  # Additional volumeMounts to the istiod container
-  volumeMounts: []
-
-  # Additional volumes to the istiod pod
-  volumes: []
-
-  # Inject initContainers into the istiod pod
-  initContainers: []
-
-  nodeSelector: {}
-  podAnnotations: {}
-  serviceAnnotations: {}
-  serviceAccountAnnotations: {}
-  sidecarInjectorWebhookAnnotations: {}
-
-  topologySpreadConstraints: []
-
-  # You can use jwksResolverExtraRootCA to provide a root certificate
-  # in PEM format. This will then be trusted by pilot when resolving
-  # JWKS URIs.
-  jwksResolverExtraRootCA: ""
-
-  # The following is used to limit how long a sidecar can be connected
-  # to a pilot. It balances out load across pilot instances at the cost of
-  # increasing system churn.
-  keepaliveMaxServerConnectionAge: 30m
-
-  # Additional labels to apply to the deployment.
-  deploymentLabels: {}
-
-  ## Mesh config settings
-
-  # Install the mesh config map, generated from values.yaml.
-  # If false, pilot wil use default values (by default) or user-supplied values.
-  configMap: true
-
-  # Additional labels to apply on the pod level for monitoring and logging configuration.
-  podLabels: {}
-
-  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
-  ipFamilyPolicy: ""
-  ipFamilies: []
-
-  # Ambient mode only.
-  # Set this if you install ztunnel to a different namespace from `istiod`.
-  # If set, `istiod` will allow connections from trusted node proxy ztunnels
-  # in the provided namespace.
-  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
-  # in the same namespace as itself.
-  trustedZtunnelNamespace: ""
-
-  sidecarInjectorWebhook:
-    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
-    # always skip the injection on pods that match that label selector, regardless of the global policy.
-    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
-    neverInjectSelector: []
-    alwaysInjectSelector: []
-
-    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
-    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
-    #
-    # annotations:
-    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-    #
-    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
-    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
-    # injectedAnnotations:
-    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
-    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
-    injectedAnnotations: {}
-
-    # This enables injection of sidecar in all namespaces,
-    # with the exception of namespaces with "istio-injection:disabled" annotation
-    # Only one environment should have this enabled.
-    enableNamespacesByDefault: false
-
-    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
-    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
-    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
-    reinvocationPolicy: Never
-
-    rewriteAppHTTPProbe: true
-
-    # Templates defines a set of custom injection templates that can be used. For example, defining:
-    #
-    # templates:
-    #   hello: |
-    #     metadata:
-    #       labels:
-    #         hello: world
-    #
-    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
-    # being injected with the hello=world labels.
-    # This is intended for advanced configuration only; most users should use the built in template
-    templates: {}
-
-    # Default templates specifies a set of default templates that are used in sidecar injection.
-    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
-    # To inject other additional templates, define it using the `templates` option, and add it to
-    # the default templates list.
-    # For example:
-    #
-    # templates:
-    #   hello: |
-    #     metadata:
-    #       labels:
-    #         hello: world
-    #
-    # defaultTemplates: ["sidecar", "hello"]
-    defaultTemplates: []
-  istiodRemote:
-    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
-    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
-    # to utilize a remote instance.
-    enabled: false
-    # Sidecar injector mutating webhook configuration clientConfig.url value.
-    # For example: https://$remotePilotAddress:15017/inject
-    # The host should not refer to a service running in the cluster; use a service reference by specifying
-    # the clientConfig.service field instead.
-    injectionURL: ""
-
-    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
-    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
-    injectionPath: "/inject/cluster/cluster2/net/network1"
-
-    injectionCABundle: ""
-  telemetry:
-    enabled: true
-    v2:
-      # For Null VM case now.
-      # This also enables metadata exchange.
-      enabled: true
-      # Indicate if prometheus stats filter is enabled or not
-      prometheus:
-        enabled: true
-      # stackdriver filter settings.
-      stackdriver:
-        enabled: false
-  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-  revision: ""
-
-  # Revision tags are aliases to Istio control plane revisions
-  revisionTags: []
-
-  # For Helm compatibility.
-  ownerName: ""
-
-  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
-  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
-  meshConfig:
-    enablePrometheusMerge: true
-
-  experimental:
-    stableValidationPolicy: false
-
   global:
-    # Used to locate istiod.
-    istioNamespace: istio-system
-    # List of cert-signers to allow "approve" action in the istio cluster role
-    #
-    # certSigners:
-    #   - clusterissuers.cert-manager.io/istio-ca
-    certSigners: []
-    # enable pod disruption budget for the control plane, which is used to
-    # ensure Istio control plane components are gradually upgraded or recovered.
-    defaultPodDisruptionBudget:
-      enabled: true
-      # The values aren't mutable due to a current PodDisruptionBudget limitation
-      # minAvailable: 1
-
-    # A minimal set of requested resources to applied to all deployments so that
-    # Horizontal Pod Autoscaler will be able to function (if set).
-    # Each component can overwrite these default values by adding its own resources
-    # block in the relevant section below and setting the desired resources values.
-    defaultResources:
-      requests:
-        cpu: 10m
-      #   memory: 128Mi
-      # limits:
-      #   cpu: 100m
-      #   memory: 128Mi
-
-    # Default hub for Istio images.
-    # Releases are published to docker hub under 'istio' project.
-    # Dev builds from prow are on gcr.io
-    hub: docker.io/istio
-    # Default tag for Istio images.
-    tag: 1.25.0
-    # Variant of the image to use.
-    # Currently supported are: [debug, distroless]
-    variant: ""
-
-    # Specify image pull policy if default behavior isn't desired.
-    # Default behavior: latest images will be Always else IfNotPresent.
-    imagePullPolicy: ""
-
-    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
-    # to use for pulling any images in pods that reference this ServiceAccount.
-    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
-    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
-    # Must be set for any cluster configured with private docker registry.
-    imagePullSecrets: []
-    # - private-registry-key
-
-    # Enabled by default in master for maximising testing.
-    istiod:
-      enableAnalysis: false
-
-    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
-    logAsJson: false
-
-    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
-    # The control plane has different scopes depending on component, but can configure default log level across all components
-    # If empty, default scope and level will be used as configured in code
-    logging:
-      level: "default:info"
-
-    omitSidecarInjectorConfigMap: false
-
-    # Configure whether Operator manages webhook configurations. The current behavior
-    # of Istiod is to manage its own webhook configurations.
-    # When this option is set as true, Istio Operator, instead of webhooks, manages the
-    # webhook configurations. When this option is set as false, webhooks manage their
-    # own webhook configurations.
-    operatorManageWebhooks: false
-
-    # Custom DNS config for the pod to resolve names of services in other
-    # clusters. Use this to add additional search domains, and other settings.
-    # see
-    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
-    # This does not apply to gateway pods as they typically need a different
-    # set of DNS settings than the normal application pods (e.g., in
-    # multicluster scenarios).
-    # NOTE: If using templates, follow the pattern in the commented example below.
-    #podDNSSearchNamespaces:
-    #- global
-    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
-
-    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
-    # system-node-critical, it is better to configure this in order to make sure your Istio pods
-    # will not be killed because of low priority class.
-    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
-    # for more detail.
-    priorityClassName: ""
-
-    proxy:
-      image: proxyv2
-
-      # This controls the 'policy' in the sidecar injector.
-      autoInject: enabled
-
-      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
-      # cluster domain. Default value is "cluster.local".
-      clusterDomain: "cluster.local"
-
-      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
-      # not set, then the global "logLevel" will be used.
-      componentLogLevel: "misc:error"
-
-      # istio ingress capture allowlist
-      # examples:
-      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
-      excludeInboundPorts: ""
-      includeInboundPorts: "*"
-
-      # istio egress capture allowlist
-      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
-      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
-      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
-      # be allowed by the sidecar
-      includeIPRanges: "*"
-      excludeIPRanges: ""
-      includeOutboundPorts: ""
-      excludeOutboundPorts: ""
-
-      # Log level for proxy, applies to gateways and sidecars.
-      # Expected values are: trace|debug|info|warning|error|critical|off
-      logLevel: warning
-
-      # Specify the path to the outlier event log.
-      # Example: /dev/stdout
-      outlierLogPath: ""
-
-      #If set to true, istio-proxy container will have privileged securityContext
-      privileged: false
-
-      # The number of successive failed probes before indicating readiness failure.
-      readinessFailureThreshold: 4
-
-      # The initial delay for readiness probes in seconds.
-      readinessInitialDelaySeconds: 0
-
-      # The period between readiness probes.
-      readinessPeriodSeconds: 15
-
-      # Enables or disables a startup probe.
-      # For optimal startup times, changing this should be tied to the readiness probe values.
-      #
-      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
-      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
-      # and doesn't spam the readiness endpoint too much
-      #
-      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
-      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
-      startupProbe:
-        enabled: true
-        failureThreshold: 600 # 10 minutes
-
-      # Resources for the sidecar.
-      resources:
-        requests:
-          cpu: 100m
-          memory: 128Mi
-        limits:
-          cpu: 2000m
-          memory: 1024Mi
-
-      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
-      statusPort: 15020
-
-      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
-      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
-      tracer: "none"
-
-    proxy_init:
-      # Base name for the proxy_init container, used to configure iptables.
-      image: proxyv2
-      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
-      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
-      forceApplyIptables: false
-
-    # configure remote pilot and istiod service and endpoint
-    remotePilotAddress: "192.168.12.131"
-
-    ##############################################################################################
-    # The following values are found in other charts. To effectively modify these values, make   #
-    # make sure they are consistent across your Istio helm charts                                #
-    ##############################################################################################
-
-    # The customized CA address to retrieve certificates for the pods in the cluster.
-    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
-    # If not set explicitly, default to the Istio discovery address.
-    caAddress: ""
-
-    # Enable control of remote clusters.
-    externalIstiod: false
-
-    # Configure a remote cluster as the config cluster for an external istiod.
-    configCluster: true
-
-    # configValidation enables the validation webhook for Istio configuration.
-    configValidation: true
-
-    # Mesh ID means Mesh Identifier. It should be unique within the scope where
-    # meshes will interact with each other, but it is not required to be
-    # globally/universally unique. For example, if any of the following are true,
-    # then two meshes must have different Mesh IDs:
-    # - Meshes will have their telemetry aggregated in one place
-    # - Meshes will be federated together
-    # - Policy will be written referencing one mesh from the other
-    #
-    # If an administrator expects that any of these conditions may become true in
-    # the future, they should ensure their meshes have different Mesh IDs
-    # assigned.
-    #
-    # Within a multicluster mesh, each cluster must be (manually or auto)
-    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
-    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
-    # of migration TBD, and it may be a disruptive operation to change the Mesh
-    # ID post-install.
-    #
-    # If the mesh admin does not specify a value, Istio will use the value of the
-    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
-    # value.
-    meshID: ""
-
-    # Configure the mesh networks to be used by the Split Horizon EDS.
-    #
-    # The following example defines two networks with different endpoints association methods.
-    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
-    # mapped to network1. The gateway for this network example is specified by its public IP
-    # address and port.
-    # The second network, `network2`, in this example is defined differently with all endpoints
-    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
-    # gateway is also defined differently with the name of the gateway service on the remote
-    # cluster. The public IP for the gateway will be determined from that remote service (only
-    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
-    # it still need to be configured manually).
-    #
-    # meshNetworks:
-    #   network1:
-    #     endpoints:
-    #     - fromCidr: "192.168.0.1/24"
-    #     gateways:
-    #     - address: 1.1.1.1
-    #       port: 80
-    #   network2:
-    #     endpoints:
-    #     - fromRegistry: reg1
-    #     gateways:
-    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
-    #       port: 443
-    #
-    meshNetworks: {}
-
-    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
-    mountMtlsCerts: false
-
+    network: network2
+    meshID: mesh1
     multiCluster:
-      # Set to true to connect two kubernetes clusters via their respective
-      # ingressgateway services when pods in each cluster cannot directly
-      # talk to one another. All clusters should be using Istio mTLS and must
-      # have a shared root CA for this model to work.
-      enabled: false
-      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
-      # to properly label proxies
-      clusterName: "dmz"
-
-    # Network defines the network this cluster belong to. This name
-    # corresponds to the networks in the map of mesh networks.
-    network: ""
-
-    # Configure the certificate provider for control plane communication.
-    # Currently, two providers are supported: "kubernetes" and "istiod".
-    # As some platforms may not have kubernetes signing APIs,
-    # Istiod is the default
-    pilotCertProvider: istiod
-
-    sds:
-      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
-      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
-      # JWT is intended for the CA.
-      token:
-        aud: istio-ca
-
-    sts:
-      # The service port used by Security Token Service (STS) server to handle token exchange requests.
-      # Setting this port to a non-zero value enables STS server.
-      servicePort: 0
-
-    # The name of the CA for workload certificates.
-    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
-    # will be used as the certificates for workloads.
-    # The default value is "" and when caName="", the CA will be configured by other
-    # mechanisms (e.g., environmental variable CA_PROVIDER).
-    caName: ""
-
-    waypoint:
-      # Resources for the waypoint proxy.
-      resources:
-        requests:
-          cpu: 100m
-          memory: 128Mi
-        limits:
-          cpu: "2"
-          memory: 1Gi
-
-      # If specified, affinity defines the scheduling constraints of waypoint pods.
-      affinity: {}
-
-      # Topology Spread Constraints for the waypoint proxy.
-      topologySpreadConstraints: []
-
-      # Node labels for the waypoint proxy.
-      nodeSelector: {}
-
-      # Tolerations for the waypoint proxy.
-      tolerations: []
-
-  base:
-    # For istioctl usage to disable istio config crds in base
-    enableIstioConfigCRDs: true
-
-  # Gateway Settings
-  gateways:
-    # Define the security context for the pod.
-    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
-    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
-    securityContext: {}
-
-    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
-    seccompProfile: {}
-base:
-  profile: remote
-  global:
-    imagePullSecrets: []
-
-    istioNamespace: istio-system
-  base:
-    excludedCRDs: []
-    enableCRDTemplates: true
-
-    validationURL: ""
-    validationCABundle: ""
-
-    enableIstioConfigCRDs: true
-
-  defaultRevision: "default"
-  experimental:
-    stableValidationPolicy: false
+      clusterName: dmz
 
 gateway:
-  # Name allows overriding the release name. Generally this should not be set
-  name: "istio-eastwestgateway"
-  # revision declares which revision this gateway is a part of
-  revision: ""
-
-  # Controls the spec.replicas setting for the Gateway deployment if set.
-  # Otherwise defaults to Kubernetes Deployment default (1).
-  replicaCount:
-
-  kind: Deployment
-
-  rbac:
-    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
-    # when using http://gateway-api.org/.
-    enabled: true
-
-  serviceAccount:
-    # If set, a service account will be created. Otherwise, the default is used
-    create: true
-    # Annotations to add to the service account
-    annotations: {}
-    # The name of the service account to use.
-    # If not set, the release name is used
-    name: ""
-
-  podAnnotations:
-    prometheus.io/port: "15020"
-    prometheus.io/scrape: "true"
-    prometheus.io/path: "/stats/prometheus"
-    inject.istio.io/templates: "gateway"
-    sidecar.istio.io/inject: "true"
-
-  # Define the security context for the pod.
-  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
-  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
-  securityContext: {}
-  containerSecurityContext: {}
-
-  service:
-    # Type of service. Set to "None" to disable the service entirely
-    type: LoadBalancer
-    ports:
-    - name: status-port
-      port: 15021
-      protocol: TCP
-      targetPort: 15021
-    - name: http2
-      port: 80
-      protocol: TCP
-      targetPort: 80
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: 443
-    annotations: {}
-    loadBalancerIP: ""
-    loadBalancerSourceRanges: []
-    externalTrafficPolicy: ""
-    externalIPs: []
-    ipFamilyPolicy: ""
-    ipFamilies: []
-    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
-    # allocateLoadBalancerNodePorts: false
-    ## Set LoadBalancer class (only for LoadBalancers).
-    # loadBalancerClass: ""
-
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 2000m
-      memory: 1024Mi
-
-  autoscaling:
-    enabled: true
-    minReplicas: 1
-    maxReplicas: 5
-    targetCPUUtilizationPercentage: 80
-    targetMemoryUtilizationPercentage: {}
-    autoscaleBehavior: {}
-
-  # Pod environment variables
-  env: {}
-
-  # Deployment Update strategy
-  strategy: {}
-  
-  # Sets the Deployment minReadySeconds value
-  minReadySeconds:
-  
-  # Optionally configure a custom readinessProbe. By default the control plane
-  # automatically injects the readinessProbe. If you wish to override that
-  # behavior, you may define your own readinessProbe here.
-  readinessProbe: {}
-
-  # Labels to apply to all resources
-  labels:
-    # By default, don't enroll gateways into the ambient dataplane
-    "istio.io/dataplane-mode": none
-
-  # Annotations to apply to all resources
-  annotations: {}
-
-  nodeSelector: {}
-
-  tolerations: []
-
-  topologySpreadConstraints: []
-
-  affinity: {}
-
-  # If specified, the gateway will act as a network gateway for the given network.
-  networkGateway: "network1"
-
-  # Specify image pull policy if default behavior isn't desired.
-  # Default behavior: latest images will be Always else IfNotPresent
-  imagePullPolicy: ""
-
-  imagePullSecrets: []
-
-  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
-  #
-  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
-  # which means that no PodDisruptionBudget resource will be created.
-  #
-  # To enable the PodDisruptionBudget, configure it by specifying the
-  # `minAvailable` or `maxUnavailable`. For example, to set the
-  # minimum number of available replicas to 1, you can update this value as follows:
-  #
-  # podDisruptionBudget:
-  #   minAvailable: 1
-  #
-  # Or, to allow a maximum of 1 unavailable replica, you can set:
-  #
-  # podDisruptionBudget:
-  #   maxUnavailable: 1
-  #
-  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
-  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
-  #
-  # podDisruptionBudget:
-  #   minAvailable: 1
-  #   unhealthyPodEvictionPolicy: AlwaysAllow
-  #
-  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
-  #
-  # podDisruptionBudget: {}
-  #
-  podDisruptionBudget: {}
-
-  # Sets the per-pod terminationGracePeriodSeconds setting.
-  terminationGracePeriodSeconds: 30
-
-  # A list of `Volumes` added into the Gateway Pods. See
-  # https://kubernetes.io/docs/concepts/storage/volumes/.
-  volumes: []
-
-  # A list of `VolumeMounts` added into the Gateway Pods. See
-  # https://kubernetes.io/docs/concepts/storage/volumes/.
-  volumeMounts: []
-
-  # Configure this to a higher priority class in order to make sure your Istio gateway pods
-  # will not be killed because of low priority class.
-  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
-  # for more detail.
-  priorityClassName: ""
+  name: istio-eastwestgateway
+  networkGateway: network2

dmz/littlelink/templates/deployment.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: littlelink
+  name: littlelink
+  labels:
+    app: littlelink
+spec:
+  selector:
+    matchLabels:
+      app: littlelink
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: littlelink
+    spec:
+      containers:
+      - name: littlelink
+        image: registry.durp.info/techno-tim/littlelink-server:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000            
+        env:
+          - name: META_TITLE
+            value: DeveloperDurp
+          - name: META_DESCRIPTION
+            value: The Durpy Developer
+          - name: META_AUTHOR
+            value: DeveloperDurp
+          - name: LANG
+            value: en
+          - name: META_INDEX_STATUS
+            value: all
+          - name: OG_TITLE
+            value: DeveloperDurp
+          - name: OG_DESCRIPTION
+            value: DeveloperDurp
+          - name: OG_URL
+            value: https://gitlab.com/developerdurp
+          - name: OG_IMAGE
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : OG_IMAGE_WIDTH
+            value: "400"
+          - name : OG_IMAGE_HEIGHT
+            value: "400"
+          - name : THEME
+            value: Dark 
+          - name : FAVICON_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_2X_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png   
+          - name : AVATAR_ALT
+            value: DeveloperDurp Profile Pic
+          - name : NAME
+            value: DeveloperDurp
+          - name : BIO
+            value: Sup Nerd,
+          - name : BUTTON_ORDER
+            value: GITHUB,GITLAB,YOUTUBE,INSTAGRAM,TWITTER,BLUESKY,COFFEE,EMAIL
+          - name : TWITTER
+            value: https://twitter.com/developerdurp                
+          - name : GITHUB
+            value: https://github.com/DeveloperDurp
+          - name: INSTAGRAM
+            value: https://instagram.com/developerdurp
+          - name : GITLAB
+            value: https://gitlab.com/developerdurp
+          - name: YOUTUBE
+            value: https://www.youtube.com/channel/UC1rGa6s6kER_gLpIQsxeMVQ
+          - name : EMAIL
+            value: DeveloperDurp@durp.info
+          - name : EMAIL_TEXT
+            value: DeveloperDurp@durp.info            
+          - name : FOOTER
+            value: DeveloperDurp © 2022         
+          - name: CUSTOM_BUTTON_TEXT
+            value: BuyMeACoffee,BlueSky
+          - name: CUSTOM_BUTTON_URL
+            value: https://www.buymeacoffee.com/DeveloperDurp,https://bsky.app/profile/durp.info
+          - name: CUSTOM_BUTTON_COLOR
+            value: '#ffdd00,#1185fe'
+          - name: CUSTOM_BUTTON_TEXT_COLOR
+            value: '#000000,#FFFFFF'
+          - name: CUSTOM_BUTTON_ALT_TEXT
+            value: Support,BlueSky
+          - name: CUSTOM_BUTTON_NAME
+            value: COFFEE,BLUESKY
+          - name: CUSTOM_BUTTON_ICON
+            value: fa-solid fa-cup-togo
+        ports:
+        - name: http
+          containerPort: 3000          

dmz/littlelink/templates/ingress.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: littlelink-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`links.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: littlelink
+      port: 80
+  tls:
+    secretName: littlelink-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: littlelink-tls
+spec:
+  secretName: littlelink-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "links.durp.info"
+  dnsNames:
+  - "links.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: links-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: links.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/littlelink/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: littlelink
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 3000
+    protocol: TCP 
+  selector:
+    app: littlelink

dmz/longhorn/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: longhorn-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: longhorn
+  repository: https://charts.longhorn.io
+  version: 1.9.0

dmz/longhorn/templates/ingress.yaml

@@ -0,0 +1,34 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: longhorn-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: vault-issuer
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`longhorn.dmz.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: longhorn-frontend
+          port: 80
+  tls:
+    secretName: longhorn-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: longhorn-tls
+spec:
+  secretName: longhorn-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "longhorn.dmz.durp.info"
+  dnsNames:
+    - "longhorn.dmz.durp.info"

dmz/longhorn/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: external-longhorn-backup-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: longhorn-backup-token-secret
+  data:
+  - secretKey: AWS_ACCESS_KEY_ID
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ACCESS_KEY_ID
+  - secretKey: AWS_ENDPOINTS 
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ENDPOINTS 
+  - secretKey: AWS_SECRET_ACCESS_KEY
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_SECRET_ACCESS_KEY

dmz/longhorn/values.yaml

@@ -0,0 +1,192 @@
+longhorn: 
+  global:
+    cattle:
+      systemDefaultRegistry: ""
+  
+  image:
+    longhorn:
+      engine:
+        repository: longhornio/longhorn-engine
+      manager:
+        repository: longhornio/longhorn-manager
+      ui:
+        repository: longhornio/longhorn-ui
+      instanceManager:
+        repository: longhornio/longhorn-instance-manager
+      shareManager:
+        repository: longhornio/longhorn-share-manager
+      backingImageManager:
+        repository: longhornio/backing-image-manager
+    csi:
+      attacher:
+        repository: longhornio/csi-attacher
+      provisioner:
+        repository: longhornio/csi-provisioner
+      nodeDriverRegistrar:
+        repository: longhornio/csi-node-driver-registrar
+      resizer:
+        repository: longhornio/csi-resizer
+      snapshotter:
+        repository: longhornio/csi-snapshotter
+    pullPolicy: Always
+  
+  service:
+    ui:
+      type: ClusterIP
+      nodePort: null
+    manager:
+      type: ClusterIP
+      nodePort: ""
+      loadBalancerIP: ""
+      loadBalancerSourceRanges: ""
+  
+  persistence:
+    defaultClass: true
+    defaultFsType: ext4
+    defaultClassReplicaCount: 3
+    defaultDataLocality: disabled # best-effort otherwise
+    reclaimPolicy: Delete
+    migratable: false
+    recurringJobSelector:
+      enable: true
+      jobList: '[
+          {
+            "name":"backup", 
+            "task":"backup", 
+            "cron":"0 0 * * *", 
+            "retain":24
+          }
+        ]'
+    backingImage:
+      enable: false
+      name: ~
+      dataSourceType: ~
+      dataSourceParameters: ~
+      expectedChecksum: ~
+  
+  csi:
+    kubeletRootDir: ~
+    attacherReplicaCount: ~
+    provisionerReplicaCount: ~
+    resizerReplicaCount: ~
+    snapshotterReplicaCount: ~
+  
+  defaultSettings:
+    backupTarget: S3://longhorn-master@us-east-1/
+    backupTargetCredentialSecret: longhorn-backup-token-secret
+    allowRecurringJobWhileVolumeDetached: ~
+    createDefaultDiskLabeledNodes: ~
+    defaultDataPath: ~
+    defaultDataLocality: ~
+    replicaSoftAntiAffinity: ~
+    replicaAutoBalance: ~
+    storageOverProvisioningPercentage: ~
+    storageMinimalAvailablePercentage: ~
+    upgradeChecker: ~
+    defaultReplicaCount: ~
+    defaultLonghornStaticStorageClass: longhorn
+    backupstorePollInterval: ~
+    taintToleration: ~
+    systemManagedComponentsNodeSelector: ~
+    priorityClass: ~
+    autoSalvage: ~
+    autoDeletePodWhenVolumeDetachedUnexpectedly: ~
+    disableSchedulingOnCordonedNode: ~
+    replicaZoneSoftAntiAffinity: ~
+    nodeDownPodDeletionPolicy: ~
+    allowNodeDrainWithLastHealthyReplica: ~
+    mkfsExt4Parameters: ~
+    disableReplicaRebuild: ~
+    replicaReplenishmentWaitInterval: ~
+    concurrentReplicaRebuildPerNodeLimit: ~
+    disableRevisionCounter: ~
+    systemManagedPodsImagePullPolicy: ~
+    allowVolumeCreationWithDegradedAvailability: ~
+    autoCleanupSystemGeneratedSnapshot: ~
+    concurrentAutomaticEngineUpgradePerNodeLimit: ~
+    backingImageCleanupWaitInterval: ~
+    backingImageRecoveryWaitInterval: ~
+    guaranteedEngineManagerCPU: ~
+    guaranteedReplicaManagerCPU: ~
+    kubernetesClusterAutoscalerEnabled: ~
+    orphanAutoDeletion: ~
+    storageNetwork: ~
+  privateRegistry:
+    createSecret: ~
+    registryUrl: ~
+    registryUser: ~
+    registryPasswd: ~
+    registrySecret: ~
+  
+  longhornManager:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornDriver:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornUI:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  resources: {}
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    # limits:
+    #  cpu: 100m
+    #  memory: 128Mi
+    # requests:
+    #  cpu: 100m
+    #  memory: 128Mi
+    #
+  
+  ingress:
+    enabled: false
+  
+  ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
+  ## and its release namespace is not the `longhorn-system`
+  namespaceOverride: ""
+  
+  # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
+  annotations: {}
+  
+  serviceAccount:
+    # Annotations to add to the service account
+    annotations: {}
+  

dmz/metallb-system/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
   repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2

dmz/openspeedtest/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: openspeedtest
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

dmz/openspeedtest/templates/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: openspeedtest
+  name: openspeedtest
+  labels:
+    app: openspeedtest
+spec:
+  selector:
+    matchLabels:
+      app: openspeedtest
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: openspeedtest
+    spec:
+      containers:
+      - name: openspeedtest
+        image: registry.durp.info/openspeedtest/latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 3000
+        env:
+        ports:
+        - name: http
+          containerPort: 3000

dmz/openspeedtest/templates/ingress.yaml

@@ -0,0 +1,56 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: openspeedtest-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    - name: limit-buffering
+    services:
+    - name: openspeedtest
+      port: 3000
+  tls:
+    secretName: openspeedtest-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: openspeedtest-tls
+spec:
+  secretName: openspeedtest-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "speedtest.durp.info"
+  dnsNames:
+  - "speedtest.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: openspeedtest-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: limit-buffering
+spec:
+  buffering:
+    maxRequestBodyBytes: 10000000000

dmz/openspeedtest/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: openspeedtest
+spec:
+  ports:
+  - name: http
+    port: 3000
+    targetPort: 3000
+    protocol: TCP 
+  selector:
+    app: openspeedtest

dmz/redlib/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: redlib
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

dmz/redlib/templates/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: redlib
+  name: redlib
+  labels:
+    app: redlib
+spec:
+  selector:
+    matchLabels:
+      app: redlib
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        app: redlib
+    spec:
+      containers:
+      - name: redlib
+        image: registry.durp.info/redlib/redlib:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        env:
+        ports:
+        - name: http
+          containerPort: 8080

dmz/redlib/templates/ingress.yaml

@@ -0,0 +1,43 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: redlib-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: redlib
+          port: 8080
+  tls:
+    secretName: redlib-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: redlib-tls
+spec:
+  secretName: redlib-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "redlib.durp.info"
+  dnsNames:
+    - "redlib.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: redlib-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/redlib/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redlib
+spec:
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+    protocol: TCP 
+  selector:
+    app: redlib

dmz/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
     }
   }
 }

dmz/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0

dmz/traefik/templates/middleware.yaml

@@ -1,11 +1,11 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-    name: authentik-proxy-provider
-    namespace: traefik
+  name: authentik-proxy-provider
+  namespace: traefik
 spec:
   forwardAuth:
-    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
+    address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
     trustForwardHeader: true
     authResponseHeaders:
       - X-authentik-username
@@ -21,7 +21,6 @@ spec:
       - X-authentik-meta-version
 
 ---
-
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -33,3 +32,23 @@ spec:
       - 192.168.0.0/16
       - 172.16.0.0/12
       - 10.0.0.0/8
+
+---
+#apiVersion: traefik.io/v1alpha1
+#kind: Middleware
+#metadata:
+#  name: bouncer
+#  namespace: traefik
+#spec:
+#  plugin:
+#    bouncer:
+#      enabled: true
+#      crowdsecMode: stream
+#      crowdsecLapiScheme: https
+#      crowdsecLapiTLSInsecureVerify: true
+#      crowdsecLapiHost: crowdsec-service.crowdsec:8080
+#      crowdsecLapiKey:
+#        valueFrom:
+#          secretKeyRef:
+#            name: crowdsec-lapi-key
+#            key: lapi-key

dmz/traefik/templates/secrets.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: crowdsec-lapi-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: crowdsec-lapi-key
+  data:
+    - secretKey: lapi-key
+      remoteRef:
+        key: kv/crowdsec/api
+        property: key
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/traefik/templates/traefik-dashboard.yaml

@@ -1,34 +1,35 @@
-#apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
-#metadata:
-#  name: traefik-ingress
-#spec:
-#  entryPoints:
-#    - websecure
-#  routes:
-#  - match: Host(`traefik.durp.info`)
-#    kind: Rule
-#    services:
-#    - name: api@internal
-#      kind: TraefikService
-#  tls:
-#    secretName: traefik-tls  
-#
-#---
-#
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-#  name: traefik-tls
-#  namespace: traefik
-#spec:
-#  secretName: traefik-tls
-#  issuerRef:
-#    name: letsencrypt-production
-#    kind: ClusterIssuer
-#  commonName: "traefik.durp.info"
-#  dnsNames:
-#  - "traefik.durp.info"
-#
-#---
-#
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik.dmz.durp.info`)
+      kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls:
+    secretName: traefik-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-tls
+  namespace: traefik
+spec:
+  secretName: traefik-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "traefik.dmz.durp.info"
+  dnsNames:
+    - "traefik.dmz.durp.info"

dmz/traefik/values.yaml

@@ -1,10 +1,10 @@
 traefik:
-  image: 
+  image:
     #    registry: registry.durp.info
     #    repository: traefik
     pullPolicy: Always
-  
-  providers:  
+
+  providers:
     kubernetesCRD:
       allowCrossNamespace: true
       allowExternalNameServices: true
@@ -18,40 +18,41 @@ traefik:
   #   - name: traefik-configmap
   #     mountPath: "/config"
   #     type: configMap
-  
+
   ingressRoute:
     dashboard:
       enabled: true
-  
-  additionalArguments: 
+
+  additionalArguments:
     #  - "--providers.file.filename=/config/config.yml"
     - "--serversTransport.insecureSkipVerify=true"
     - "--log.level=DEBUG"
     - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
     - --experimental.plugins.jwt.version=v0.7.0
-  
+    - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+    - --experimental.plugins.bouncer.version=v1.4.2
+
   autoscaling:
     enabled: true
     minReplicas: 3
     maxReplicas: 10
     metrics:
-    - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: 80
+      - type: Resource
+        resource:
+          name: cpu
+          target:
+            type: Utilization
+            averageUtilization: 80
     behavior:
       scaleDown:
         stabilizationWindowSeconds: 300
         policies:
-        - type: Pods
-          value: 1
-          periodSeconds: 60
-  
-  
+          - type: Pods
+            value: 1
+            periodSeconds: 60
+
   # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
-  resources: 
+  resources:
     requests:
       cpu: "100m"
       memory: "512Mi"

dmz/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
 

dmz/vault/templates/secret-store.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: vault

infra/argocd/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1
+  version: 8.1.3

infra/argocd/templates/argocd-crossplane.yaml

@@ -0,0 +1,101 @@
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: argocd-secret-crossplane
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: argocd-secret-crossplane
+#  data:
+#    - secretKey: authToken
+#      remoteRef:
+#        key: kv/argocd/provider-argocd
+#        property: token
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: prod-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: prod-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/prd
+#        property: kubeconfig
+#
+#---
+#apiVersion: argocd.crossplane.io/v1alpha1
+#kind: ProviderConfig
+#metadata:
+#  name: argocd-provider
+#spec:
+#  serverAddr: argocd-server.argocd.svc:443
+#  insecure: true
+#  plainText: false
+#  credentials:
+#    source: Secret
+#    secretRef:
+#      namespace: argocd
+#      name: argocd-secret-crossplane
+#      key: authToken
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: prd
+#  labels:
+#    purpose: prd
+#spec:
+#  forProvider:
+#    name: prd
+#    config:
+#      kubeconfigSecretRef:
+#        name: prod-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: dev-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: dev-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/dev
+#        property: kubeconfig
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: dev
+#  labels:
+#    purpose: dev
+#spec:
+#  forProvider:
+#    name: dev
+#    config:
+#      kubeconfigSecretRef:
+#        name: dev-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider

infra/argocd/templates/argocd.yaml

@@ -21,7 +21,7 @@ spec:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: vault-argocd

infra/argocd/templates/authentik.yaml

@@ -13,17 +13,16 @@ spec:
     namespace: authentik
     name: in-cluster
   syncPolicy:
-    managedNamespaceMetadata:
-      labels:
-        istio-injection: enabled
+    #managedNamespaceMetadata:
+    #  labels:
+    #    istio-injection: enabled
     automated:
       prune: true
-      selfHeal: true  
+      selfHeal: true
     syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
 
 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -41,7 +40,6 @@ spec:
   syncPolicy:
     automated:
       prune: true
-      selfHeal: true  
+      selfHeal: true
     syncOptions:
-      - CreateNamespace=true 
-
+      - CreateNamespace=true

infra/argocd/templates/bitwarden.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: bitwarden
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/bitwarden
+  destination:
+    namespace: bitwarden
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/crowdsec.yaml

@@ -0,0 +1,20 @@
+#apiVersion: argoproj.io/v1alpha1
+#kind: Application
+#metadata:
+#  name: crowdsec
+#  namespace: argocd
+#spec:
+#  project: default
+#  source:
+#    repoURL: https://gitlab.com/developerdurp/homelab.git
+#    targetRevision: main
+#    path: dmz/crowdsec
+#  destination:
+#    namespace: crowdsec
+#    name: dmz
+#  syncPolicy:
+#    automated:
+#      prune: true
+#      selfHeal: true
+#    syncOptions:
+#      - CreateNamespace=true

infra/argocd/templates/istio.yaml

@@ -13,41 +13,46 @@ spec:
     namespace: istio-system
     name: in-cluster
   syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        topology.istio.io/network: network1
     automated:
       prune: true
-      selfHeal: true  
+      selfHeal: true
     syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
   ignoreDifferences:
-  - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
-    jsonPointers:
-    - /webhooks/0/failurePolicy
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jsonPointers:
+        - /webhooks/0/failurePolicy
 
 ---
-
-#apiVersion: argoproj.io/v1alpha1
-#kind: Application
-#metadata:
-#  name: istio-system-dmz
-#  namespace: argocd
-#spec:
-#  project: default
-#  source:
-#    repoURL: https://gitlab.com/developerdurp/homelab.git
-#    targetRevision: main
-#    path: dmz/istio-system
-#  destination:
-#    namespace: istio-system
-#    name: dmz
-#  syncPolicy:
-#    automated:
-#      prune: true
-#      selfHeal: true  
-#    syncOptions:
-#      - CreateNamespace=true 
-#  ignoreDifferences:
-#  - group: admissionregistration.k8s.io
-#    kind: ValidatingWebhookConfiguration
-#    jsonPointers:
-#    - /webhooks/0/failurePolicy
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istio-system-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/istio-system
+  destination:
+    namespace: istio-system
+    name: dmz
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        topology.istio.io/network: network2
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jsonPointers:
+        - /webhooks/0/failurePolicy

infra/argocd/templates/kube-prometheus-stack.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-stack
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/kube-prometheus-stack
+  destination:
+    namespace: kube-prometheus-stack
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/litellm.yaml

@@ -1,20 +1,20 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: litellm
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: infra/litellm
-  destination:
-    namespace: litellm
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 
+#apiVersion: argoproj.io/v1alpha1
+#kind: Application
+#metadata:
+#  name: litellm
+#  namespace: argocd
+#spec:
+#  project: default
+#  source:
+#    repoURL: https://gitlab.com/developerdurp/homelab.git
+#    targetRevision: main
+#    path: infra/litellm
+#  destination:
+#    namespace: litellm
+#    name: in-cluster
+#  syncPolicy:
+#    automated:
+#      prune: true
+#      selfHeal: true
+#    syncOptions:
+#      - CreateNamespace=true

infra/argocd/templates/littlelink.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: littlelink
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/littlelink
+    directory:
+      recurse: true
+  destination:
+    name: dmz
+    namespace: littlelink
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/longhorn.yaml

@@ -15,7 +15,33 @@ spec:
   syncPolicy:
     automated:
       prune: true
-      selfHeal: true  
+      selfHeal: true
     syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
+  ignoreDifferences:
+    - group: engineimages.longhorn.io
+      jsonPointers:
+        - /spec/preserveUnknownFields
+      kind: CustomResourceDefinition
 
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: longhorn-system-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/longhorn
+  destination:
+    namespace: longhorn-system
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/metallb-system.yaml

@@ -42,3 +42,25 @@ spec:
     syncOptions:
       - CreateNamespace=true 
 
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metallb-system-dev
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dev/metallb-system
+  destination:
+    namespace: metallb-system
+    name: dev
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

infra/argocd/templates/nfs.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nfs
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/nfs
+  destination:
+    namespace: kube-system
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  

infra/argocd/templates/octopusdeploy.yaml

@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: octopusdeploy
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/octopusdeploy
+  destination:
+    namespace: octopusdeploy
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: octopusdeploy-agent
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/octopus-agent
+  destination:
+    namespace: octopus-agent
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/openclarity.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openclarity
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/openclarity
+  destination:
+    namespace: openclarity
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/openspeedtest.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openspeedtest
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/openspeedtest
+    directory:
+      recurse: true
+  destination:
+    name: dmz
+    namespace: openspeedtest
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/redlib.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: redlib
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/redlib
+    directory:
+      recurse: true
+  destination:
+    name: dmz
+    namespace: redlib
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/renovate.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/renovate
+  destination:
+    namespace: renovate
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/traefik.yaml

@@ -48,3 +48,29 @@ spec:
     syncOptions:
       - CreateNamespace=true 
 
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik-dev
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dev/traefik
+  destination:
+    namespace: traefik
+    name: dev
+  syncPolicy:
+    #    managedNamespaceMetadata:
+    #      labels:
+    #        istio-injection: enabled
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

infra/argocd/values.yaml

@@ -1,27 +1,26 @@
 argo-cd:
-
   global:
     revisionHistoryLimit: 1
     image:
       repository: registry.durp.info/argoproj/argocd
       imagePullPolicy: Always
 
-  server:
-    #extraArgs:
-    #  - --dex-server-plaintext
-    #  - --dex-server=argocd-dex-server:5556
-    # oidc.config: |
-    #   name: AzureAD
-    #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
-    #   clientID: CLIENT_ID
-    #   clientSecret: $oidc.azuread.clientSecret
-    #   requestedIDTokenClaims:
-    #     groups:
-    #       essential: true
-    #   requestedScopes:
-    #     - openid
-    #     - profile
-    #     - email
+  #server:
+  #extraArgs:
+  #  - --dex-server-plaintext
+  #  - --dex-server=argocd-dex-server:5556
+  # oidc.config: |
+  #   name: AzureAD
+  #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
+  #   clientID: CLIENT_ID
+  #   clientSecret: $oidc.azuread.clientSecret
+  #   requestedIDTokenClaims:
+  #     groups:
+  #       essential: true
+  #   requestedScopes:
+  #     - openid
+  #     - profile
+  #     - email
 
   dex:
     enabled: true
@@ -35,6 +34,7 @@ argo-cd:
       annotations: {}
       url: https://argocd.infra.durp.info
       oidc.tls.insecure.skip.verify: "true"
+      accounts.provider-argocd: apiKey
       dex.config: |
         connectors:
           - config:
@@ -50,13 +50,15 @@ argo-cd:
             name: authentik
             type: oidc
             id: authentik
+      resource.exclusions: ""
 
     rbac:
       create: true
       policy.csv: |
         g, ArgoCD Admins, role:admin
+        g, provider-argocd, role:admin
       scopes: "[groups]"
 
   server:
-    route: 
-      enabled: false
+    route:
+      enabled: false

infra/authentik/Chart.yaml

@@ -7,6 +7,7 @@ version: 0.1.0
 appVersion: "1.16.0"
 
 dependencies:
-- name: authentik
-  repository: https://charts.goauthentik.io
-  version: 2024.8.3
+  - name: authentik
+    repository: https://charts.goauthentik.io
+    version: 2025.4.1
+

infra/authentik/templates/ingress.yaml

@@ -6,16 +6,20 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: authentik-server
-      port: 80
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: authentik-server
+          port: 80
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
+      kind: Rule
+      services:
+        - name: ak-outpost-authentik-embedded-outpost
+          port: 9000
   tls:
     secretName: authentik-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -27,5 +31,4 @@ spec:
     kind: ClusterIssuer
   commonName: "authentik.durp.info"
   dnsNames:
-  - "authentik.durp.info" 
-
+    - "authentik.durp.info"

infra/authentik/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: authentik-secret

infra/authentik/values.yaml

@@ -1,6 +1,8 @@
 authentik:
   global:
-    env: 
+    security:
+      allowInsecureImages: true
+    env:
       - name: AUTHENTIK_POSTGRESQL__PASSWORD
         valueFrom:
           secretKeyRef:
@@ -19,7 +21,7 @@ authentik:
     outposts:
       container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s
     postgresql:
-      host: '{{ .Release.Name }}-postgresql-hl'
+      host: "{{ .Release.Name }}-postgresql-hl"
       name: "authentik"
       user: "authentik"
       port: 5432
@@ -36,7 +38,7 @@ authentik:
       pullPolicy: Always
     postgresqlUsername: "authentik"
     postgresqlDatabase: "authentik"
-    existingSecret: db-pass 
+    existingSecret: db-pass
     persistence:
       enabled: true
       storageClass: longhorn
@@ -47,7 +49,7 @@ authentik:
     enabled: true
     master:
       persistence:
-        enabled: false    
+        enabled: false
     image:
       registry: registry.durp.info
       repository: bitnami/redis