Update Helm release gitlab-runner to v0.83.3

update n8n
add gitlab
2025-11-29 07:03:21 +00:00 · 2025-10-22 05:23:07 -05:00 · 2025-10-09 06:25:05 -05:00 · 2025-09-20 09:24:21 -05:00 · 2025-09-20 08:05:50 -05:00 · 2025-09-20 07:56:57 -05:00
202 changed files with 5325 additions and 2421 deletions
--- a/.gitlab/.gitlab-ci.yml
+++ b/.gitlab/.gitlab-ci.yml
@@ -24,3 +24,11 @@ build_dev:
  rules:
    - changes:
        - "dev/terraform/*.tf"
 build_prd:
  stage: triggers
  trigger:
    include: prd/.gitlab/.gitlab-ci.yml
  rules:
    - changes:
        - "prd/terraform/*.tf"
--- a/ansible/newcluster.yaml
+++ b/ansible/newcluster.yaml
@@ -0,0 +1,2 @@
 argocd login --insecure
 argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd
--- a/ansible/roles/base/files/01proxy
+++ b/ansible/roles/base/files/01proxy
@@ -0,0 +1 @@
 Acquire::http::Proxy "http://192.168.21.200:3142";
--- a/ansible/roles/base/files/authorized_keys_user
+++ b/ansible/roles/base/files/authorized_keys_user
@@ -1 +1,2 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
 sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano
--- a/ansible/roles/base/tasks/main.yaml
+++ b/ansible/roles/base/tasks/main.yaml
@@ -1,3 +1,15 @@
 - name: Copy apt proxy
  copy: 
    src: files/01proxy
    dest: /etc/apt/apt.conf.d/01proxy
    owner: root 
    group: root 
    mode: "0644"
    force: yes
  when: 
    - ansible_os_family == "Debian"      
    - inventory_hostname not in hosts_deny
 - name: Update packages
  apt:
    name: '*'
--- a/dev/cert-manager/Chart.yaml
+++ b/dev/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2
--- a/dev/cert-manager/templates/secretvault.yaml
+++ b/dev/cert-manager/templates/secretvault.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: cloudflare-api-token-secret
--- a/dev/external-dns/Chart.yaml
+++ b/dev/external-dns/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
  repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2
--- a/dev/external-dns/templates/secrets.yaml
+++ b/dev/external-dns/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-dns-secret
--- a/dev/external-secrets/Chart.yaml
+++ b/dev/external-secrets/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
  repository: https://charts.external-secrets.io
-  version: 0.13.0
+  version: 0.17.0
--- a/dev/metallb-system/Chart.yaml
+++ b/dev/metallb-system/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
  repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2
--- a/dev/metallb-system/templates/config.yaml
+++ b/dev/metallb-system/templates/config.yaml
@@ -4,7 +4,7 @@ metadata:
  name: cheap
 spec:
  addresses:
-    - 192.168.98.130-192.168.98.140
+    - 192.168.10.130-192.168.10.140
 ---
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
--- a/dev/terraform/main.tf
+++ b/dev/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    proxmox = {
      source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
    }
  }
 }
@@ -30,7 +30,7 @@ locals {
    cores   = 2
    memory  = "4096"
    drive   = 20
-    storage = "domains"
+    storage = "cache-domains"
    node    = ["mothership", "overlord", "vanguard"]
    ip      = ["11", "12", "13"]
  }
@@ -41,7 +41,7 @@ locals {
    cores   = 4
    memory  = "8192"
    drive   = 120
-    storage = "domains"
+    storage = "cache-domains"
    node    = ["mothership", "overlord", "vanguard"]
    ip      = ["21", "22", "23"]
  }
--- a/dev/traefik/Chart.yaml
+++ b/dev/traefik/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0
--- a/dev/traefik/templates/config.yaml
+++ b/dev/traefik/templates/config.yaml
@@ -1,16 +0,0 @@
 #apiVersion: v1
 #kind: ConfigMap
 #metadata:
 #  name: traefik-configmap
 #data:
 #  config.yml: |
 #    http:
 #      routers:
 #        router0:
 #          service: service0
 #          rule: Host(`testing.durp.info`)
 #      services:
 #        service0:
 #          loadBalancer:
 #            servers:
 #              - url: https://192.168.20.130
--- a/dev/traefik/templates/middleware.yaml
+++ b/dev/traefik/templates/middleware.yaml
@@ -1,35 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
    name: authentik-proxy-provider
    namespace: traefik
 spec:
  forwardAuth:
    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: whitelist
  namespace: traefik
 spec:
  ipWhiteList:
    sourceRange:
      - 192.168.0.0/16
      - 172.16.0.0/12
      - 10.0.0.0/8
--- a/dev/traefik/templates/traefik-dashboard.yaml
+++ b/dev/traefik/templates/traefik-dashboard.yaml
@@ -1,34 +0,0 @@
 #apiVersion: traefik.io/v1alpha1
 #kind: IngressRoute
 #metadata:
 #  name: traefik-ingress
 #spec:
 #  entryPoints:
 #    - websecure
 #  routes:
 #  - match: Host(`traefik.durp.info`)
 #    kind: Rule
 #    services:
 #    - name: api@internal
 #      kind: TraefikService
 #  tls:
 #    secretName: traefik-tls  
 #
 #---
 #
 #apiVersion: cert-manager.io/v1
 #kind: Certificate
 #metadata:
 #  name: traefik-tls
 #  namespace: traefik
 #spec:
 #  secretName: traefik-tls
 #  issuerRef:
 #    name: letsencrypt-production
 #    kind: ClusterIssuer
 #  commonName: "traefik.durp.info"
 #  dnsNames:
 #  - "traefik.durp.info"
 #
 #---
 #
--- a/dev/traefik/values.yaml
+++ b/dev/traefik/values.yaml
@@ -1,10 +1,10 @@
 traefik:
-  image: 
+  image:
    #    registry: registry.durp.info
    #    repository: traefik
    pullPolicy: Always
-  
+
-  providers:  
+  providers:
    kubernetesCRD:
      allowCrossNamespace: true
      allowExternalNameServices: true
@@ -18,40 +18,39 @@ traefik:
  #   - name: traefik-configmap
  #     mountPath: "/config"
  #     type: configMap
-  
+
  ingressRoute:
    dashboard:
      enabled: true
-  
+
-  additionalArguments: 
+  additionalArguments:
    #  - "--providers.file.filename=/config/config.yml"
    - "--serversTransport.insecureSkipVerify=true"
    - "--log.level=DEBUG"
    - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
    - --experimental.plugins.jwt.version=v0.7.0
-  
+
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 10
    metrics:
-    - type: Resource
+      - type: Resource
-      resource:
+        resource:
-        name: cpu
+          name: cpu
-        target:
+          target:
-          type: Utilization
+            type: Utilization
-          averageUtilization: 80
+            averageUtilization: 80
    behavior:
      scaleDown:
        stabilizationWindowSeconds: 300
        policies:
-        - type: Pods
+          - type: Pods
-          value: 1
+            value: 1
-          periodSeconds: 60
+            periodSeconds: 60
-  
+
  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
-  resources: 
+  resources:
    requests:
      cpu: "100m"
      memory: "512Mi"
--- a/dev/vault/Chart.yaml
+++ b/dev/vault/Chart.yaml
@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
  repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
--- a/dev/vault/templates/secret-store.yaml
+++ b/dev/vault/templates/secret-store.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: vault
--- a/dmz/authentik/Chart.yaml
+++ b/dmz/authentik/Chart.yaml
@@ -7,6 +7,6 @@ version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
- name: authentik-remote-cluster
+  - name: authentik-remote-cluster
-  repository: https://charts.goauthentik.io
+    repository: https://charts.goauthentik.io
-  version: 2.0.0
+    version: 2.1.0
--- a/dmz/authentik/templates/ingress.yaml
+++ b/dmz/authentik/templates/ingress.yaml
@@ -0,0 +1,62 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: authentik-tls
 spec:
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  secretName: authentik-tls
  commonName: "authentik.durp.info"
  dnsNames:
    - "authentik.durp.info"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: authentik-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: infra-cluster
          port: 443
  tls:
    secretName: authentik-tls
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: authentik-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: infra-cluster
 subsets:
  - addresses:
      - ip: 192.168.12.130
    ports:
      - port: 443
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: infra-cluster
 spec:
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
--- a/dmz/cert-manager/Chart.yaml
+++ b/dmz/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2
--- a/dmz/cert-manager/templates/secretvault.yaml
+++ b/dmz/cert-manager/templates/secretvault.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: cloudflare-api-token-secret
--- a/dmz/crowdsec/Chart.yaml
+++ b/dmz/crowdsec/Chart.yaml
@@ -0,0 +1,11 @@
 apiVersion: v2
 name: crowdsec
 description: A Helm chart for Kubernetes
 type: application
 version: 0.0.1
 appVersion: 0.0.1
 dependencies:
  - name: crowdsec
    repository: https://crowdsecurity.github.io/helm-charts
    version: 0.19.4
--- a/dmz/crowdsec/templates/secrets.yaml
+++ b/dmz/crowdsec/templates/secrets.yaml
@@ -0,0 +1,29 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: enroll-key
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: enroll-key
  data:
    - secretKey: ENROLL_INSTANCE_NAME
      remoteRef:
        key: kv/crowdsec/dmz-enroll
        property: ENROLL_INSTANCE_NAME
    - secretKey: ENROLL_KEY
      remoteRef:
        key: kv/crowdsec/dmz-enroll
        property: ENROLL_KEY
    - secretKey: ENROLL_TAGS
      remoteRef:
        key: kv/crowdsec/dmz-enroll
        property: ENROLL_TAGS
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
--- a/dmz/crowdsec/values.yaml
+++ b/dmz/crowdsec/values.yaml
@@ -0,0 +1,24 @@
 crowdsec:
  #
  image:
    repository: registry.durp.info/crowdsecurity/crowdsec
    pullPolicy: Always
  # for raw logs format: json or cri (docker|containerd)
  container_runtime: containerd
  agent:
    # Specify each pod whose logs you want to process
    acquisition:
      # The namespace where the pod is located
      - namespace: traefik
        # The pod name
        podName: traefik-*
        # as in crowdsec configuration, we need to specify the program name to find a matching parser
        program: traefik
    env:
      - name: COLLECTIONS
        value: "crowdsecurity/traefik"
  lapi:
    envFrom:
      - secretRef:
          name: enroll-key
--- a/dmz/external-dns/Chart.yaml
+++ b/dmz/external-dns/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
  repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2
--- a/dmz/external-dns/templates/secrets.yaml
+++ b/dmz/external-dns/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-dns-secret
--- a/dmz/external-dns/values.yaml
+++ b/dmz/external-dns/values.yaml
@@ -1,6 +1,8 @@
 external-dns:
  global:
    imageRegistry: "registry.durp.info"
    security:
      allowInsecureImages: true
  image:
    pullPolicy: Always
@@ -9,10 +11,10 @@ external-dns:
  sources:
    - service
-    
+
  provider: cloudflare
  cloudflare:
-    secretName : "external-dns"
+    secretName: "external-dns"
    proxied: false
  policy: sync
--- a/dmz/external-secrets/Chart.yaml
+++ b/dmz/external-secrets/Chart.yaml
@@ -6,6 +6,6 @@ version: 0.0.1
 appVersion: 0.0.1
 dependencies:
- name: external-secrets
+  - name: external-secrets
-  repository: https://charts.external-secrets.io
+    repository: https://charts.external-secrets.io
-  version: 0.15.0
+    version: 0.17.0
--- a/dmz/external-secrets/values.yaml
+++ b/dmz/external-secrets/values.yaml
@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
    security:
      allowInsecureImages: true
  log:
    level: debug
  replicaCount: 1
  revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false
  installCRDs: true
  crds:
@@ -16,24 +22,24 @@ external-secrets:
    repository: registry.durp.info/external-secrets/external-secrets
    pullPolicy: Always
-  extraVolumes: 
+  extraVolumes:
    - name: ca-pemstore
      configMap:
        name: ca-pemstore
-  extraVolumeMounts: 
+  extraVolumeMounts:
    - name: ca-pemstore
      mountPath: /etc/ssl/certs/vault.pem
      subPath: vault.pem
      readOnly: true
-  resources: 
+  #  resources:
-    requests:
+  #    requests:
-      memory: 32Mi
+  #      memory: 32Mi
-      cpu: 10m
+  #      cpu: 10m
-    limits:
+  #    limits:
-      memory: 32Mi
+  #      memory: 32Mi
-      cpu: 10m
+  #      cpu: 10m
  webhook:
    create: false
@@ -44,24 +50,24 @@ external-secrets:
      repository: registry.durp.info/external-secrets/external-secrets
      pullPolicy: Always
-    extraVolumes: 
+    extraVolumes:
      - name: ca-pemstore
        configMap:
          name: ca-pemstore
-    extraVolumeMounts: 
+    extraVolumeMounts:
      - name: ca-pemstore
        mountPath: /etc/ssl/certs/vault.pem
        subPath: vault.pem
        readOnly: true
-    resources: 
+  #    resources:
-      requests:
+  #      requests:
-        memory: 32Mi
+  #        memory: 32Mi
-        cpu: 10m
+  #        cpu: 10m
-      limits:
+  #      limits:
-        memory: 32Mi
+  #        memory: 32Mi
-        cpu: 10m
+  #        cpu: 10m
  certController:
    create: false
@@ -74,7 +80,7 @@ external-secrets:
      pullPolicy: Always
      tag: ""
-    resources: 
+    resources:
      requests:
        memory: 32Mi
        cpu: 10m
@@ -82,12 +88,12 @@ external-secrets:
        memory: 32Mi
        cpu: 10m
-    extraVolumes: 
+    extraVolumes:
      - name: ca-pemstore
        configMap:
          name: ca-pemstore
-    extraVolumeMounts: 
+    extraVolumeMounts:
      - name: ca-pemstore
        mountPath: /etc/ssl/certs/vault.pem
        subPath: vault.pem
--- a/dmz/gitlab-runner/Chart.yaml
+++ b/dmz/gitlab-runner/Chart.yaml
@@ -8,8 +8,8 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
  repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.83.3
 - name: gitlab-runner
  repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.83.3
  alias: personal
--- a/dmz/gitlab-runner/templates/secrets.yaml
+++ b/dmz/gitlab-runner/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gitlab-secret
@@ -27,7 +27,7 @@ metadata:
 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gitlab-secret-personal
--- a/dmz/internalproxy/templates/authentik.yaml
+++ b/dmz/internalproxy/templates/authentik.yaml
@@ -1,42 +1,40 @@
-apiVersion: traefik.io/v1alpha1
+#apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+#kind: IngressRoute
-metadata:
+#metadata:
-  name: authentik-ingress
+#  name: authentik-ingress
-spec:
+#spec:
-  entryPoints:
+#  entryPoints:
-    - websecure
+#    - websecure
-  routes:
+#  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
+#    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
-    kind: Rule
+#      kind: Rule
-    services:
+#      services:
-    - name: infra-cluster
+#        - name: infra-cluster
-      port: 443
+#          port: 443
-  tls:
+#  tls:
-    secretName: authentik-tls
+#    secretName: authentik-tls
-
+#
---
+#---
-
+#apiVersion: cert-manager.io/v1
-apiVersion: cert-manager.io/v1
+#kind: Certificate
-kind: Certificate
+#metadata:
-metadata:
+#  name: authentik-tls
-  name: authentik-tls
+#spec:
-spec:
+#  issuerRef:
-  issuerRef:
+#    name: letsencrypt-production
-    name: letsencrypt-production
+#    kind: ClusterIssuer
-    kind: ClusterIssuer
+#  secretName: authentik-tls
-  secretName: authentik-tls
+#  commonName: "authentik.durp.info"
-  commonName: "authentik.durp.info"
+#  dnsNames:
-  dnsNames:
+#    - "authentik.durp.info"
-  - "authentik.durp.info"
+#
-
+#---
---
+#kind: Service
-
+#apiVersion: v1
-kind: Service
+#metadata:
-apiVersion: v1
+#  name: authentik-external-dns
-metadata:
+#  annotations:
-  name: authentik-external-dns
+#    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
-  annotations:
+#spec:
-    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+#  type: ExternalName
-spec:
+#  externalName: durp.info
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/bitwarden.yaml
+++ b/dmz/internalproxy/templates/bitwarden.yaml
@@ -9,7 +9,7 @@ spec:
  - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) 
    kind: Rule
    services:
-    - name: master-cluster
+    - name: infra-cluster
      port: 443
  tls:
    secretName: bitwarden-tls
--- a/dmz/internalproxy/templates/gitlab.yaml
+++ b/dmz/internalproxy/templates/gitlab.yaml
@@ -0,0 +1,68 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: gitlab
 spec:
  ports:
    - name: app
      port: 9080
      protocol: TCP
      targetPort: 9080
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: gitlab
 subsets:
  - addresses:
      - ip: 192.168.21.200
    ports:
      - name: app
        port: 9080
        protocol: TCP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: gitlab-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: gitlab
          port: 9080
          scheme: http
  tls:
    secretName: gitlab-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: gitlab-tls
 spec:
  secretName: gitlab-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "gitlab.durp.info"
  dnsNames:
    - "gitlab.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: gitlab-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/grafana.yaml
+++ b/dmz/internalproxy/templates/grafana.yaml
@@ -0,0 +1,40 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: grafana-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: infra-cluster
          port: 443
  tls:
    secretName: grafana-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: grafana-tls
 spec:
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  secretName: grafana-tls
  commonName: "grafana.durp.info"
  dnsNames:
    - "grafana.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: grafana-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/invidious.yaml
+++ b/dmz/internalproxy/templates/invidious.yaml
@@ -0,0 +1,74 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: invidious
 spec:
  ports:
  - name: app
    port: 3000
    protocol: TCP
    targetPort: 3000
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: invidious
 subsets:
 - addresses:
  - ip: 192.168.20.104
  ports:
  - name: app
    port: 3000
    protocol: TCP
 ---    
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: invidious-ingress
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`invidious.durp.info`) && PathPrefix(`/`)
    middlewares:
    - name: authentik-proxy-provider
      namespace: traefik  
    kind: Rule
    services:
    - name: invidious
      port: 3000
  tls:
    secretName: invidious-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: invidious-tls
 spec:
  secretName: invidious-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "invidious.durp.info"
  dnsNames:
  - "invidious.durp.info"  
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: invidious-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: invidious.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/n8n.yaml
+++ b/dmz/internalproxy/templates/n8n.yaml
@@ -0,0 +1,68 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: n8n
 spec:
  ports:
    - name: app
      port: 5678
      protocol: TCP
      targetPort: 5678
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: n8n
 subsets:
  - addresses:
      - ip: 192.168.21.200
    ports:
      - name: app
        port: 5678
        protocol: TCP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: n8n-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: n8n
          port: 5678
          scheme: http
  tls:
    secretName: n8n-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: n8n-tls
 spec:
  secretName: n8n-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "n8n.durp.info"
  dnsNames:
    - "n8n.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: n8n-dns
  annotations:
    dns.alpha.kubernetes.io/hostname: n8n.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/octopus.yaml
+++ b/dmz/internalproxy/templates/octopus.yaml
@@ -0,0 +1,40 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: octopus-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`octopus.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: infra-cluster
          port: 443
  tls:
    secretName: octopus-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: octopus-tls
 spec:
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  secretName: octopus-tls
  commonName: "octopus.durp.info"
  dnsNames:
    - "octopus.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: octopus-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: octopus.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/ollama.yaml
+++ b/dmz/internalproxy/templates/ollama.yaml
@@ -1,102 +1,102 @@
-#apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
-#kind: ExternalSecret
+kind: ExternalSecret
-#metadata:
+metadata:
-#  name: ollama-secret
+  name: ollama-secret
-#spec:
+spec:
-#  secretStoreRef:
+  secretStoreRef:
-#    name: vault
+    name: vault
-#    kind: ClusterSecretStore
+    kind: ClusterSecretStore
-#  target:
+  target:
-#    name: ollama-secret
+    name: ollama-secret
-#  data:
+  data:
-#    - secretKey: users
+    - secretKey: users
-#      remoteRef:
+      remoteRef:
-#        key: kv/ollama
+        key: kv/ollama
-#        property: users
+        property: users
-#
+
-#---
+---
-#
+
-#apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.io/v1alpha1
-#kind: Middleware
+kind: Middleware
-#metadata:
+metadata:
-#  name: ollama-basic-auth
+  name: ollama-basic-auth
-#spec:
+spec:
-#  basicAuth:
+  basicAuth:
-#    headerField: x-api-key
+    headerField: x-api-key
-#    secret: ollama-secret
+    secret: ollama-secret
-#
+
-#---
+---
-#
+
-#apiVersion: v1
+apiVersion: v1
-#kind: Service
+kind: Service
-#metadata:
+metadata:
-#  name: ollama
+  name: ollama
-#spec:
+spec:
-#  ports:
+  ports:
-#    - name: app
+    - name: app
-#      port: 11435
+      port: 11435
-#      protocol: TCP
+      protocol: TCP
-#      targetPort: 11435
+      targetPort: 11435
-#  clusterIP: None
+  clusterIP: None
-#  type: ClusterIP
+  type: ClusterIP
-#
+
-#---
+---
-#
+
-#apiVersion: v1
+apiVersion: v1
-#kind: Endpoints
+kind: Endpoints
-#metadata:
+metadata:
-#  name: ollama
+  name: ollama
-#subsets:
+subsets:
-#  - addresses:
+  - addresses:
-#      - ip: 192.168.20.104
+      - ip: 192.168.20.104
-#    ports:
+    ports:
-#      - name: app
+      - name: app
-#        port: 11435
+        port: 11435
-#        protocol: TCP
+        protocol: TCP
-#
+
-#---
+---
-#
+
-#apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
+kind: IngressRoute
-#metadata:
+metadata:
-#  name: ollama-ingress
+  name: ollama-ingress
-#spec:
+spec:
-#  entryPoints:
+  entryPoints:
-#    - websecure
+    - websecure
-#  routes:
+  routes:
-#    - match: Host(`ollama.durp.info`) && PathPrefix(`/`)
+    - match: Host(`ollama.durp.info`) && PathPrefix(`/`)
-#      middlewares:
+      middlewares:
-#        - name: ollama-basic-auth
+        - name: ollama-basic-auth
-#      kind: Rule
+      kind: Rule
-#      services:
+      services:
-#        - name: ollama
+        - name: ollama
-#          port: 11435
+          port: 11435
-#  tls:
+  tls:
-#    secretName: ollama-tls
+    secretName: ollama-tls
-#
+
-#---
+---
-#
+
-#apiVersion: cert-manager.io/v1
+apiVersion: cert-manager.io/v1
-#kind: Certificate
+kind: Certificate
-#metadata:
+metadata:
-#  name: ollama-tls
+  name: ollama-tls
-#spec:
+spec:
-#  secretName: ollama-tls
+  secretName: ollama-tls
-#  issuerRef:
+  issuerRef:
-#    name: letsencrypt-production
+    name: letsencrypt-production
-#    kind: ClusterIssuer
+    kind: ClusterIssuer
-#  commonName: "ollama.durp.info"
+  commonName: "ollama.durp.info"
-#  dnsNames:
+  dnsNames:
-#    - "ollama.durp.info"
+    - "ollama.durp.info"
-#
+
-#---
+---
-#
+
-#kind: Service
+kind: Service
-#apiVersion: v1
+apiVersion: v1
-#metadata:
+metadata:
-#  name: ollama-external-dns
+  name: ollama-external-dns
-#  annotations:
+  annotations:
-#    external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
+    external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
-#spec:
+spec:
-#  type: ExternalName
+  type: ExternalName
-#  externalName: durp.info
+  externalName: durp.info
--- a/dmz/internalproxy/templates/redlib.yaml
+++ b/dmz/internalproxy/templates/redlib.yaml
@@ -1,74 +1,74 @@
-apiVersion: v1
+#apiVersion: v1
-kind: Service
+#kind: Service
-metadata:
+#metadata:
-  name: redlib
+#  name: redlib
-spec:
+#spec:
-  ports:
+#  ports:
-  - name: app
+#  - name: app
-    port: 8082
+#    port: 8082
-    protocol: TCP
+#    protocol: TCP
-    targetPort: 8082
+#    targetPort: 8082
-  clusterIP: None
+#  clusterIP: None
-  type: ClusterIP
+#  type: ClusterIP
-
+#
---
+#---
-
+#
-apiVersion: v1
+#apiVersion: v1
-kind: Endpoints
+#kind: Endpoints
-metadata:
+#metadata:
-  name: redlib
+#  name: redlib
-subsets:
+#subsets:
- addresses:
+#- addresses:
-  - ip: 192.168.21.200
+#  - ip: 192.168.21.200
-  ports:
+#  ports:
-  - name: app
+#  - name: app
-    port: 8082
+#    port: 8082
-    protocol: TCP
+#    protocol: TCP
-
+#
---    
+#---    
-
+#
-apiVersion: traefik.io/v1alpha1
+#apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+#kind: IngressRoute
-metadata:
+#metadata:
-  name: redlib-ingress
+#  name: redlib-ingress
-spec:
+#spec:
-  entryPoints:
+#  entryPoints:
-    - websecure
+#    - websecure
-  routes:
+#  routes:
-  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+#  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
-    middlewares:
+#    middlewares:
-    - name: authentik-proxy-provider
+#    - name: authentik-proxy-provider
-      namespace: traefik  
+#      namespace: traefik  
-    kind: Rule
+#    kind: Rule
-    services:
+#    services:
-    - name: redlib
+#    - name: redlib
-      port: 8082
+#      port: 8082
-  tls:
+#  tls:
-    secretName: redlib-tls
+#    secretName: redlib-tls
-
+#
---
+#---
-
+#
-apiVersion: cert-manager.io/v1
+#apiVersion: cert-manager.io/v1
-kind: Certificate
+#kind: Certificate
-metadata:
+#metadata:
-  name: redlib-tls
+#  name: redlib-tls
-spec:
+#spec:
-  secretName: redlib-tls
+#  secretName: redlib-tls
-  issuerRef:
+#  issuerRef:
-    name: letsencrypt-production
+#    name: letsencrypt-production
-    kind: ClusterIssuer
+#    kind: ClusterIssuer
-  commonName: "redlib.durp.info"
+#  commonName: "redlib.durp.info"
-  dnsNames:
+#  dnsNames:
-  - "redlib.durp.info"  
+#  - "redlib.durp.info"  
-
+#
---
+#---
-
+#
-kind: Service
+#kind: Service
-apiVersion: v1
+#apiVersion: v1
-metadata:
+#metadata:
-  name: redlib-external-dns
+#  name: redlib-external-dns
-  annotations:
+#  annotations:
-    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+#    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
-spec:
+#spec:
-  type: ExternalName
+#  type: ExternalName
-  externalName: durp.info
+#  externalName: durp.info
--- a/dmz/internalproxy/templates/registry.yaml
+++ b/dmz/internalproxy/templates/registry.yaml
@@ -4,29 +4,27 @@ metadata:
  name: registry
 spec:
  ports:
-  - name: app
+    - name: app
-    port: 5000
+      port: 5000
-    protocol: TCP
+      protocol: TCP
-    targetPort: 5000
+      targetPort: 5000
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: registry
 subsets:
- addresses:
+  - addresses:
-  - ip: 192.168.21.200
+      - ip: 192.168.21.200
-  ports:
+    ports:
-  - name: app
+      - name: app
-    port: 5000
+        port: 5000
-    protocol: TCP
+        protocol: TCP
 ---    
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -35,16 +33,18 @@ spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`registry.durp.info`) && PathPrefix(`/`)
+    - match: Host(`registry.durp.info`) && PathPrefix(`/`)
-    kind: Rule
+      kind: Rule
-    services:
+      middlewares:
-    - name: registry
+        - name: whitelist
-      port: 5000
+          namespace: traefik
      services:
        - name: registry
          port: 5000
  tls:
    secretName: registry-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -56,16 +56,15 @@ spec:
    kind: ClusterIssuer
  commonName: "registry.durp.info"
  dnsNames:
-  - "registry.durp.info"  
+    - "registry.durp.info"
 ---
-
+#kind: Service
-kind: Service
+#apiVersion: v1
-apiVersion: v1
+#metadata:
-metadata:
+#  name: registry-external-dns
-  name: registry-external-dns
+#  annotations:
-  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
-    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
+#spec:
-spec:
+#  type: ExternalName
-  type: ExternalName
+#  externalName: durp.info
  externalName: durp.info
--- a/dmz/internalproxy/templates/s3.yaml
+++ b/dmz/internalproxy/templates/s3.yaml
@@ -61,7 +61,7 @@ spec:
  commonName: "s3.internal.durp.info"
  dnsNames:
    - "s3.internal.durp.info"
-    -
+
 ---
 apiVersion: traefik.io/v1alpha1
--- a/dmz/internalproxy/templates/speedtest.yaml
+++ b/dmz/internalproxy/templates/speedtest.yaml
@@ -1,74 +1,74 @@
-apiVersion: v1
+#apiVersion: v1
-kind: Service
+#kind: Service
-metadata:
+#metadata:
-  name: speedtest
+#  name: speedtest
-spec:
+#spec:
-  ports:
+#  ports:
-  - name: app
+#  - name: app
-    port: 6580
+#    port: 6580
-    protocol: TCP
+#    protocol: TCP
-    targetPort: 6580
+#    targetPort: 6580
-  clusterIP: None
+#  clusterIP: None
-  type: ClusterIP
+#  type: ClusterIP
-
+#
---
+#---
-
+#
-apiVersion: v1
+#apiVersion: v1
-kind: Endpoints
+#kind: Endpoints
-metadata:
+#metadata:
-  name: speedtest
+#  name: speedtest
-subsets:
+#subsets:
- addresses:
+#- addresses:
-  - ip: 192.168.21.200
+#  - ip: 192.168.21.200
-  ports:
+#  ports:
-  - name: app
+#  - name: app
-    port: 6580
+#    port: 6580
-    protocol: TCP
+#    protocol: TCP
-
+#
---    
+#---    
-
+#
-apiVersion: traefik.io/v1alpha1
+#apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+#kind: IngressRoute
-metadata:
+#metadata:
-  name: speedtest-ingress
+#  name: speedtest-ingress
-spec:
+#spec:
-  entryPoints:
+#  entryPoints:
-    - websecure
+#    - websecure
-  routes:
+#  routes:
-  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+#  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
-    kind: Rule
+#    kind: Rule
-    middlewares:
+#    middlewares:
-    - name: authentik-proxy-provider
+#    - name: authentik-proxy-provider
-      namespace: traefik 
+#      namespace: traefik 
-    services:
+#    services:
-    - name: speedtest
+#    - name: speedtest
-      port: 6580
+#      port: 6580
-  tls:
+#  tls:
-    secretName: speedtest-tls
+#    secretName: speedtest-tls
-
+#
---
+#---
-
+#
-apiVersion: cert-manager.io/v1
+#apiVersion: cert-manager.io/v1
-kind: Certificate
+#kind: Certificate
-metadata:
+#metadata:
-  name: speedtest-tls
+#  name: speedtest-tls
-spec:
+#spec:
-  secretName: speedtest-tls
+#  secretName: speedtest-tls
-  issuerRef:
+#  issuerRef:
-    name: letsencrypt-production
+#    name: letsencrypt-production
-    kind: ClusterIssuer
+#    kind: ClusterIssuer
-  commonName: "speedtest.durp.info"
+#  commonName: "speedtest.durp.info"
-  dnsNames:
+#  dnsNames:
-  - "speedtest.durp.info"  
+#  - "speedtest.durp.info"  
-
+#
---
+#---
-
+#
-kind: Service
+#kind: Service
-apiVersion: v1
+#apiVersion: v1
-metadata:
+#metadata:
-  name: speedtest-external-dns
+#  name: speedtest-external-dns
-  annotations:
+#  annotations:
-    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+#    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
-spec:
+#spec:
-  type: ExternalName
+#  type: ExternalName
-  externalName: durp.info
+#  externalName: durp.info
--- a/dmz/istio-system/Chart.yaml
+++ b/dmz/istio-system/Chart.yaml
@@ -6,12 +6,12 @@ version: 0.0.1
 appVersion: 0.0.1
 dependencies:
- name: base
+  - name: base
-  repository: https://istio-release.storage.googleapis.com/charts
+    repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.0
+    version: 1.26.2
- name: istiod
+  - name: istiod
-  repository: https://istio-release.storage.googleapis.com/charts
+    repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.0
+    version: 1.26.2
- name: gateway
+  - name: gateway
-  repository: https://istio-release.storage.googleapis.com/charts
+    repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.0
+    version: 1.26.2
--- a/dmz/istio-system/templates/annotate.yaml
+++ b/dmz/istio-system/templates/annotate.yaml
@@ -1,13 +1,14 @@
-apiVersion: v1
+#apiVersion: v1
-kind: Namespace
+#kind: Namespace
-metadata:
+#metadata:
-  annotations:
+#  annotations:
-    topology.istio.io/controlPlaneClusters: cluster1
+#    topology.istio.io/controlPlaneClusters: cluster1
-  labels:
+#  labels:
-    kubernetes.io/metadata.name: istio-system
+#    kubernetes.io/metadata.name: istio-system
-  name: istio-system
+#  name: istio-system
-spec:
+#spec:
-  finalizers:
+#  finalizers:
-  - kubernetes
+#  - kubernetes
-status:
+#status:
-  phase: Active
+#  phase: Active
 #
--- a/dmz/istio-system/templates/expose.yaml
+++ b/dmz/istio-system/templates/expose.yaml
@@ -0,0 +1,16 @@
 apiVersion: networking.istio.io/v1
 kind: Gateway
 metadata:
  name: cross-network-gateway
 spec:
  selector:
    istio: eastwestgateway
  servers:
    - port:
        number: 15443
        name: tls
        protocol: TLS
      tls:
        mode: AUTO_PASSTHROUGH
      hosts:
        - "*.local"
--- a/dmz/istio-system/values.yaml
+++ b/dmz/istio-system/values.yaml
@@ -1,725 +1,10 @@
 istiod:
  profile: remote
  autoscaleEnabled: true
  autoscaleMin: 1
  autoscaleMax: 5
  autoscaleBehavior: {}
  replicaCount: 1
  rollingMaxSurge: 100%
  rollingMaxUnavailable: 25%
  hub: ""
  tag: ""
  variant: ""
  # Can be a full hub/image:tag
  image: pilot
  traceSampling: 1.0
  # Resources for a small pilot install
  resources:
    requests:
      cpu: 500m
      memory: 2048Mi
  # Set to `type: RuntimeDefault` to use the default profile if available.
  seccompProfile: {}
  # Whether to use an existing CNI installation
  cni:
    enabled: false
    provider: default
  # Additional container arguments
  extraContainerArgs: []
  env: {}
  # Settings related to the untaint controller
  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
  taint:
    # Controls whether or not the untaint controller is active
    enabled: false
    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
    namespace: ""
  affinity: {}
  tolerations: []
  cpu:
    targetAverageUtilization: 80
  memory: {}
    # targetAverageUtilization: 80
  # Additional volumeMounts to the istiod container
  volumeMounts: []
  # Additional volumes to the istiod pod
  volumes: []
  # Inject initContainers into the istiod pod
  initContainers: []
  nodeSelector: {}
  podAnnotations: {}
  serviceAnnotations: {}
  serviceAccountAnnotations: {}
  sidecarInjectorWebhookAnnotations: {}
  topologySpreadConstraints: []
  # You can use jwksResolverExtraRootCA to provide a root certificate
  # in PEM format. This will then be trusted by pilot when resolving
  # JWKS URIs.
  jwksResolverExtraRootCA: ""
  # The following is used to limit how long a sidecar can be connected
  # to a pilot. It balances out load across pilot instances at the cost of
  # increasing system churn.
  keepaliveMaxServerConnectionAge: 30m
  # Additional labels to apply to the deployment.
  deploymentLabels: {}
  ## Mesh config settings
  # Install the mesh config map, generated from values.yaml.
  # If false, pilot wil use default values (by default) or user-supplied values.
  configMap: true
  # Additional labels to apply on the pod level for monitoring and logging configuration.
  podLabels: {}
  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
  ipFamilyPolicy: ""
  ipFamilies: []
  # Ambient mode only.
  # Set this if you install ztunnel to a different namespace from `istiod`.
  # If set, `istiod` will allow connections from trusted node proxy ztunnels
  # in the provided namespace.
  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
  # in the same namespace as itself.
  trustedZtunnelNamespace: ""
  sidecarInjectorWebhook:
    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
    # always skip the injection on pods that match that label selector, regardless of the global policy.
    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
    neverInjectSelector: []
    alwaysInjectSelector: []
    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
    #
    # annotations:
    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    #
    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
    # injectedAnnotations:
    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
    injectedAnnotations: {}
    # This enables injection of sidecar in all namespaces,
    # with the exception of namespaces with "istio-injection:disabled" annotation
    # Only one environment should have this enabled.
    enableNamespacesByDefault: false
    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
    reinvocationPolicy: Never
    rewriteAppHTTPProbe: true
    # Templates defines a set of custom injection templates that can be used. For example, defining:
    #
    # templates:
    #   hello: |
    #     metadata:
    #       labels:
    #         hello: world
    #
    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
    # being injected with the hello=world labels.
    # This is intended for advanced configuration only; most users should use the built in template
    templates: {}
    # Default templates specifies a set of default templates that are used in sidecar injection.
    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
    # To inject other additional templates, define it using the `templates` option, and add it to
    # the default templates list.
    # For example:
    #
    # templates:
    #   hello: |
    #     metadata:
    #       labels:
    #         hello: world
    #
    # defaultTemplates: ["sidecar", "hello"]
    defaultTemplates: []
  istiodRemote:
    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
    # to utilize a remote instance.
    enabled: false
    # Sidecar injector mutating webhook configuration clientConfig.url value.
    # For example: https://$remotePilotAddress:15017/inject
    # The host should not refer to a service running in the cluster; use a service reference by specifying
    # the clientConfig.service field instead.
    injectionURL: ""
    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
    injectionPath: "/inject/cluster/cluster2/net/network1"
    injectionCABundle: ""
  telemetry:
    enabled: true
    v2:
      # For Null VM case now.
      # This also enables metadata exchange.
      enabled: true
      # Indicate if prometheus stats filter is enabled or not
      prometheus:
        enabled: true
      # stackdriver filter settings.
      stackdriver:
        enabled: false
  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
  revision: ""
  # Revision tags are aliases to Istio control plane revisions
  revisionTags: []
  # For Helm compatibility.
  ownerName: ""
  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
  meshConfig:
    enablePrometheusMerge: true
  experimental:
    stableValidationPolicy: false
  global:
-    # Used to locate istiod.
+    network: network2
-    istioNamespace: istio-system
+    meshID: mesh1
    # List of cert-signers to allow "approve" action in the istio cluster role
    #
    # certSigners:
    #   - clusterissuers.cert-manager.io/istio-ca
    certSigners: []
    # enable pod disruption budget for the control plane, which is used to
    # ensure Istio control plane components are gradually upgraded or recovered.
    defaultPodDisruptionBudget:
      enabled: true
      # The values aren't mutable due to a current PodDisruptionBudget limitation
      # minAvailable: 1
    # A minimal set of requested resources to applied to all deployments so that
    # Horizontal Pod Autoscaler will be able to function (if set).
    # Each component can overwrite these default values by adding its own resources
    # block in the relevant section below and setting the desired resources values.
    defaultResources:
      requests:
        cpu: 10m
      #   memory: 128Mi
      # limits:
      #   cpu: 100m
      #   memory: 128Mi
    # Default hub for Istio images.
    # Releases are published to docker hub under 'istio' project.
    # Dev builds from prow are on gcr.io
    hub: docker.io/istio
    # Default tag for Istio images.
    tag: 1.25.0
    # Variant of the image to use.
    # Currently supported are: [debug, distroless]
    variant: ""
    # Specify image pull policy if default behavior isn't desired.
    # Default behavior: latest images will be Always else IfNotPresent.
    imagePullPolicy: ""
    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
    # to use for pulling any images in pods that reference this ServiceAccount.
    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
    # Must be set for any cluster configured with private docker registry.
    imagePullSecrets: []
    # - private-registry-key
    # Enabled by default in master for maximising testing.
    istiod:
      enableAnalysis: false
    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
    logAsJson: false
    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
    # The control plane has different scopes depending on component, but can configure default log level across all components
    # If empty, default scope and level will be used as configured in code
    logging:
      level: "default:info"
    omitSidecarInjectorConfigMap: false
    # Configure whether Operator manages webhook configurations. The current behavior
    # of Istiod is to manage its own webhook configurations.
    # When this option is set as true, Istio Operator, instead of webhooks, manages the
    # webhook configurations. When this option is set as false, webhooks manage their
    # own webhook configurations.
    operatorManageWebhooks: false
    # Custom DNS config for the pod to resolve names of services in other
    # clusters. Use this to add additional search domains, and other settings.
    # see
    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
    # This does not apply to gateway pods as they typically need a different
    # set of DNS settings than the normal application pods (e.g., in
    # multicluster scenarios).
    # NOTE: If using templates, follow the pattern in the commented example below.
    #podDNSSearchNamespaces:
    #- global
    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
    # system-node-critical, it is better to configure this in order to make sure your Istio pods
    # will not be killed because of low priority class.
    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
    # for more detail.
    priorityClassName: ""
    proxy:
      image: proxyv2
      # This controls the 'policy' in the sidecar injector.
      autoInject: enabled
      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
      # cluster domain. Default value is "cluster.local".
      clusterDomain: "cluster.local"
      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
      # not set, then the global "logLevel" will be used.
      componentLogLevel: "misc:error"
      # istio ingress capture allowlist
      # examples:
      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
      excludeInboundPorts: ""
      includeInboundPorts: "*"
      # istio egress capture allowlist
      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
      # be allowed by the sidecar
      includeIPRanges: "*"
      excludeIPRanges: ""
      includeOutboundPorts: ""
      excludeOutboundPorts: ""
      # Log level for proxy, applies to gateways and sidecars.
      # Expected values are: trace|debug|info|warning|error|critical|off
      logLevel: warning
      # Specify the path to the outlier event log.
      # Example: /dev/stdout
      outlierLogPath: ""
      #If set to true, istio-proxy container will have privileged securityContext
      privileged: false
      # The number of successive failed probes before indicating readiness failure.
      readinessFailureThreshold: 4
      # The initial delay for readiness probes in seconds.
      readinessInitialDelaySeconds: 0
      # The period between readiness probes.
      readinessPeriodSeconds: 15
      # Enables or disables a startup probe.
      # For optimal startup times, changing this should be tied to the readiness probe values.
      #
      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
      # and doesn't spam the readiness endpoint too much
      #
      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
      startupProbe:
        enabled: true
        failureThreshold: 600 # 10 minutes
      # Resources for the sidecar.
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 2000m
          memory: 1024Mi
      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
      statusPort: 15020
      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
      tracer: "none"
    proxy_init:
      # Base name for the proxy_init container, used to configure iptables.
      image: proxyv2
      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
      forceApplyIptables: false
    # configure remote pilot and istiod service and endpoint
    remotePilotAddress: "192.168.12.131"
    ##############################################################################################
    # The following values are found in other charts. To effectively modify these values, make   #
    # make sure they are consistent across your Istio helm charts                                #
    ##############################################################################################
    # The customized CA address to retrieve certificates for the pods in the cluster.
    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
    # If not set explicitly, default to the Istio discovery address.
    caAddress: ""
    # Enable control of remote clusters.
    externalIstiod: false
    # Configure a remote cluster as the config cluster for an external istiod.
    configCluster: true
    # configValidation enables the validation webhook for Istio configuration.
    configValidation: true
    # Mesh ID means Mesh Identifier. It should be unique within the scope where
    # meshes will interact with each other, but it is not required to be
    # globally/universally unique. For example, if any of the following are true,
    # then two meshes must have different Mesh IDs:
    # - Meshes will have their telemetry aggregated in one place
    # - Meshes will be federated together
    # - Policy will be written referencing one mesh from the other
    #
    # If an administrator expects that any of these conditions may become true in
    # the future, they should ensure their meshes have different Mesh IDs
    # assigned.
    #
    # Within a multicluster mesh, each cluster must be (manually or auto)
    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
    # of migration TBD, and it may be a disruptive operation to change the Mesh
    # ID post-install.
    #
    # If the mesh admin does not specify a value, Istio will use the value of the
    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
    # value.
    meshID: ""
    # Configure the mesh networks to be used by the Split Horizon EDS.
    #
    # The following example defines two networks with different endpoints association methods.
    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
    # mapped to network1. The gateway for this network example is specified by its public IP
    # address and port.
    # The second network, `network2`, in this example is defined differently with all endpoints
    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
    # gateway is also defined differently with the name of the gateway service on the remote
    # cluster. The public IP for the gateway will be determined from that remote service (only
    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
    # it still need to be configured manually).
    #
    # meshNetworks:
    #   network1:
    #     endpoints:
    #     - fromCidr: "192.168.0.1/24"
    #     gateways:
    #     - address: 1.1.1.1
    #       port: 80
    #   network2:
    #     endpoints:
    #     - fromRegistry: reg1
    #     gateways:
    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
    #       port: 443
    #
    meshNetworks: {}
    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
    mountMtlsCerts: false
    multiCluster:
-      # Set to true to connect two kubernetes clusters via their respective
+      clusterName: dmz
      # ingressgateway services when pods in each cluster cannot directly
      # talk to one another. All clusters should be using Istio mTLS and must
      # have a shared root CA for this model to work.
      enabled: false
      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
      # to properly label proxies
      clusterName: "dmz"
    # Network defines the network this cluster belong to. This name
    # corresponds to the networks in the map of mesh networks.
    network: ""
    # Configure the certificate provider for control plane communication.
    # Currently, two providers are supported: "kubernetes" and "istiod".
    # As some platforms may not have kubernetes signing APIs,
    # Istiod is the default
    pilotCertProvider: istiod
    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca
    sts:
      # The service port used by Security Token Service (STS) server to handle token exchange requests.
      # Setting this port to a non-zero value enables STS server.
      servicePort: 0
    # The name of the CA for workload certificates.
    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
    # will be used as the certificates for workloads.
    # The default value is "" and when caName="", the CA will be configured by other
    # mechanisms (e.g., environmental variable CA_PROVIDER).
    caName: ""
    waypoint:
      # Resources for the waypoint proxy.
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: "2"
          memory: 1Gi
      # If specified, affinity defines the scheduling constraints of waypoint pods.
      affinity: {}
      # Topology Spread Constraints for the waypoint proxy.
      topologySpreadConstraints: []
      # Node labels for the waypoint proxy.
      nodeSelector: {}
      # Tolerations for the waypoint proxy.
      tolerations: []
  base:
    # For istioctl usage to disable istio config crds in base
    enableIstioConfigCRDs: true
  # Gateway Settings
  gateways:
    # Define the security context for the pod.
    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
    securityContext: {}
    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
    seccompProfile: {}
 base:
  profile: remote
  global:
    imagePullSecrets: []
    istioNamespace: istio-system
  base:
    excludedCRDs: []
    enableCRDTemplates: true
    validationURL: ""
    validationCABundle: ""
    enableIstioConfigCRDs: true
  defaultRevision: "default"
  experimental:
    stableValidationPolicy: false
 gateway:
-  # Name allows overriding the release name. Generally this should not be set
+  name: istio-eastwestgateway
-  name: "istio-eastwestgateway"
+  networkGateway: network2
  # revision declares which revision this gateway is a part of
  revision: ""
  # Controls the spec.replicas setting for the Gateway deployment if set.
  # Otherwise defaults to Kubernetes Deployment default (1).
  replicaCount:
  kind: Deployment
  rbac:
    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
    # when using http://gateway-api.org/.
    enabled: true
  serviceAccount:
    # If set, a service account will be created. Otherwise, the default is used
    create: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set, the release name is used
    name: ""
  podAnnotations:
    prometheus.io/port: "15020"
    prometheus.io/scrape: "true"
    prometheus.io/path: "/stats/prometheus"
    inject.istio.io/templates: "gateway"
    sidecar.istio.io/inject: "true"
  # Define the security context for the pod.
  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
  securityContext: {}
  containerSecurityContext: {}
  service:
    # Type of service. Set to "None" to disable the service entirely
    type: LoadBalancer
    ports:
    - name: status-port
      port: 15021
      protocol: TCP
      targetPort: 15021
    - name: http2
      port: 80
      protocol: TCP
      targetPort: 80
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
    annotations: {}
    loadBalancerIP: ""
    loadBalancerSourceRanges: []
    externalTrafficPolicy: ""
    externalIPs: []
    ipFamilyPolicy: ""
    ipFamilies: []
    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
    # allocateLoadBalancerNodePorts: false
    ## Set LoadBalancer class (only for LoadBalancers).
    # loadBalancerClass: ""
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 2000m
      memory: 1024Mi
  autoscaling:
    enabled: true
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: {}
    autoscaleBehavior: {}
  # Pod environment variables
  env: {}
  # Deployment Update strategy
  strategy: {}
  # Sets the Deployment minReadySeconds value
  minReadySeconds:
  # Optionally configure a custom readinessProbe. By default the control plane
  # automatically injects the readinessProbe. If you wish to override that
  # behavior, you may define your own readinessProbe here.
  readinessProbe: {}
  # Labels to apply to all resources
  labels:
    # By default, don't enroll gateways into the ambient dataplane
    "istio.io/dataplane-mode": none
  # Annotations to apply to all resources
  annotations: {}
  nodeSelector: {}
  tolerations: []
  topologySpreadConstraints: []
  affinity: {}
  # If specified, the gateway will act as a network gateway for the given network.
  networkGateway: "network1"
  # Specify image pull policy if default behavior isn't desired.
  # Default behavior: latest images will be Always else IfNotPresent
  imagePullPolicy: ""
  imagePullSecrets: []
  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
  #
  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
  # which means that no PodDisruptionBudget resource will be created.
  #
  # To enable the PodDisruptionBudget, configure it by specifying the
  # `minAvailable` or `maxUnavailable`. For example, to set the
  # minimum number of available replicas to 1, you can update this value as follows:
  #
  # podDisruptionBudget:
  #   minAvailable: 1
  #
  # Or, to allow a maximum of 1 unavailable replica, you can set:
  #
  # podDisruptionBudget:
  #   maxUnavailable: 1
  #
  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
  #
  # podDisruptionBudget:
  #   minAvailable: 1
  #   unhealthyPodEvictionPolicy: AlwaysAllow
  #
  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
  #
  # podDisruptionBudget: {}
  #
  podDisruptionBudget: {}
  # Sets the per-pod terminationGracePeriodSeconds setting.
  terminationGracePeriodSeconds: 30
  # A list of `Volumes` added into the Gateway Pods. See
  # https://kubernetes.io/docs/concepts/storage/volumes/.
  volumes: []
  # A list of `VolumeMounts` added into the Gateway Pods. See
  # https://kubernetes.io/docs/concepts/storage/volumes/.
  volumeMounts: []
  # Configure this to a higher priority class in order to make sure your Istio gateway pods
  # will not be killed because of low priority class.
  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  # for more detail.
  priorityClassName: ""
--- a/dmz/littlelink/Chart.yaml
+++ b/dmz/littlelink/Chart.yaml
--- a/dmz/littlelink/templates/deployment.yaml
+++ b/dmz/littlelink/templates/deployment.yaml
@@ -0,0 +1,101 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: littlelink
  name: littlelink
  labels:
    app: littlelink
 spec:
  selector:
    matchLabels:
      app: littlelink
  replicas: 1
  template:
    metadata:
      labels:
        app: littlelink
    spec:
      containers:
      - name: littlelink
        image: registry.durp.info/techno-tim/littlelink-server:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /healthcheck
            port: 3000
        readinessProbe:
          httpGet:
            path: /healthcheck
            port: 3000            
        env:
          - name: META_TITLE
            value: DeveloperDurp
          - name: META_DESCRIPTION
            value: The Durpy Developer
          - name: META_AUTHOR
            value: DeveloperDurp
          - name: LANG
            value: en
          - name: META_INDEX_STATUS
            value: all
          - name: OG_TITLE
            value: DeveloperDurp
          - name: OG_DESCRIPTION
            value: DeveloperDurp
          - name: OG_URL
            value: https://gitlab.com/developerdurp
          - name: OG_IMAGE
            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
          - name : OG_IMAGE_WIDTH
            value: "400"
          - name : OG_IMAGE_HEIGHT
            value: "400"
          - name : THEME
            value: Dark 
          - name : FAVICON_URL
            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
          - name : AVATAR_URL
            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
          - name : AVATAR_2X_URL
            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png   
          - name : AVATAR_ALT
            value: DeveloperDurp Profile Pic
          - name : NAME
            value: DeveloperDurp
          - name : BIO
            value: Sup Nerd,
          - name : BUTTON_ORDER
            value: GITHUB,GITLAB,YOUTUBE,INSTAGRAM,TWITTER,BLUESKY,COFFEE,EMAIL
          - name : TWITTER
            value: https://twitter.com/developerdurp                
          - name : GITHUB
            value: https://github.com/DeveloperDurp
          - name: INSTAGRAM
            value: https://instagram.com/developerdurp
          - name : GITLAB
            value: https://gitlab.com/developerdurp
          - name: YOUTUBE
            value: https://www.youtube.com/channel/UC1rGa6s6kER_gLpIQsxeMVQ
          - name : EMAIL
            value: DeveloperDurp@durp.info
          - name : EMAIL_TEXT
            value: DeveloperDurp@durp.info            
          - name : FOOTER
            value: DeveloperDurp © 2022         
          - name: CUSTOM_BUTTON_TEXT
            value: BuyMeACoffee,BlueSky
          - name: CUSTOM_BUTTON_URL
            value: https://www.buymeacoffee.com/DeveloperDurp,https://bsky.app/profile/durp.info
          - name: CUSTOM_BUTTON_COLOR
            value: '#ffdd00,#1185fe'
          - name: CUSTOM_BUTTON_TEXT_COLOR
            value: '#000000,#FFFFFF'
          - name: CUSTOM_BUTTON_ALT_TEXT
            value: Support,BlueSky
          - name: CUSTOM_BUTTON_NAME
            value: COFFEE,BLUESKY
          - name: CUSTOM_BUTTON_ICON
            value: fa-solid fa-cup-togo
        ports:
        - name: http
          containerPort: 3000          
--- a/dmz/littlelink/templates/ingress.yaml
+++ b/dmz/littlelink/templates/ingress.yaml
@@ -0,0 +1,42 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: littlelink-ingress
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`links.durp.info`) && PathPrefix(`/`)
    kind: Rule
    services:
    - name: littlelink
      port: 80
  tls:
    secretName: littlelink-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: littlelink-tls
 spec:
  secretName: littlelink-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "links.durp.info"
  dnsNames:
  - "links.durp.info"  
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: links-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: links.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/littlelink/templates/service.yaml
+++ b/dmz/littlelink/templates/service.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: littlelink
 spec:
  ports:
  - name: http
    port: 80
    targetPort: 3000
    protocol: TCP 
  selector:
    app: littlelink
--- a/dmz/longhorn/Chart.yaml
+++ b/dmz/longhorn/Chart.yaml
@@ -0,0 +1,12 @@
 apiVersion: v2
 name: longhorn-system
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
 - name: longhorn
  repository: https://charts.longhorn.io
  version: 1.9.0
--- a/dmz/longhorn/templates/ingress.yaml
+++ b/dmz/longhorn/templates/ingress.yaml
@@ -0,0 +1,34 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: longhorn-ingress
  annotations:
    cert-manager.io/cluster-issuer: vault-issuer
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`longhorn.dmz.durp.info`) && PathPrefix(`/`)
      kind: Rule
      middlewares:
        - name: authentik-proxy-provider
          namespace: traefik
      services:
        - name: longhorn-frontend
          port: 80
  tls:
    secretName: longhorn-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: longhorn-tls
 spec:
  secretName: longhorn-tls
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
  commonName: "longhorn.dmz.durp.info"
  dnsNames:
    - "longhorn.dmz.durp.info"
--- a/dmz/longhorn/templates/secrets.yaml
+++ b/dmz/longhorn/templates/secrets.yaml
@@ -0,0 +1,30 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-longhorn-backup-token-secret
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: longhorn-backup-token-secret
  data:
  - secretKey: AWS_ACCESS_KEY_ID
    remoteRef:
      key: kv/longhorn/backup
      property: AWS_ACCESS_KEY_ID
  - secretKey: AWS_ENDPOINTS 
    remoteRef:
      key: kv/longhorn/backup
      property: AWS_ENDPOINTS 
  - secretKey: AWS_SECRET_ACCESS_KEY
    remoteRef:
      key: kv/longhorn/backup
      property: AWS_SECRET_ACCESS_KEY
--- a/dmz/longhorn/values.yaml
+++ b/dmz/longhorn/values.yaml
@@ -0,0 +1,192 @@
 longhorn: 
  global:
    cattle:
      systemDefaultRegistry: ""
  image:
    longhorn:
      engine:
        repository: longhornio/longhorn-engine
      manager:
        repository: longhornio/longhorn-manager
      ui:
        repository: longhornio/longhorn-ui
      instanceManager:
        repository: longhornio/longhorn-instance-manager
      shareManager:
        repository: longhornio/longhorn-share-manager
      backingImageManager:
        repository: longhornio/backing-image-manager
    csi:
      attacher:
        repository: longhornio/csi-attacher
      provisioner:
        repository: longhornio/csi-provisioner
      nodeDriverRegistrar:
        repository: longhornio/csi-node-driver-registrar
      resizer:
        repository: longhornio/csi-resizer
      snapshotter:
        repository: longhornio/csi-snapshotter
    pullPolicy: Always
  service:
    ui:
      type: ClusterIP
      nodePort: null
    manager:
      type: ClusterIP
      nodePort: ""
      loadBalancerIP: ""
      loadBalancerSourceRanges: ""
  persistence:
    defaultClass: true
    defaultFsType: ext4
    defaultClassReplicaCount: 3
    defaultDataLocality: disabled # best-effort otherwise
    reclaimPolicy: Delete
    migratable: false
    recurringJobSelector:
      enable: true
      jobList: '[
          {
            "name":"backup", 
            "task":"backup", 
            "cron":"0 0 * * *", 
            "retain":24
          }
        ]'
    backingImage:
      enable: false
      name: ~
      dataSourceType: ~
      dataSourceParameters: ~
      expectedChecksum: ~
  csi:
    kubeletRootDir: ~
    attacherReplicaCount: ~
    provisionerReplicaCount: ~
    resizerReplicaCount: ~
    snapshotterReplicaCount: ~
  defaultSettings:
    backupTarget: S3://longhorn-master@us-east-1/
    backupTargetCredentialSecret: longhorn-backup-token-secret
    allowRecurringJobWhileVolumeDetached: ~
    createDefaultDiskLabeledNodes: ~
    defaultDataPath: ~
    defaultDataLocality: ~
    replicaSoftAntiAffinity: ~
    replicaAutoBalance: ~
    storageOverProvisioningPercentage: ~
    storageMinimalAvailablePercentage: ~
    upgradeChecker: ~
    defaultReplicaCount: ~
    defaultLonghornStaticStorageClass: longhorn
    backupstorePollInterval: ~
    taintToleration: ~
    systemManagedComponentsNodeSelector: ~
    priorityClass: ~
    autoSalvage: ~
    autoDeletePodWhenVolumeDetachedUnexpectedly: ~
    disableSchedulingOnCordonedNode: ~
    replicaZoneSoftAntiAffinity: ~
    nodeDownPodDeletionPolicy: ~
    allowNodeDrainWithLastHealthyReplica: ~
    mkfsExt4Parameters: ~
    disableReplicaRebuild: ~
    replicaReplenishmentWaitInterval: ~
    concurrentReplicaRebuildPerNodeLimit: ~
    disableRevisionCounter: ~
    systemManagedPodsImagePullPolicy: ~
    allowVolumeCreationWithDegradedAvailability: ~
    autoCleanupSystemGeneratedSnapshot: ~
    concurrentAutomaticEngineUpgradePerNodeLimit: ~
    backingImageCleanupWaitInterval: ~
    backingImageRecoveryWaitInterval: ~
    guaranteedEngineManagerCPU: ~
    guaranteedReplicaManagerCPU: ~
    kubernetesClusterAutoscalerEnabled: ~
    orphanAutoDeletion: ~
    storageNetwork: ~
  privateRegistry:
    createSecret: ~
    registryUrl: ~
    registryUser: ~
    registryPasswd: ~
    registrySecret: ~
  longhornManager:
    priorityClass: ~
    tolerations: []
    ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
    ## and uncomment this example block
    # - key: "key"
    #   operator: "Equal"
    #   value: "value"
    #   effect: "NoSchedule"
    nodeSelector: {}
    ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
    ## and uncomment this example block
    #  label-key1: "label-value1"
    #  label-key2: "label-value2"
  longhornDriver:
    priorityClass: ~
    tolerations: []
    ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
    ## and uncomment this example block
    # - key: "key"
    #   operator: "Equal"
    #   value: "value"
    #   effect: "NoSchedule"
    nodeSelector: {}
    ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
    ## and uncomment this example block
    #  label-key1: "label-value1"
    #  label-key2: "label-value2"
  longhornUI:
    priorityClass: ~
    tolerations: []
    ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
    ## and uncomment this example block
    # - key: "key"
    #   operator: "Equal"
    #   value: "value"
    #   effect: "NoSchedule"
    nodeSelector: {}
    ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
    ## and uncomment this example block
    #  label-key1: "label-value1"
    #  label-key2: "label-value2"
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
    #
  ingress:
    enabled: false
  ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
  ## and its release namespace is not the `longhorn-system`
  namespaceOverride: ""
  # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
  annotations: {}
  serviceAccount:
    # Annotations to add to the service account
    annotations: {}
--- a/dmz/metallb-system/Chart.yaml
+++ b/dmz/metallb-system/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
  repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2
--- a/dmz/openspeedtest/Chart.yaml
+++ b/dmz/openspeedtest/Chart.yaml
@@ -0,0 +1,7 @@
 apiVersion: v2
 name: openspeedtest
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
--- a/dmz/openspeedtest/templates/deployment.yaml
+++ b/dmz/openspeedtest/templates/deployment.yaml
@@ -0,0 +1,33 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: openspeedtest
  name: openspeedtest
  labels:
    app: openspeedtest
 spec:
  selector:
    matchLabels:
      app: openspeedtest
  replicas: 1
  template:
    metadata:
      labels:
        app: openspeedtest
    spec:
      containers:
      - name: openspeedtest
        image: registry.durp.info/openspeedtest/latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /
            port: 3000
        readinessProbe:
          httpGet:
            path: /
            port: 3000
        env:
        ports:
        - name: http
          containerPort: 3000
--- a/dmz/openspeedtest/templates/ingress.yaml
+++ b/dmz/openspeedtest/templates/ingress.yaml
@@ -0,0 +1,56 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: openspeedtest-ingress
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
    kind: Rule
    middlewares:
    - name: authentik-proxy-provider
      namespace: traefik  
    - name: limit-buffering
    services:
    - name: openspeedtest
      port: 3000
  tls:
    secretName: openspeedtest-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: openspeedtest-tls
 spec:
  secretName: openspeedtest-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "speedtest.durp.info"
  dnsNames:
  - "speedtest.durp.info"  
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: openspeedtest-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit-buffering
 spec:
  buffering:
    maxRequestBodyBytes: 10000000000
--- a/dmz/openspeedtest/templates/service.yaml
+++ b/dmz/openspeedtest/templates/service.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: openspeedtest
 spec:
  ports:
  - name: http
    port: 3000
    targetPort: 3000
    protocol: TCP 
  selector:
    app: openspeedtest
--- a/dmz/redlib/Chart.yaml
+++ b/dmz/redlib/Chart.yaml
@@ -0,0 +1,7 @@
 apiVersion: v2
 name: redlib
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
--- a/dmz/redlib/templates/deployment.yaml
+++ b/dmz/redlib/templates/deployment.yaml
@@ -0,0 +1,33 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: redlib
  name: redlib
  labels:
    app: redlib
 spec:
  selector:
    matchLabels:
      app: redlib
  replicas: 3
  template:
    metadata:
      labels:
        app: redlib
    spec:
      containers:
      - name: redlib
        image: registry.durp.info/redlib/redlib:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /
            port: 8080
        readinessProbe:
          httpGet:
            path: /
            port: 8080
        env:
        ports:
        - name: http
          containerPort: 8080
--- a/dmz/redlib/templates/ingress.yaml
+++ b/dmz/redlib/templates/ingress.yaml
@@ -0,0 +1,43 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: redlib-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
      kind: Rule
      middlewares:
        - name: authentik-proxy-provider
          namespace: traefik
      services:
        - name: redlib
          port: 8080
  tls:
    secretName: redlib-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: redlib-tls
 spec:
  secretName: redlib-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "redlib.durp.info"
  dnsNames:
    - "redlib.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: redlib-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/redlib/templates/service.yaml
+++ b/dmz/redlib/templates/service.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: redlib
 spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
    protocol: TCP 
  selector:
    app: redlib
--- a/dmz/redlib/values.yaml
+++ b/dmz/redlib/values.yaml
--- a/dmz/terraform/main.tf
+++ b/dmz/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    proxmox = {
      source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
    }
  }
 }
--- a/dmz/traefik/Chart.yaml
+++ b/dmz/traefik/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0
--- a/dmz/traefik/templates/middleware.yaml
+++ b/dmz/traefik/templates/middleware.yaml
@@ -1,11 +1,11 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-    name: authentik-proxy-provider
+  name: authentik-proxy-provider
-    namespace: traefik
+  namespace: traefik
 spec:
  forwardAuth:
-    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
+    address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
@@ -21,7 +21,6 @@ spec:
      - X-authentik-meta-version
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -33,3 +32,23 @@ spec:
      - 192.168.0.0/16
      - 172.16.0.0/12
      - 10.0.0.0/8
 ---
 #apiVersion: traefik.io/v1alpha1
 #kind: Middleware
 #metadata:
 #  name: bouncer
 #  namespace: traefik
 #spec:
 #  plugin:
 #    bouncer:
 #      enabled: true
 #      crowdsecMode: stream
 #      crowdsecLapiScheme: https
 #      crowdsecLapiTLSInsecureVerify: true
 #      crowdsecLapiHost: crowdsec-service.crowdsec:8080
 #      crowdsecLapiKey:
 #        valueFrom:
 #          secretKeyRef:
 #            name: crowdsec-lapi-key
 #            key: lapi-key
--- a/dmz/traefik/templates/secrets.yaml
+++ b/dmz/traefik/templates/secrets.yaml
@@ -0,0 +1,21 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: crowdsec-lapi-key
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: crowdsec-lapi-key
  data:
    - secretKey: lapi-key
      remoteRef:
        key: kv/crowdsec/api
        property: key
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
--- a/dmz/traefik/templates/traefik-dashboard.yaml
+++ b/dmz/traefik/templates/traefik-dashboard.yaml
@@ -1,34 +1,35 @@
-#apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
+kind: IngressRoute
-#metadata:
+metadata:
-#  name: traefik-ingress
+  name: traefik-ingress
-#spec:
+spec:
-#  entryPoints:
+  entryPoints:
-#    - websecure
+    - websecure
-#  routes:
+  routes:
-#  - match: Host(`traefik.durp.info`)
+    - match: Host(`traefik.dmz.durp.info`)
-#    kind: Rule
+      kind: Rule
-#    services:
+      middlewares:
-#    - name: api@internal
+        - name: whitelist
-#      kind: TraefikService
+          namespace: traefik
-#  tls:
+        - name: authentik-proxy-provider
-#    secretName: traefik-tls  
+          namespace: traefik
-#
+      services:
-#---
+        - name: api@internal
-#
+          kind: TraefikService
-#apiVersion: cert-manager.io/v1
+  tls:
-#kind: Certificate
+    secretName: traefik-tls
-#metadata:
+
-#  name: traefik-tls
+---
-#  namespace: traefik
+apiVersion: cert-manager.io/v1
-#spec:
+kind: Certificate
-#  secretName: traefik-tls
+metadata:
-#  issuerRef:
+  name: traefik-tls
-#    name: letsencrypt-production
+  namespace: traefik
-#    kind: ClusterIssuer
+spec:
-#  commonName: "traefik.durp.info"
+  secretName: traefik-tls
-#  dnsNames:
+  issuerRef:
-#  - "traefik.durp.info"
+    name: vault-issuer
-#
+    kind: ClusterIssuer
-#---
+  commonName: "traefik.dmz.durp.info"
-#
+  dnsNames:
    - "traefik.dmz.durp.info"
--- a/dmz/traefik/values.yaml
+++ b/dmz/traefik/values.yaml
@@ -1,10 +1,10 @@
 traefik:
-  image: 
+  image:
    #    registry: registry.durp.info
    #    repository: traefik
    pullPolicy: Always
-  
+
-  providers:  
+  providers:
    kubernetesCRD:
      allowCrossNamespace: true
      allowExternalNameServices: true
@@ -18,40 +18,41 @@ traefik:
  #   - name: traefik-configmap
  #     mountPath: "/config"
  #     type: configMap
-  
+
  ingressRoute:
    dashboard:
      enabled: true
-  
+
-  additionalArguments: 
+  additionalArguments:
    #  - "--providers.file.filename=/config/config.yml"
    - "--serversTransport.insecureSkipVerify=true"
    - "--log.level=DEBUG"
    - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
    - --experimental.plugins.jwt.version=v0.7.0
-  
+    - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
    - --experimental.plugins.bouncer.version=v1.4.2
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 10
    metrics:
-    - type: Resource
+      - type: Resource
-      resource:
+        resource:
-        name: cpu
+          name: cpu
-        target:
+          target:
-          type: Utilization
+            type: Utilization
-          averageUtilization: 80
+            averageUtilization: 80
    behavior:
      scaleDown:
        stabilizationWindowSeconds: 300
        policies:
-        - type: Pods
+          - type: Pods
-          value: 1
+            value: 1
-          periodSeconds: 60
+            periodSeconds: 60
-  
+
  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
-  resources: 
+  resources:
    requests:
      cpu: "100m"
      memory: "512Mi"
--- a/dmz/vault/Chart.yaml
+++ b/dmz/vault/Chart.yaml
@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
  repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
--- a/dmz/vault/templates/secret-store.yaml
+++ b/dmz/vault/templates/secret-store.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: vault
--- a/infra/argocd/Chart.yaml
+++ b/infra/argocd/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1
+  version: 8.1.3
--- a/infra/argocd/templates/argocd-crossplane.yaml
+++ b/infra/argocd/templates/argocd-crossplane.yaml
@@ -0,0 +1,101 @@
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: argocd-secret-crossplane
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: argocd-secret-crossplane
 #  data:
 #    - secretKey: authToken
 #      remoteRef:
 #        key: kv/argocd/provider-argocd
 #        property: token
 #
 #---
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: prod-kubeconfig
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: prod-kubeconfig
 #  data:
 #    - secretKey: kubeconfig
 #      remoteRef:
 #        key: kv/argocd/prd
 #        property: kubeconfig
 #
 #---
 #apiVersion: argocd.crossplane.io/v1alpha1
 #kind: ProviderConfig
 #metadata:
 #  name: argocd-provider
 #spec:
 #  serverAddr: argocd-server.argocd.svc:443
 #  insecure: true
 #  plainText: false
 #  credentials:
 #    source: Secret
 #    secretRef:
 #      namespace: argocd
 #      name: argocd-secret-crossplane
 #      key: authToken
 #
 #---
 #apiVersion: cluster.argocd.crossplane.io/v1alpha1
 #kind: Cluster
 #metadata:
 #  name: prd
 #  labels:
 #    purpose: prd
 #spec:
 #  forProvider:
 #    name: prd
 #    config:
 #      kubeconfigSecretRef:
 #        name: prod-kubeconfig
 #        namespace: argocd
 #        key: kubeconfig
 #  providerConfigRef:
 #    name: argocd-provider
 #
 #---
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: dev-kubeconfig
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: dev-kubeconfig
 #  data:
 #    - secretKey: kubeconfig
 #      remoteRef:
 #        key: kv/argocd/dev
 #        property: kubeconfig
 #
 #---
 #apiVersion: cluster.argocd.crossplane.io/v1alpha1
 #kind: Cluster
 #metadata:
 #  name: dev
 #  labels:
 #    purpose: dev
 #spec:
 #  forProvider:
 #    name: dev
 #    config:
 #      kubeconfigSecretRef:
 #        name: dev-kubeconfig
 #        namespace: argocd
 #        key: kubeconfig
 #  providerConfigRef:
 #    name: argocd-provider
--- a/infra/argocd/templates/argocd.yaml
+++ b/infra/argocd/templates/argocd.yaml
@@ -21,7 +21,7 @@ spec:
 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-argocd
--- a/infra/argocd/templates/authentik.yaml
+++ b/infra/argocd/templates/authentik.yaml
@@ -13,17 +13,16 @@ spec:
    namespace: authentik
    name: in-cluster
  syncPolicy:
-    managedNamespaceMetadata:
+    #managedNamespaceMetadata:
-      labels:
+    #  labels:
-        istio-injection: enabled
+    #    istio-injection: enabled
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -41,7 +40,6 @@ spec:
  syncPolicy:
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
--- a/infra/argocd/templates/bitwarden.yaml
+++ b/infra/argocd/templates/bitwarden.yaml
@@ -0,0 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: bitwarden
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/bitwarden
  destination:
    namespace: bitwarden
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/crowdsec.yaml
+++ b/infra/argocd/templates/crowdsec.yaml
@@ -0,0 +1,20 @@
 #apiVersion: argoproj.io/v1alpha1
 #kind: Application
 #metadata:
 #  name: crowdsec
 #  namespace: argocd
 #spec:
 #  project: default
 #  source:
 #    repoURL: https://gitlab.com/developerdurp/homelab.git
 #    targetRevision: main
 #    path: dmz/crowdsec
 #  destination:
 #    namespace: crowdsec
 #    name: dmz
 #  syncPolicy:
 #    automated:
 #      prune: true
 #      selfHeal: true
 #    syncOptions:
 #      - CreateNamespace=true
--- a/infra/argocd/templates/istio.yaml
+++ b/infra/argocd/templates/istio.yaml
@@ -13,41 +13,46 @@ spec:
    namespace: istio-system
    name: in-cluster
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        topology.istio.io/network: network1
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
  ignoreDifferences:
-  - group: admissionregistration.k8s.io
+    - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
+      kind: ValidatingWebhookConfiguration
-    jsonPointers:
+      jsonPointers:
-    - /webhooks/0/failurePolicy
+        - /webhooks/0/failurePolicy
 ---
-
+apiVersion: argoproj.io/v1alpha1
-#apiVersion: argoproj.io/v1alpha1
+kind: Application
-#kind: Application
+metadata:
-#metadata:
+  name: istio-system-dmz
-#  name: istio-system-dmz
+  namespace: argocd
-#  namespace: argocd
+spec:
-#spec:
+  project: default
-#  project: default
+  source:
-#  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
-#    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
-#    targetRevision: main
+    path: dmz/istio-system
-#    path: dmz/istio-system
+  destination:
-#  destination:
+    namespace: istio-system
-#    namespace: istio-system
+    name: dmz
-#    name: dmz
+  syncPolicy:
-#  syncPolicy:
+    managedNamespaceMetadata:
-#    automated:
+      labels:
-#      prune: true
+        topology.istio.io/network: network2
-#      selfHeal: true  
+    automated:
-#    syncOptions:
+      prune: true
-#      - CreateNamespace=true 
+      selfHeal: true
-#  ignoreDifferences:
+    syncOptions:
-#  - group: admissionregistration.k8s.io
+      - CreateNamespace=true
-#    kind: ValidatingWebhookConfiguration
+  ignoreDifferences:
-#    jsonPointers:
+    - group: admissionregistration.k8s.io
-#    - /webhooks/0/failurePolicy
+      kind: ValidatingWebhookConfiguration
      jsonPointers:
        - /webhooks/0/failurePolicy
--- a/infra/argocd/templates/kube-prometheus-stack.yaml
+++ b/infra/argocd/templates/kube-prometheus-stack.yaml
@@ -0,0 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kube-prometheus-stack
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/kube-prometheus-stack
  destination:
    namespace: kube-prometheus-stack
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/litellm.yaml
+++ b/infra/argocd/templates/litellm.yaml
@@ -1,20 +1,20 @@
-apiVersion: argoproj.io/v1alpha1
+#apiVersion: argoproj.io/v1alpha1
-kind: Application
+#kind: Application
-metadata:
+#metadata:
-  name: litellm
+#  name: litellm
-  namespace: argocd
+#  namespace: argocd
-spec:
+#spec:
-  project: default
+#  project: default
-  source:
+#  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
+#    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+#    targetRevision: main
-    path: infra/litellm
+#    path: infra/litellm
-  destination:
+#  destination:
-    namespace: litellm
+#    namespace: litellm
-    name: in-cluster
+#    name: in-cluster
-  syncPolicy:
+#  syncPolicy:
-    automated:
+#    automated:
-      prune: true
+#      prune: true
-      selfHeal: true  
+#      selfHeal: true
-    syncOptions:
+#    syncOptions:
-      - CreateNamespace=true 
+#      - CreateNamespace=true
--- a/infra/argocd/templates/littlelink.yaml
+++ b/infra/argocd/templates/littlelink.yaml
@@ -0,0 +1,22 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: littlelink
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: dmz/littlelink
    directory:
      recurse: true
  destination:
    name: dmz
    namespace: littlelink
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/longhorn.yaml
+++ b/infra/argocd/templates/longhorn.yaml
@@ -15,7 +15,33 @@ spec:
  syncPolicy:
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
  ignoreDifferences:
    - group: engineimages.longhorn.io
      jsonPointers:
        - /spec/preserveUnknownFields
      kind: CustomResourceDefinition
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: longhorn-system-dmz
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: dmz/longhorn
  destination:
    namespace: longhorn-system
    name: dmz
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/metallb-system.yaml
+++ b/infra/argocd/templates/metallb-system.yaml
@@ -42,3 +42,25 @@ spec:
    syncOptions:
      - CreateNamespace=true 
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: metallb-system-dev
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: dev/metallb-system
  destination:
    namespace: metallb-system
    name: dev
  syncPolicy:
    automated:
      prune: true
      selfHeal: true  
    syncOptions:
      - CreateNamespace=true 
--- a/infra/argocd/templates/nfs.yaml
+++ b/infra/argocd/templates/nfs.yaml
@@ -0,0 +1,18 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: nfs
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/nfs
  destination:
    namespace: kube-system
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true  
--- a/infra/argocd/templates/octopusdeploy.yaml
+++ b/infra/argocd/templates/octopusdeploy.yaml
@@ -0,0 +1,42 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: octopusdeploy
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/octopusdeploy
  destination:
    namespace: octopusdeploy
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: octopusdeploy-agent
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/octopus-agent
  destination:
    namespace: octopus-agent
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/openclarity.yaml
+++ b/infra/argocd/templates/openclarity.yaml
@@ -0,0 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: openclarity
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/openclarity
  destination:
    namespace: openclarity
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/openspeedtest.yaml
+++ b/infra/argocd/templates/openspeedtest.yaml
@@ -0,0 +1,22 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: openspeedtest
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: dmz/openspeedtest
    directory:
      recurse: true
  destination:
    name: dmz
    namespace: openspeedtest
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/redlib.yaml
+++ b/infra/argocd/templates/redlib.yaml
@@ -0,0 +1,22 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: redlib
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: dmz/redlib
    directory:
      recurse: true
  destination:
    name: dmz
    namespace: redlib
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/renovate.yaml
+++ b/infra/argocd/templates/renovate.yaml
@@ -0,0 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: renovate
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/renovate
  destination:
    namespace: renovate
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/traefik.yaml
+++ b/infra/argocd/templates/traefik.yaml
@@ -48,3 +48,29 @@ spec:
    syncOptions:
      - CreateNamespace=true 
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: traefik-dev
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: dev/traefik
  destination:
    namespace: traefik
    name: dev
  syncPolicy:
    #    managedNamespaceMetadata:
    #      labels:
    #        istio-injection: enabled
    automated:
      prune: true
      selfHeal: true  
    syncOptions:
      - CreateNamespace=true 
--- a/infra/argocd/values.yaml
+++ b/infra/argocd/values.yaml
@@ -1,27 +1,26 @@
 argo-cd:
  global:
    revisionHistoryLimit: 1
    image:
      repository: registry.durp.info/argoproj/argocd
      imagePullPolicy: Always
-  server:
+  #server:
-    #extraArgs:
+  #extraArgs:
-    #  - --dex-server-plaintext
+  #  - --dex-server-plaintext
-    #  - --dex-server=argocd-dex-server:5556
+  #  - --dex-server=argocd-dex-server:5556
-    # oidc.config: |
+  # oidc.config: |
-    #   name: AzureAD
+  #   name: AzureAD
-    #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
+  #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
-    #   clientID: CLIENT_ID
+  #   clientID: CLIENT_ID
-    #   clientSecret: $oidc.azuread.clientSecret
+  #   clientSecret: $oidc.azuread.clientSecret
-    #   requestedIDTokenClaims:
+  #   requestedIDTokenClaims:
-    #     groups:
+  #     groups:
-    #       essential: true
+  #       essential: true
-    #   requestedScopes:
+  #   requestedScopes:
-    #     - openid
+  #     - openid
-    #     - profile
+  #     - profile
-    #     - email
+  #     - email
  dex:
    enabled: true
@@ -35,6 +34,7 @@ argo-cd:
      annotations: {}
      url: https://argocd.infra.durp.info
      oidc.tls.insecure.skip.verify: "true"
      accounts.provider-argocd: apiKey
      dex.config: |
        connectors:
          - config:
@@ -50,13 +50,15 @@ argo-cd:
            name: authentik
            type: oidc
            id: authentik
      resource.exclusions: ""
    rbac:
      create: true
      policy.csv: |
        g, ArgoCD Admins, role:admin
        g, provider-argocd, role:admin
      scopes: "[groups]"
  server:
-    route: 
+    route:
-      enabled: false
+      enabled: false
--- a/infra/authentik/Chart.yaml
+++ b/infra/authentik/Chart.yaml
@@ -7,6 +7,7 @@ version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
- name: authentik
+  - name: authentik
-  repository: https://charts.goauthentik.io
+    repository: https://charts.goauthentik.io
-  version: 2024.8.3
+    version: 2025.4.1
--- a/infra/authentik/templates/ingress.yaml
+++ b/infra/authentik/templates/ingress.yaml
@@ -6,16 +6,20 @@ spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
-    kind: Rule
+      kind: Rule
-    services:
+      services:
-    - name: authentik-server
+        - name: authentik-server
-      port: 80
+          port: 80
    - match: Host(`authentik.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
      kind: Rule
      services:
        - name: ak-outpost-authentik-embedded-outpost
          port: 9000
  tls:
    secretName: authentik-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -27,5 +31,4 @@ spec:
    kind: ClusterIssuer
  commonName: "authentik.durp.info"
  dnsNames:
-  - "authentik.durp.info" 
+    - "authentik.durp.info"
--- a/infra/authentik/templates/secrets.yaml
+++ b/infra/authentik/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: authentik-secret
--- a/infra/authentik/values.yaml
+++ b/infra/authentik/values.yaml
@@ -1,6 +1,8 @@
 authentik:
  global:
-    env: 
+    security:
      allowInsecureImages: true
    env:
      - name: AUTHENTIK_POSTGRESQL__PASSWORD
        valueFrom:
          secretKeyRef:
@@ -19,7 +21,7 @@ authentik:
    outposts:
      container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s
    postgresql:
-      host: '{{ .Release.Name }}-postgresql-hl'
+      host: "{{ .Release.Name }}-postgresql-hl"
      name: "authentik"
      user: "authentik"
      port: 5432
@@ -36,7 +38,7 @@ authentik:
      pullPolicy: Always
    postgresqlUsername: "authentik"
    postgresqlDatabase: "authentik"
-    existingSecret: db-pass 
+    existingSecret: db-pass
    persistence:
      enabled: true
      storageClass: longhorn
@@ -47,7 +49,7 @@ authentik:
    enabled: true
    master:
      persistence:
-        enabled: false    
+        enabled: false
    image:
      registry: registry.durp.info
      repository: bitnami/redis
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`argocd login --insecure`
							`argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd`
		`@@ -0,0 +1 @@`
							`Acquire::http::Proxy "http://192.168.21.200:3142";`
`@@ -1 +1,2 @@`
	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M`	`sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey`
		`sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano`