yt-dlp-bot: deploy update to 1ef217f

Reviewed-on: #61

.gitignore

@@ -1 +1,3 @@
 *-testing/
+Chart.lock
+charts/

arr-stack/flaresolverr/deployment.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: flaresolverr
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: flaresolverr
+  template:
+    metadata:
+      labels:
+        app: flaresolverr
+    spec:
+      containers:
+      - name: flaresolverr
+        image: ghcr.io/flaresolverr/flaresolverr:v3.4.1
+        resources:
+          limits:
+            memory: "4Gi"
+            cpu: "1"
+          requests:
+            memory: "2Gi"
+            cpu: "0.5"

arr-stack/flaresolverr/svc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: flaresolverr
+spec:
+  selector:
+    app: flaresolverr
+  ports:
+  - port: 8191
+    targetPort: 8191

arr-stack/prowlarr/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prowlarr
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: prowlarr
+  template:
+    metadata:
+      labels:
+        app: prowlarr
+      annotations:
+        backup.velero.io/backup-volumes: config
+    spec:
+      containers:
+      - name: prowlarr
+        image: linuxserver/prowlarr:version-2.0.5.5160
+        volumeMounts:
+          - name: config
+            mountPath: /config
+        resources:
+          limits:
+            memory: "1Gi"
+            cpu: "1"
+          requests:
+            memory: "512Mi"
+            cpu: "0.5"
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: prowlarr-config

arr-stack/prowlarr/pvc.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: emby-config
+  name: prowlarr-config
 spec:
-  storageClassName: weyma-shared
   resources:
     requests:
       storage: 10Gi
   volumeMode: Filesystem
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany

arr-stack/prowlarr/svc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: prowlarr
+spec:
+  selector:
+    app: prowlarr
+  ports:
+  - port: 9696
+    targetPort: 9696

arr-stack/radarr/deployment.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radarr
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: radarr
+  template:
+    metadata:
+      labels:
+        app: radarr
+      annotations:
+        backup.velero.io/backup-volumes: config
+    spec:
+      containers:
+      - name: radarr
+        image: linuxserver/radarr:version-5.27.5.10198
+        volumeMounts:
+          - name: config
+            mountPath: /config
+          - name: downloads
+            mountPath: /mnt/Downloads
+          - name: movies
+            mountPath: /mnt/movies
+        resources:
+          limits:
+            memory: "1Gi"
+            cpu: "1"
+          requests:
+            memory: "512Mi"
+            cpu: "0.5"
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: radarr-config
+        - name: movies
+          nfs:
+            server: 10.105.15.20
+            path: /mnt/hdd-pool/movies
+        - name: downloads
+          nfs:
+            server: 10.105.15.20
+            path: /mnt/hdd-pool/syncthing-downloads

arr-stack/radarr/pvc.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: resilio-pvc
+  name: radarr-config
 spec:
-  storageClassName: weyma-shared
   resources:
     requests:
       storage: 10Gi
   volumeMode: Filesystem
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany

arr-stack/radarr/svc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: radarr
+spec:
+  selector:
+    app: radarr
+  ports:
+  - port: 7878
+    targetPort: 7878

arr-stack/sonarr/deployment.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sonarr
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sonarr
+  template:
+    metadata:
+      labels:
+        app: sonarr
+      annotations:
+        backup.velero.io/backup-volumes: config
+    spec:
+      containers:
+      - name: sonarr
+        image: linuxserver/sonarr:4.0.15
+        volumeMounts:
+          - name: config
+            mountPath: /config
+          - name: downloads
+            mountPath: /mnt/Downloads
+          - name: tv-shows
+            mountPath: /mnt/tv-shows
+        resources:
+          limits:
+            memory: "1Gi"
+            cpu: "1"
+          requests:
+            memory: "512Mi"
+            cpu: "0.5"
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: sonarr-config
+        - name: tv-shows
+          nfs:
+            server: 10.105.15.20
+            path: /mnt/hdd-pool/tv-shows
+        - name: downloads
+          nfs:
+            server: 10.105.15.20
+            path: /mnt/hdd-pool/syncthing-downloads

arr-stack/sonarr/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sonarr-config
+spec:
+  resources:
+    requests:
+      storage: 10Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany

arr-stack/sonarr/svc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sonarr
+spec:
+  selector:
+    app: sonarr
+  ports:
+  - port: 8989
+    targetPort: 8989

arr-stack/tunnel/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deluge-tunnel
+spec:
+  selector:
+    matchLabels:
+      app: deluge-tunnel
+  template:
+    metadata:
+      labels:
+        app: deluge-tunnel
+    spec:
+      containers:
+      - name: deluge-tunnel
+        image: kroniak/ssh-client:3.21
+        command: ["/bin/sh", "-c", "ssh -o StrictHostKeyChecking=no weyma-talos@45.152.211.243 -p 2222 -L 0.0.0.0:58846:127.0.0.1:58846 -L 0.0.0.0:8112:127.0.0.1:8112 -N"]
+        volumeMounts:
+          - name: ssh-keys
+            mountPath: /root/.ssh
+        resources:
+          limits:
+            memory: "512Mi"
+            cpu: "500m"
+          requests:
+            memory: "128Mi"
+            cpu: "200m"
+      volumes:
+        - name: ssh-keys
+          secret:
+            defaultMode: 0400
+            secretName: ssh-keys
+

arr-stack/tunnel/ssh-keys.yaml

@@ -0,0 +1,28 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: ssh-keys
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: deluge-ssh
+      metadataPolicy: None
+      property: private
+    secretKey: id_ed25519
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: deluge-ssh
+      metadataPolicy: None
+      property: public
+    secretKey: id_ed25519.pub
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: weyma-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: ssh-keys

arr-stack/tunnel/svc.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: deluge
+spec:
+  selector:
+    app: deluge-tunnel
+  ports:
+  - port: 58846
+    targetPort: 58846
+    name: deluge
+  - port: 8112
+    targetPort: 8112
+    name: web

attic/secret.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: attic-secret

authentik/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: authentik
-  version: 2025.4.1
+  version: 2025.10.2
   repository: https://charts.goauthentik.io

authentik/values.yaml

@@ -25,59 +25,6 @@ authentik:
       - name: cert-dubyatp-xyz
         secret:
           secretName: cert-dubyatp-xyz
-  postgresql:
-    enabled: true
-    image:
-      repository: bitnami/postgresql
-      tag: 15.8.0-debian-12-r18
-    auth:
-      username: authentik
-      database: authentik
-      existingSecret: "authentik-credentials"
-      secretKeys:
-        adminPasswordKey: "admin-password"
-        userPasswordKey: "user-password"
-        replicationPasswordKey: "replication-password"
-    primary:
-      podAnnotations:
-        backup.velero.io/backup-volumes: data
-      extendedConfiguration: |
-        max_connections = 500
-      resourcesPreset: "none"
-      persistence:
-        enabled: true
-        storageClass: weyma-shared
-        accessModes:
-          - ReadWriteOnce
-      readReplicas:
-        resourcesPreset: "none"
-      backup:
-        resourcesPreset: "none"
-      passwordUpdateJob:
-        resourcesPreset: "none"
-      volumePermissions:
-        resourcesPreset: "none"
-      metrics:
-        resourcesPreset: "none"
-  redis:
-    enabled: true
-    architecture: standalone
-    auth:
-      enabled: false
-    master:
-      resourcesPreset: "none"
-      podAnnotations:
-        backup.velero.io/backup-volumes: redis-data
-    replica:
-      resourcesPreset: "none"
-    sentinel:
-      resourcesPreset: "none"
-    metrics:
-      resourcesPreset: "none"
-    volumePermissions:
-      resourcesPreset: "none"
-    sysctl:
-      resourcesPreset: "none"
   global:
     env:
       - name: AUTHENTIK_SECRET_KEY
@@ -85,11 +32,32 @@ authentik:
           secretKeyRef:
             name: authentik-credentials
             key: authentik-secret-key
+      - name: AUTHENTIK_POSTGRESQL__HOST
+        value: pooler-weyma-rw.cloudnativepg.svc.cluster.local
+      - name: AUTHENTIK_POSTGRESQL__NAME
+        value: authentik
+      - name: AUTHENTIK_POSTGRESQL__USER
+        value: authentik
       - name: AUTHENTIK_POSTGRESQL__PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: authentik-db-auth
+            key: password
+      - name: AUTHENTIK_EMAIL__FROM
+        value: authentik_dubyatp@em924671.dubyatp.xyz
+      - name: AUTHENTIK_EMAIL__HOST
+        value: mail.smtp2go.com
+      - name: AUTHENTIK_EMAIL__USE_TLS
+        value: "true"
+      - name: AUTHENTIK_EMAIL__USERNAME
+        value: authentik_dubyatp
+      - name: AUTHENTIK_EMAIL__PASSWORD
         valueFrom:
           secretKeyRef:
             name: authentik-credentials
-            key: user-password
+            key: smtp-password
+      - name: AUTHENTIK_EMAIL__TIMEOUT
+        value: "30"
   additionalObjects:
     - apiVersion: networking.k8s.io/v1
       kind: Ingress
@@ -124,7 +92,7 @@ authentik:
       data:
         tls.crt: ""
         tls.key: ""
-    - apiVersion: external-secrets.io/v1beta1
+    - apiVersion: external-secrets.io/v1
       kind: ExternalSecret
       metadata:
         name: authentik-credentials
@@ -153,3 +121,28 @@ authentik:
             remoteRef:
               key: authentik
               property: user-password
+          - secretKey: smtp-password
+            remoteRef:
+              key: authentik
+              property: smtp-password
+    - apiVersion: external-secrets.io/v1
+      kind: ExternalSecret
+      metadata:
+        name: authentik-db-auth
+      spec:
+        data:
+        - remoteRef:
+            conversionStrategy: Default
+            decodingStrategy: None
+            key: cloudnativepg
+            metadataPolicy: None
+            property: authentik_pw
+          secretKey: password
+        refreshInterval: 1h
+        secretStoreRef:
+          kind: ClusterSecretStore
+          name: weyma-vault
+        target:
+          creationPolicy: Owner
+          deletionPolicy: Retain
+          name: authentik-db-auth

dispatcharr/deployment.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dispatcharr
+spec:
+  selector:
+    matchLabels:
+      app: dispatcharr
+  template:
+    metadata:
+      labels:
+        app: dispatcharr
+      annotations:
+        backup.velero.io/backup-volumes: data
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: extensions.talos.dev/i915
+                operator: Exists
+      nodeSelector:
+        kubernetes.io/hostname: weyma-talos-testw04
+      containers:
+      - name: dispatcharr
+        image: ghcr.io/dispatcharr/dispatcharr:0.8.0-amd64
+        env:
+          - name: DISPATCHARR_ENV
+            value: aio
+          - name: REDIS_HOST
+            value: localhost
+          - name: CELERY_BROKER_URL
+            value: redis://localhost:6379/0
+          - name: DISPATCHARR_LOG_LEVEL
+            value: info
+          - name: UWSGI_NICE_LEVEL
+            value: "-5"
+          - name: CELERY_NICE_LEVEL
+            value: "-5"
+        volumeMounts:
+          - name: dispatcharr-data
+            mountPath: /data
+          - name: dev-dri
+            mountPath: /dev/dri
+        resources:
+          limits:
+            memory: "3Gi"
+            cpu: "1"
+          requests:
+            memory: "256Mi"
+            cpu: "500m"
+        securityContext:
+          privileged: true
+      volumes:
+        - name: dispatcharr-data
+          persistentVolumeClaim:
+            claimName: dispatcharr
+        - name: dev-dri
+          hostPath:
+            path: /dev/dri

dispatcharr/ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dispatcharr
+  labels:
+    app.kubernetes.io/name: dispatcharr
+spec:
+  rules:
+  - host: dispatcharr.dubyatp.xyz
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: dispatcharr-svc
+            port: 
+              number: 9191

dispatcharr/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: dispatcharr
+spec:
+  resources:
+    requests:
+      storage: 20Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany

dispatcharr/svc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: dispatcharr-svc
+spec:
+  selector:
+    app: dispatcharr
+  ports:
+  - port: 9191
+    targetPort: 9191

emby/cert-dubyatp-xyz.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cert-dubyatp-xyz
-  annotations:
-    replicator.v1.mittwald.de/replicate-from: "cert-manager/cert-dubyatp-xyz"
-    replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
-data:
-  tls.crt: ""
-  tls.key: ""

emby/deployment.yaml

@@ -1,79 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: emby
-spec:
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: emby
-  template:
-    metadata:
-      annotations:
-        backup.velero.io/backup-volumes: emby-config
-      labels:
-        app: emby
-    spec:
-      volumes:
-        - name: tv-shows
-          nfs:
-            server: 10.105.15.20
-            path: /mnt/hdd-pool/tv-shows
-        - name: movies
-          nfs:
-            server: 10.105.15.20
-            path: /mnt/hdd-pool/movies
-        - name: emby-config
-          persistentVolumeClaim:
-            claimName: emby-config
-        - name: transcode-temp
-          emptyDir:
-            sizeLimit: 8Gi
-            medium: Memory
-        - name: dev-dri
-          hostPath:
-            path: /dev/dri
-      containers:
-      - name: emby
-        image: emby/embyserver:4.8.11.0
-        volumeMounts:
-          - name: tv-shows
-            mountPath: /mnt/tv-shows
-          - name: movies
-            mountPath: /mnt/movies
-          - name: emby-config
-            mountPath: /config
-          - name: transcode-temp
-            mountPath: /tmp/transcode
-          - name: dev-dri
-            mountPath: /dev/dri
-        env:
-        - name: UID
-          value: "1000"
-        - name: GID
-          value: "1000"
-        - name: GIDLIST
-          value: "100"
-        livenessProbe:
-          httpGet:
-            path: /
-            port: http
-        securityContext:
-          privileged: true
-        resources:
-          limits:
-            memory: 8Gi
-            cpu: '1'
-          requests:
-            memory: 4Gi
-            cpu: "500m"
-      nodeSelector:
-        kubernetes.io/hostname: weyma-talos-testw04
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: extensions.talos.dev/i915
-                operator: Exists

emby/ingress.yaml

@@ -1,22 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: emby-ingress
-  annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: cloudflarewarp@file
-spec:
-  rules:
-  - host: emby.dubyatp.xyz
-    http:
-      paths:
-      - pathType: Prefix
-        path: "/"
-        backend:
-          service:
-            name: emby-http-svc
-            port: 
-              number: 8096
-  tls:
-  - hosts:
-    - emby.dubyatp.xyz
-    secretName: cert-dubyatp-xyz

emby/resilio-sync.yaml

@@ -1,39 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: resilio-sync
-spec:
-  selector:
-    matchLabels:
-      app: resilio-sync
-  template:
-    metadata:
-      labels:
-        app: resilio-sync
-    spec:
-      containers:
-      - name: resilio-sync
-        image: lscr.io/linuxserver/resilio-sync:3.0.0
-        volumeMounts:
-        - name: config
-          mountPath: /config
-        - name: tv-shows
-          mountPath: /sync/tv-shows
-        - name: movies
-          mountPath: /sync/movies
-        resources:
-          limits:
-            memory: "700Mi"
-            cpu: "500m"
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: resilio-pvc
-        - name: tv-shows
-          nfs:
-            server: 10.105.15.20
-            path: /mnt/hdd-pool/tv-shows
-        - name: movies
-          nfs:
-            server: 10.105.15.20
-            path: /mnt/hdd-pool/movies

emby/svc.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: emby-http-svc
-spec:
-  type: ClusterIP
-  selector:
-    app: emby
-  ports:
-  - port: 8096
-    targetPort: 8096
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: emby-https-svc
-spec:
-  type: ClusterIP
-  selector:
-    app: emby
-  ports:
-  - port: 8920
-    targetPort: 8920

gitea-runner/deployment.yaml

@@ -1,33 +1,39 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: gitea-runner
+  annotations:
+    deployment.kubernetes.io/revision: "4"
+  labels:
+    app: act-runner
+  name: act-runner
+  namespace: gitea-runner
 spec:
+  progressDeadlineSeconds: 600
   replicas: 1
-  strategy:
-    type: Recreate
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app: gitea-runner
+      app: act-runner
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
   template:
     metadata:
+      creationTimestamp: null
       labels:
-        app: gitea-runner
+        app: act-runner
     spec:
-      restartPolicy: Always
-      volumes:
-      - name: docker-certs
-        emptyDir: {}
-      - name: runner-data
-        persistentVolumeClaim:
-          claimName: gitea-runner-pvc
       containers:
-      - name: runner
-        image: gitea/act_runner:nightly
-        command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- run.sh"]
+      - command:
+        - sh
+        - -c
+        - while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...';
+          sleep 5; done; /sbin/tini -- run.sh
         env:
         - name: DOCKER_HOST
-          value: tcp://127.0.0.1:2376
+          value: tcp://localhost:2376
         - name: DOCKER_CERT_PATH
           value: /certs/client
         - name: DOCKER_TLS_VERIFY
@@ -37,20 +43,37 @@ spec:
         - name: GITEA_RUNNER_REGISTRATION_TOKEN
           valueFrom:
             secretKeyRef:
-              name: gitea-runner-token
-              key: registration-token
+              key: token
+              name: runner-secret
+        image: gitea/act_runner:nightly
+        imagePullPolicy: Always
+        name: runner
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
         volumeMounts:
-        - name: docker-certs
-          mountPath: /certs
-        - name: runner-data
-          mountPath: /data
-      - name: daemon
-        image: docker:23.0.6-dind
-        env:
+        - mountPath: /certs
+          name: docker-certs
+        - mountPath: /data
+          name: runner-data
+      - env:
         - name: DOCKER_TLS_CERTDIR
           value: /certs
+        image: docker:23.0.6-dind
+        imagePullPolicy: IfNotPresent
+        name: daemon
         securityContext:
           privileged: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
         volumeMounts:
-        - name: docker-certs
-          mountPath: /certs
+        - mountPath: /certs
+          name: docker-certs
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: docker-certs
+      - name: runner-data
+        persistentVolumeClaim:
+          claimName: act-runner-vol

gitea-runner/secret.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: gitea-runner-token

gitea/Chart.yaml

@@ -0,0 +1,28 @@
+apiVersion: v2
+name: gitea
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
+
+dependencies:
+- name: gitea
+  version: 12.4.0
+  repository: https://dl.gitea.com/charts/

gitea/values.yaml

@@ -0,0 +1,188 @@
+gitea:
+  replicaCount: 3
+  ingress:
+    enabled: true
+    hosts:
+      - host: git.dubyatp.xyz
+        paths:
+          - path: /
+    tls:
+      - secretName: cert-dubyatp-xyz
+        hosts:
+          - git.dubyatp.xyz
+  persistence:
+    enabled: true
+    create: true
+    mount: true
+    claimName: gitea-shared-storage
+    size: 50Gi
+    accessModes:
+      - ReadWriteMany
+    storageClass: weyma-shared
+  deployment:
+    annotations:
+      backup.velero.io/backup-volumes: data
+    env:
+      - name: GITEA__database__PASSWD
+        valueFrom:
+          secretKeyRef:
+            key: password
+            name: gitea-db-auth
+      - name: GITEA__mailer__PASSWD
+        valueFrom:
+          secretKeyRef:
+            key: smtp_smtp2go
+            name: gitea-secrets
+      - name: GITEA__security__INTERNAL_TOKEN
+        valueFrom:
+          secretKeyRef:
+            key: internal_token
+            name: gitea-secrets
+      - name: GITEA__security__SECRET_KEY
+        valueFrom:
+          secretKeyRef:
+            key: secret_key
+            name: gitea-secrets
+      - name: GITEA__oauth2__JWT_SECRET
+        valueFrom:
+          secretKeyRef:
+            key: oauth2_jwt
+            name: gitea-secrets
+  gitea:
+    admin:
+      passwordMode: initialOnlyNoReset
+    podAnnotations:
+      backup.velero.io/backup-volumes: data
+    config:
+      database:
+        DB_TYPE: postgres
+        HOST: pooler-weyma-rw.cloudnativepg.svc.cluster.local
+        NAME: gitea
+        USER: gitea
+      server:
+        DISABLE_SSH: false
+        DOMAIN: git.dubyatp.xyz
+        ENABLE_PPROF: false
+        ROOT_URL: https://git.dubyatp.xyz
+        SSH_DOMAIN: git-ssh.dubyatp.xyz
+        SSH_LISTEN_PORT: 22
+        SSH_PORT: 22
+        START_SSH_SERVER: true
+        OFFLINE_MODE: false
+      service:
+        DISABLE_REGISTRATION: false
+      webhook:
+        ALLOWED_HOST_LIST: "drone.infra.dubyatp.xyz,argocd.infra.dubyatp.xyz,discord.com,10.0.0.0/8"
+      mailer:
+        ENABLED: true
+        FROM: gitea@em924671.dubyatp.xyz
+        PROTOCOL: smtps
+        SMTP_ADDR: mail.smtp2go.com
+        SMTP_PORT: 465
+        USER: gitea_dubyatp
+      security:
+        INSTALL_LOCK: true
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  extraDeploy:
+    - apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: gitea-ssh
+      spec:
+        entryPoints:
+        - gitssh
+        routes:
+        - match: HostSNI(`*`)
+          priority: 1
+          services:
+          - name: gitea-ssh
+            port: 22
+    - apiVersion: v1
+      kind: Secret
+      metadata:
+        name: cert-dubyatp-xyz
+        annotations:
+          replicator.v1.mittwald.de/replicate-from: "cert-manager/cert-dubyatp-xyz"
+          replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
+      data:
+        tls.crt: ""
+        tls.key: ""
+    - apiVersion: external-secrets.io/v1
+      kind: ExternalSecret
+      metadata:
+        name: gitea-db-auth
+      spec:
+        data:
+        - remoteRef:
+            conversionStrategy: Default
+            decodingStrategy: None
+            key: cloudnativepg
+            metadataPolicy: None
+            property: gitea_pw
+          secretKey: password
+        refreshInterval: 1h
+        secretStoreRef:
+          kind: ClusterSecretStore
+          name: weyma-vault
+        target:
+          creationPolicy: Owner
+          deletionPolicy: Retain
+          name: gitea-db-auth
+    - apiVersion: external-secrets.io/v1
+      kind: ExternalSecret
+      metadata:
+        name: gitea-secrets
+      spec:
+        data:
+        - remoteRef:
+            conversionStrategy: Default
+            decodingStrategy: None
+            key: gitea
+            metadataPolicy: None
+            property: internal_token
+          secretKey: internal_token
+        - remoteRef:
+            conversionStrategy: Default
+            decodingStrategy: None
+            key: gitea
+            metadataPolicy: None
+            property: oauth2_jwt
+          secretKey: oauth2_jwt
+        - remoteRef:
+            conversionStrategy: Default
+            decodingStrategy: None
+            key: gitea
+            metadataPolicy: None
+            property: secret_key
+          secretKey: secret_key
+        - remoteRef:
+            conversionStrategy: Default
+            decodingStrategy: None
+            key: gitea
+            metadataPolicy: None
+            property: smtp_smtp2go
+          secretKey: smtp_smtp2go
+        - remoteRef:
+            conversionStrategy: Default
+            decodingStrategy: None
+            key: gitea
+            metadataPolicy: None
+            property: gitea_admin
+          secretKey: gitea_admin
+        refreshInterval: 1h
+        secretStoreRef:
+          kind: ClusterSecretStore
+          name: weyma-vault
+        target:
+          creationPolicy: Owner
+          deletionPolicy: Retain
+          name: gitea-secrets
+  postgresql-ha:
+    enabled: false
+  valkey-cluster:
+    enabled: true
+    valkey:
+      resourcesPreset: "small"

grafana/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: grafana
-  version: 9.0.0
+  version: 10.2.0
   repository: https://grafana.github.io/helm-charts

grafana/values.yaml

@@ -3,17 +3,8 @@ grafana:
     existingSecret: grafana-admin
     passwordKey: passwordKey
     userKey: userKey
-  affinity: {}
-  alerting: {}
   assertNoLeakedSecrets: true
   automountServiceAccountToken: true
-  autoscaling:
-    behavior: {}
-    enabled: false
-    maxReplicas: 5
-    minReplicas: 1
-    targetCPU: "60"
-    targetMemory: ""
   containerSecurityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -22,52 +13,16 @@ grafana:
     seccompProfile:
       type: RuntimeDefault
   createConfigmap: true
-  dashboardProviders: {}
-  dashboards: {}
-  dashboardsConfigMaps: {}
-  datasources: {}
   defaultCurlOptions: -skf
   deploymentStrategy:
-    type: RollingUpdate
-  dnsConfig: {}
-  dnsPolicy: null
-  downloadDashboards:
-    env: {}
-    envFromSecret: ""
-    envValueFrom: {}
-    resources: {}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      seccompProfile:
-        type: RuntimeDefault
-  downloadDashboardsImage:
-    pullPolicy: IfNotPresent
-    registry: docker.io
-    repository: curlimages/curl
-    sha: ""
-    tag: 8.9.1
-  enableKubeBackwardCompatibility: false
+    type: Recreate
   enableServiceLinks: true
-  env: {}
   envFromConfigMaps:
   - name: grafana-env
-  envFromSecret: ""
   envFromSecrets:
   - name: grafana-secretenv
-  envRenderSecret: {}
-  envValueFrom: {}
-  extraConfigmapMounts: []
-  extraContainerVolumes: []
-  extraContainers: ""
-  extraEmptyDirMounts: []
-  extraExposePorts: []
-  extraInitContainers: []
-  extraLabels: {}
   extraObjects:
-  - apiVersion: external-secrets.io/v1beta1
+  - apiVersion: external-secrets.io/v1
     kind: ExternalSecret
     metadata:
       name: grafana-admin
@@ -95,7 +50,7 @@ grafana:
         creationPolicy: Owner
         deletionPolicy: Retain
         name: grafana-admin
-  - apiVersion: external-secrets.io/v1beta1
+  - apiVersion: external-secrets.io/v1
     kind: ExternalSecret
     metadata:
       name: grafana-secretenv
@@ -148,13 +103,6 @@ grafana:
     data:
       tls.crt: ""
       tls.key: ""
-  extraSecretMounts: []
-  extraVolumeMounts: []
-  extraVolumes: []
-  global:
-    imagePullSecrets: []
-    imageRegistry: null
-  gossipPortName: gossip
   grafana.ini:
     analytics:
       check_for_updates: true
@@ -170,93 +118,14 @@ grafana:
     server:
       domain: '{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts
         | first) . }}{{ else }}''''{{ end }}'
-  headlessService: false
-  hostAliases: []
   image:
     pullPolicy: IfNotPresent
-    pullSecrets: []
     registry: docker.io
     repository: grafana/grafana
-    sha: ""
-    tag: ""
-  imageRenderer:
-    affinity: {}
-    automountServiceAccountToken: false
-    autoscaling:
-      behavior: {}
-      enabled: false
-      maxReplicas: 5
-      minReplicas: 1
-      targetCPU: "60"
-      targetMemory: ""
-    containerSecurityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      seccompProfile:
-        type: RuntimeDefault
-    deploymentStrategy: {}
-    enabled: false
-    env:
-      HTTP_HOST: 0.0.0.0
-      XDG_CACHE_HOME: /tmp/.chromium
-      XDG_CONFIG_HOME: /tmp/.chromium
-    envValueFrom: {}
-    extraConfigmapMounts: []
-    extraSecretMounts: []
-    extraVolumeMounts: []
-    extraVolumes: []
-    grafanaProtocol: http
-    grafanaSubPath: ""
-    hostAliases: []
-    image:
-      pullPolicy: Always
-      pullSecrets: []
-      registry: docker.io
-      repository: grafana/grafana-image-renderer
-      sha: ""
-      tag: latest
-    networkPolicy:
-      extraIngressSelectors: []
-      limitEgress: false
-      limitIngress: true
-    nodeSelector: {}
-    podAnnotations: {}
-    podPortName: http
-    priorityClassName: ""
-    renderingCallbackURL: ""
-    replicas: 1
-    resources: {}
-    revisionHistoryLimit: 10
-    securityContext: {}
-    serverURL: ""
-    service:
-      appProtocol: ""
-      enabled: true
-      port: 8081
-      portName: http
-      targetPort: 8081
-    serviceAccountName: ""
-    serviceMonitor:
-      enabled: false
-      interval: 1m
-      labels: {}
-      path: /metrics
-      relabelings: []
-      scheme: http
-      scrapeTimeout: 30s
-      targetLabels: []
-      tlsConfig: {}
-    tolerations: []
   ingress:
-    annotations: {}
     enabled: true
-    extraPaths: []
     hosts:
     - grafana.infra.dubyatp.xyz
-    labels: {}
     path: /
     pathType: Prefix
     tls:
@@ -265,13 +134,6 @@ grafana:
       secretName: cert-dubyatp-xyz
   initChownData:
     enabled: true
-    image:
-      pullPolicy: IfNotPresent
-      registry: docker.io
-      repository: library/busybox
-      sha: ""
-      tag: 1.37.0
-    resources: {}
     securityContext:
       capabilities:
         add:
@@ -283,11 +145,6 @@ grafana:
       runAsUser: 0
       seccompProfile:
         type: RuntimeDefault
-  ldap:
-    config: ""
-    enabled: false
-    existingSecret: ""
-  lifecycleHooks: {}
   livenessProbe:
     failureThreshold: 10
     httpGet:
@@ -295,227 +152,45 @@ grafana:
       port: 3000
     initialDelaySeconds: 60
     timeoutSeconds: 30
-  namespaceOverride: ""
-  networkPolicy:
-    allowExternal: true
-    egress:
-      blockDNSResolution: false
-      enabled: false
-      ports: []
-      to: []
-    enabled: false
-    explicitNamespacesSelector: {}
-    ingress: true
-  nodeSelector: {}
-  notifiers: {}
   persistence:
     accessModes:
     - ReadWriteOnce
-    disableWarning: false
     enabled: true
-    extraPvcLabels: {}
     finalizers:
     - kubernetes.io/pvc-protection
-    inMemory:
-      enabled: false
-    lookupVolumeName: true
     size: 10Gi
     type: pvc
-    volumeName: ""
-  plugins: []
-  podDisruptionBudget: {}
   podPortName: grafana
   podAnnotations:
     backup.velero.io/backup-volumes: "storage"
   rbac:
     create: true
-    extraClusterRoleRules: []
-    extraRoleRules: []
     namespaced: false
-    pspEnabled: false
-    pspUseAppArmor: false
   readinessProbe:
     httpGet:
       path: /api/health
       port: 3000
   replicas: 1
-  resources: {}
   revisionHistoryLimit: 10
-  route:
-    main:
-      additionalRules: []
-      annotations: {}
-      apiVersion: gateway.networking.k8s.io/v1
-      enabled: false
-      filters: []
-      hostnames: []
-      kind: HTTPRoute
-      labels: {}
-      matches:
-      - path:
-          type: PathPrefix
-          value: /
-      parentRefs: []
   securityContext:
     fsGroup: 472
     runAsGroup: 472
     runAsNonRoot: true
     runAsUser: 472
   service:
-    annotations: {}
-    appProtocol: ""
     enabled: true
-    ipFamilies: []
-    ipFamilyPolicy: ""
-    labels: {}
-    loadBalancerClass: ""
-    loadBalancerIP: ""
-    loadBalancerSourceRanges: []
     port: 80
     portName: service
-    sessionAffinity: ""
     targetPort: 3000
     type: ClusterIP
   serviceAccount:
     automountServiceAccountToken: false
     create: true
-    labels: {}
-    name: null
-    nameTest: null
-  serviceMonitor:
-    basicAuth: {}
-    enabled: false
-    interval: 30s
-    labels: {}
-    metricRelabelings: []
-    path: /metrics
-    relabelings: []
-    scheme: http
-    scrapeTimeout: 30s
-    targetLabels: []
-    tlsConfig: {}
-  shareProcessNamespace: false
-  sidecar:
-    alerts:
-      enabled: false
-      env: {}
-      extraMounts: []
-      initAlerts: false
-      label: grafana_alert
-      labelValue: ""
-      reloadURL: http://localhost:3000/api/admin/provisioning/alerting/reload
-      resource: both
-      resourceName: ""
-      script: null
-      searchNamespace: null
-      sizeLimit: {}
-      skipReload: false
-      watchMethod: WATCH
-    dashboards:
-      SCProvider: true
-      defaultFolderName: null
-      enabled: false
-      env: {}
-      envValueFrom: {}
-      extraMounts: []
-      folder: /tmp/dashboards
-      folderAnnotation: null
-      label: grafana_dashboard
-      labelValue: ""
-      provider:
-        allowUiUpdates: false
-        disableDelete: false
-        folder: ""
-        folderUid: ""
-        foldersFromFilesStructure: false
-        name: sidecarProvider
-        orgid: 1
-        type: file
-      reloadURL: http://localhost:3000/api/admin/provisioning/dashboards/reload
-      resource: both
-      resourceName: ""
-      script: null
-      searchNamespace: null
-      sizeLimit: {}
-      skipReload: false
-      watchMethod: WATCH
-    datasources:
-      enabled: false
-      env: {}
-      envValueFrom: {}
-      extraMounts: []
-      initDatasources: false
-      label: grafana_datasource
-      labelValue: ""
-      reloadURL: http://localhost:3000/api/admin/provisioning/datasources/reload
-      resource: both
-      resourceName: ""
-      script: null
-      searchNamespace: null
-      sizeLimit: {}
-      skipReload: false
-      watchMethod: WATCH
-    enableUniqueFilenames: false
-    image:
-      registry: quay.io
-      repository: kiwigrid/k8s-sidecar
-      sha: ""
-      tag: 1.30.3
-    imagePullPolicy: IfNotPresent
-    livenessProbe: {}
-    notifiers:
-      enabled: false
-      env: {}
-      extraMounts: []
-      initNotifiers: false
-      label: grafana_notifier
-      labelValue: ""
-      reloadURL: http://localhost:3000/api/admin/provisioning/notifications/reload
-      resource: both
-      resourceName: ""
-      script: null
-      searchNamespace: null
-      sizeLimit: {}
-      skipReload: false
-      watchMethod: WATCH
-    plugins:
-      enabled: false
-      env: {}
-      extraMounts: []
-      initPlugins: false
-      label: grafana_plugin
-      labelValue: ""
-      reloadURL: http://localhost:3000/api/admin/provisioning/plugins/reload
-      resource: both
-      resourceName: ""
-      script: null
-      searchNamespace: null
-      sizeLimit: {}
-      skipReload: false
-      watchMethod: WATCH
-    readinessProbe: {}
-    resources: {}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      seccompProfile:
-        type: RuntimeDefault
-  smtp:
-    existingSecret: ""
-    passwordKey: password
-    userKey: user
   testFramework:
-    containerSecurityContext: {}
     enabled: true
     image:
       registry: docker.io
       repository: bats/bats
-      tag: 1.12.0
+      tag: 1.13.0
     imagePullPolicy: IfNotPresent
-    resources: {}
-    securityContext: {}
-  tolerations: []
-  topologySpreadConstraints: []
   useStatefulSet: false

immich/immich-ml-deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
       - name: immich-ml
-        image: ghcr.io/immich-app/immich-machine-learning:v1.132.3
+        image: ghcr.io/immich-app/immich-machine-learning:v1.134.0
         volumeMounts:
           - name: model-cache
             mountPath: /cache
@@ -23,7 +23,7 @@ spec:
             mountPath: /dev/dri
         env:
           - name: DB_HOSTNAME
-            value: "weyma-pgsql-rw.cloudnativepg.svc.cluster.local"
+            value: "immich-rw.cloudnativepg.svc.cluster.local"
           - name: DB_DATABASE_NAME
             value: "immich"
           - name: DB_USERNAME

immich/immich-postgres-credentials.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: postgres-credentials

immich/immich-server_deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
       - name: immich-server
-        image: ghcr.io/immich-app/immich-server:v1.132.3
+        image: ghcr.io/immich-app/immich-server:v1.134.0
         volumeMounts:
           - name: library
             mountPath: /usr/src/app/upload
@@ -23,7 +23,7 @@ spec:
             mountPath: /dev/dri
         env:
           - name: DB_HOSTNAME
-            value: "weyma-pgsql-rw.cloudnativepg.svc.cluster.local"
+            value: "immich-rw.cloudnativepg.svc.cluster.local"
           - name: DB_DATABASE_NAME
             value: "immich"
           - name: DB_USERNAME

jellyfin/Chart.yaml

@@ -0,0 +1,28 @@
+apiVersion: v2
+name: jellyfin
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
+
+dependencies:
+- name: jellyfin
+  version: 2.5.0
+  repository: https://jellyfin.github.io/jellyfin-helm

jellyfin/templates/metrics-block.yaml

@@ -0,0 +1,33 @@
+{{- if and (.Values.jellyfin.metrics.enabled) (.Values.jellyfin.ingress.enabled) -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dummy-svc
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    app: dummy-svc
+  ports:
+    - protocol: TCP
+      port: 6767
+      targetPort: 6767
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: block-metrics
+  namespace: {{ .Release.Namespace }}
+spec:
+  rules:
+  - host: {{ (index .Values.jellyfin.ingress.hosts 0).host }}
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/metrics"
+        backend:
+          service:
+            name: dummy-svc
+            port: 
+              number: 6767
+{{- end }}

jellyfin/templates/redirect-regex.yaml

@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: emby-redirect
+spec:
+  redirectRegex:
+    regex: ^https?://emby\.dubyatp\.xyz/(.*)$
+    replacement: https://jellyfin.dubyatp.xyz/${1}
+    permanent: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: emby-redirect
+spec:
+  entryPoints:
+  - websecure
+  - web
+  routes:
+  - kind: Rule
+    match: Host(`emby.dubyatp.xyz`)
+    middlewares:
+        - name: emby-redirect
+    services:
+      - name: noop@internal
+        kind: TraefikService

jellyfin/templates/ssl-cert.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+  tls.crt:
+  tls.key:
+kind: Secret
+metadata:
+  annotations:
+    replicator.v1.mittwald.de/replicate-from: cert-manager/cert-dubyatp-xyz
+    replicator.v1.mittwald.de/replicated-keys: tls.crt,tls.key
+  name: cert-dubyatp-xyz
+type: Opaque

jellyfin/values.yaml

@@ -0,0 +1,73 @@
+jellyfin:
+  deploymentStrategy:
+    type: Recreate
+  ingress:
+    enabled: true
+    hosts:
+      - host: jellyfin.dubyatp.xyz
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+    tls:
+      - secretName: cert-dubyatp.xyz
+        hosts:
+          - jellyfin.dubyatp.xyz
+  persistence:
+    config:
+      size: 25Gi
+    media:
+      enabled: false
+  volumes:
+    - name: tv-shows
+      nfs:
+        server: 10.105.15.20
+        path: /mnt/hdd-pool/tv-shows
+    - name: movies
+      nfs:
+        server: 10.105.15.20
+        path: /mnt/hdd-pool/movies
+    - name: dvr
+      nfs:
+        server: 10.105.15.20
+        path: /mnt/hdd-pool/DVR
+    - name: youtube-vids
+      nfs:
+        server: 10.105.15.20
+        path: /mnt/hdd-pool/youtube-vids
+    - name: transcode-temp
+      emptyDir:
+        sizeLimit: 8Gi
+        medium: Memory
+    - name: dev-dri
+      hostPath:
+        path: /dev/dri
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  volumeMounts:
+    - name: tv-shows
+      mountPath: /mnt/tv-shows
+    - name: movies
+      mountPath: /mnt/movies
+    - name: dvr
+      mountPath: /mnt/dvr
+    - name: youtube-vids
+      mountPath: /mnt/youtube-vids
+    - name: transcode-temp
+      mountPath: /tmp/transcode
+    - name: dev-dri
+      mountPath: /dev/dri
+  podAnnotations:
+    backup.velero.io/backup-volumes: config
+  securityContext:
+    privileged: true
+  nodeSelector:
+    kubernetes.io/hostname: weyma-talos-testw04
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+            - key: extensions.talos.dev/i915
+              operator: Exists

netmaker/config.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: netmaker-config 
+data:
+  SERVER_NAME: netmaker.infra.dubyatp.xyz
+  SERVER_API_CONN_STRING: api.netmaker.infra.dubyatp.xyz:443
+  SERVER_HTTP_HOST: api.netmaker.infra.dubyatp.xyz
+  API_PORT: "8081"
+  WG_QUICK_USERSPACE_IMPLEMENTATION: wireguard-go
+  DNS_MODE: "off"
+  DISPLAY_KEYS: "on"
+  DATABASE: postgres
+  SQL_HOST: "pooler-weyma-rw.cloudnativepg.svc.cluster.local"
+  SQL_PORT: "5432"
+  SQL_DB: "netmaker"
+  SQL_USER: "netmaker"
+  MQ_USERNAME: netmaker
+  CORS_ALLOWED_ORIGIN: '*'
+  SERVER_BROKER_ENDPOINT: "ws://mq:1883"
+  BROKER_ENDPOINT: "wss://broker.netmaker.infra.dubyatp.xyz"
+  PLATFORM: "Kubernetes"
+  VERBOSITY: "3"
+  K8s: "true"
+  CACHING_ENABLED: "false"

netmaker/ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: netmaker-api-ingress
+spec:
+  rules:
+  - host: api.netmaker.infra.dubyatp.xyz
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: netmaker-rest
+            port: 
+              number: 8081

netmaker/mosquitto/certs-pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: shared-certs-pvc
+spec:
+  storageClassName: weyma-shared
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 100Mi

netmaker/mosquitto/config.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+data:
+  mosquitto.conf: |
+    per_listener_settings false
+    listener 8883
+    protocol websockets
+    allow_anonymous false
+    listener 1883
+    protocol websockets
+    allow_anonymous false
+    password_file /mosquitto/temp/password.txt
+  wait.sh: |
+    #!/bin/ash
+
+    encrypt_password() {
+      echo "${MQ_USERNAME}:${MQ_PASSWORD}" > /mosquitto/temp/password.txt
+      mosquitto_passwd -U /mosquitto/temp/password.txt
+      chmod 0700 /mosquitto/temp/password.txt
+    }
+
+    main(){
+
+     encrypt_password
+     echo "Starting MQ..."
+     # Run the main container command.
+     /docker-entrypoint.sh
+     /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf
+
+    }
+
+    main "${@}"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: mosquitto
+    app.kubernetes.io/name: mosquitto
+  name: mosquitto-config
+  namespace: netmaker

netmaker/mosquitto/deployment.yaml

@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mosquitto
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: mosquitto
+      app.kubernetes.io/name: mosquitto
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: mosquitto
+        app.kubernetes.io/name: mosquitto
+    spec:
+      containers:
+      - image: eclipse-mosquitto:2.0.22-openssl
+        imagePullPolicy: IfNotPresent
+        command: ["/mosquitto/config/wait.sh"]
+        livenessProbe:
+          failureThreshold: 3
+          periodSeconds: 10
+          successThreshold: 1
+          tcpSocket:
+            port: 8883
+          timeoutSeconds: 1
+        name: mosquitto
+        env:
+          - name: MQ_USERNAME
+            value: netmaker
+          - name: MQ_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: mq_password
+                name: netmaker-secrets
+        ports:
+        - containerPort: 1883        
+          name: mqtt
+          protocol: TCP
+        - containerPort: 8883        
+          name: mqtt2
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 3
+          periodSeconds: 10
+          successThreshold: 1
+          tcpSocket:
+            port: 8883
+          timeoutSeconds: 1
+        resources: {}
+        startupProbe:
+          failureThreshold: 30
+          periodSeconds: 5
+          successThreshold: 1
+          tcpSocket:
+            port: 8883
+          timeoutSeconds: 1
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /mosquitto/config
+          name: mosquitto-config
+        - mountPath: /mosquitto/certs
+          name: shared-certs
+        - mountPath: /mosquitto/temp
+          name: mosquitto-temp
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          name: mosquitto-config
+          defaultMode: 0755
+        name: mosquitto-config
+      - name: mosquitto-temp
+        emptyDir:
+      - name: shared-certs
+        persistentVolumeClaim:
+          claimName: shared-certs-pvc

netmaker/mosquitto/ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mosquitto-ingress
+  labels:
+    app.kubernetes.io/name: mosquitto-ingress
+spec:
+  rules:
+  - host: broker.netmaker.infra.dubyatp.xyz
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: mq
+            port: 
+              number: 8883

netmaker/mosquitto/svc.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mq
+  namespace: netmaker
+spec:
+  ports:
+  - name: mqtt
+    port: 1883
+    protocol: TCP
+    targetPort: mqtt
+  - name: mqtt2
+    port: 8883
+    protocol: TCP
+    targetPort: mqtt2    
+  selector:
+    app.kubernetes.io/instance: mosquitto
+    app.kubernetes.io/name: mosquitto
+  sessionAffinity: None
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: 'netmaker-mqtt'
+spec:
+  externalTrafficPolicy: Cluster
+  type: NodePort
+  selector:
+    app.kubernetes.io/instance: mosquitto
+    app.kubernetes.io/name: mosquitto
+  ports:
+  - port: 31883
+    nodePort: 31883
+    protocol: TCP
+    targetPort: 8883
+    name: nm-mqtt

netmaker/postgres-auth.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: postgres-pw
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: cloudnativepg
+      metadataPolicy: None
+      property: netmaker_pw
+    secretKey: password
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: weyma-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: postgres-pw

netmaker/secrets.yaml

@@ -0,0 +1,35 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: netmaker-secrets
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: netmaker
+      metadataPolicy: None
+      property: master_key
+    secretKey: master_key
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: netmaker
+      metadataPolicy: None
+      property: mq_password
+    secretKey: mq_password
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: netmaker
+      metadataPolicy: None
+      property: turn_password
+    secretKey: turn_password
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: weyma-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: netmaker-secrets

netmaker/statefulset.yaml

@@ -0,0 +1,95 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: netmaker
+  name: netmaker
+spec:
+  replicas: 3
+  serviceName: netmaker-headless
+  selector:
+    matchLabels:
+      app: netmaker
+  template:
+    metadata:
+      labels:
+        app: netmaker
+    spec:
+      initContainers:
+      - name: init-sysctl
+        image: busybox
+        imagePullPolicy: IfNotPresent
+        command: ["/bin/sh", "-c"]
+        args: ["sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.src_valid_mark=1 && sysctl -w net.ipv6.conf.all.disable_ipv6=0 && sysctl -w net.ipv6.conf.all.forwarding=1"]
+        securityContext:
+          privileged: true
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+      - env:
+        - name: NODE_ID
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: SQL_PASS
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: postgres-pw
+        - name: MASTER_KEY
+          valueFrom:
+            secretKeyRef:
+              key: master_key
+              name: netmaker-secrets
+        - name: MQ_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: mq_password
+              name: netmaker-secrets
+        - name: TURN_SERVER_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: turn_password
+              name: netmaker-secrets
+        envFrom:
+          - configMapRef:
+              name: netmaker-config
+        image: gravitl/netmaker:v1.1.0
+        imagePullPolicy: Always
+        name: netmaker
+        ports:
+        - containerPort: 8081
+          protocol: TCP
+        - containerPort: 31821
+          protocol: UDP
+        - containerPort: 31822
+          protocol: UDP
+        - containerPort: 31823
+          protocol: UDP
+        - containerPort: 31824
+          protocol: UDP
+        - containerPort: 31825
+          protocol: UDP
+        - containerPort: 31826
+          protocol: UDP
+        - containerPort: 31827
+          protocol: UDP
+        - containerPort: 31828
+          protocol: UDP
+        - containerPort: 31829
+          protocol: UDP
+        - containerPort: 31830
+          protocol: UDP
+        resources: {}
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+            - NET_RAW
+        volumeMounts:
+        - mountPath: /etc/netmaker/
+          name: shared-certs
+      volumes:
+      - name: shared-certs
+        persistentVolumeClaim:
+          claimName: shared-certs-pvc

netmaker/svc.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: 'netmaker-rest'
+spec:
+  ports:
+  - name: rest
+    port: 8081
+    protocol: TCP
+    targetPort: 8081
+  selector:
+    app: 'netmaker'
+  sessionAffinity: None
+  type: ClusterIP

netmaker/ui/deployment.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: netmaker-ui
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: netmaker-ui
+  template:
+    metadata:
+      labels:
+        app: netmaker-ui
+    spec:
+      containers:
+      - name: netmaker-ui
+        image: gravitl/netmaker-ui:v1.1.0
+        env:
+        - name: BACKEND_URL
+          value: 'https://api.netmaker.infra.dubyatp.xyz'
+      terminationGracePeriodSeconds: 15

netmaker/ui/ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: netmaker-ui-ingress
+spec:
+  rules:
+  - host: dashboard.netmaker.infra.dubyatp.xyz
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: netmaker-ui
+            port: 
+              number: 80

netmaker/ui/svc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: 'netmaker-ui'
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: 'netmaker-ui'
+  sessionAffinity: None
+  type: 'ClusterIP'

nextcloud/secret.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: nextcloud-secret

peertube/bucket.yaml

@@ -0,0 +1,10 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: peertube-bucket
+  namespace: peertube
+spec:
+  generateBucketName: peertube
+  storageClassName: weyma-s3-bucket
+  additionalConfig:
+    maxSize: "100Gi"

peertube/config.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: peertube-config
+data:
+  PEERTUBE_INSTANCE_NAME: "dubyatp peertube"
+  PEERTUBE_INSTANCE_DESCRIPTION: "duby's peertube instance"
+  POSTGRES_USER: peertube
+  POSTGRES_DB: peertube
+  PEERTUBE_DB_USERNAME: peertube
+  PEERTUBE_DB_HOSTNAME: pooler-weyma-rw.cloudnativepg.svc.cluster.local
+  PEERTUBE_DB_PORT: "5432"
+  PEERTUBE_WEBSERVER_HOSTNAME: "tube.dubyatp.xyz"
+  PEERTUBE_TRUST_PROXY: '["127.0.0.1", "loopback", "172.18.0.0/16"]'
+  PEERTUBE_SMTP_USERNAME: "peertube_dubyatp"
+  PEERTUBE_SMTP_HOSTNAME: "mail.smtp2go.com"
+  PEERTUBE_SMTP_PORT: "465"
+  PEERTUBE_SMTP_TLS: "true"
+  PEERTUBE_SMTP_FROM: "peertube@em924671.dubyatp.xyz"
+  PEERTUBE_ADMIN_EMAIL: "me@williamtpeebles.com"
+  #PEERTUBE_OBJECT_STORAGE_ENABLED: "true"
+  #PEERTUBE_OBJECT_STORAGE_ENDPOINT: "https://weyma-s3.infra.dubyatp.xyz"
+  #PEERTUBE_OBJECT_STORAGE_REGION: ""
+  #PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
+  #PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_PREFIX: "streaming/"
+  #PEERTUBE_OBJECT_STORAGE_WEB_VIDEOS_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
+  #PEERTUBE_OBJECT_STORAGE_WEB_VIDEOS_PREFIX: "videos/"
+  #PEERTUBE_OBJECT_STORAGE_USER_EXPORTS_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
+  #PEERTUBE_OBJECT_STORAGE_USER_EXPORTS_PREFIX: "exports/"
+  #PEERTUBE_OBJECT_STORAGE_ORIGINAL_VIDEO_FILES_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
+  #PEERTUBE_OBJECT_STORAGE_ORIGINAL_VIDEO_FILES_PREFIX: "original-videos/"
+  #PEERTUBE_OBJECT_STORAGE_CAPTIONS_BUCKET_NAME: "peertube-953221d2-7649-48b2-b79f-5a9e59daedbb"
+  #PEERTUBE_OBJECT_STORAGE_CAPTIONS_PREFIX: "captions/"
+  #PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC: "public-read"
+  #PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE: "private"

peertube/deployment.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: peertube
+  labels:
+    app: peertube
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: peertube
+  template:
+    metadata:
+      labels:
+        app: peertube
+    spec:
+      containers:
+        - name: peertube
+          image: chocobozzz/peertube:v7.2.3-bookworm
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
+              name: http
+            - containerPort: 443
+              name: https
+            - containerPort: 9000
+              name: peertube
+            - containerPort: 1935
+              name: rtmp
+          envFrom:
+            - secretRef:
+                name: peertube-secret
+            - secretRef:
+                name: peertube-bucket
+            - configMapRef:
+                name: peertube-config
+          env:
+            - name: PEERTUBE_REDIS_HOSTNAME
+              value: "localhost"
+            - name: PEERTUBE_REDIS_AUTH
+              value: ""
+          volumeMounts:
+            - name: peertube-data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: "0.5"
+              memory: 1Gi
+            limits:
+              cpu: "1"
+              memory: 2Gi
+        - name: redis
+          image: redis:8.2.1-alpine
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 6379
+              name: redis
+          resources:
+            requests:
+              cpu: "0.2"
+              memory: 256Mi
+            limits:
+              cpu: "0.5"
+              memory: 1Gi
+      volumes:
+        - name: peertube-data
+          persistentVolumeClaim:
+            claimName: peertube-data
+

peertube/ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: peertube
+  labels:
+    app.kubernetes.io/name: peertube
+spec:
+  rules:
+  - host: tube.dubyatp.xyz
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: peertube
+            port: 
+              number: 9000

peertube/pvc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: peertube-data
+spec:
+  accessModes: 
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 50Gi

peertube/secret.yaml

@@ -0,0 +1,42 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: peertube-secret
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: peertube
+      metadataPolicy: None
+      property: PEERTUBE_SECRET
+    secretKey: PEERTUBE_SECRET
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: peertube
+      metadataPolicy: None
+      property: PEERTUBE_DB_PASSWORD
+    secretKey: PEERTUBE_DB_PASSWORD
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: peertube
+      metadataPolicy: None
+      property: PEERTUBE_SMTP_PASSWORD
+    secretKey: PEERTUBE_SMTP_PASSWORD
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: peertube
+      metadataPolicy: None
+      property: POSTGRES_PASSWORD
+    secretKey: POSTGRES_PASSWORD
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: weyma-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: peertube-secret

peertube/service.yaml

@@ -0,0 +1,24 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: peertube
+spec:
+  selector:
+    app: peertube
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+      name: http
+    - protocol: TCP
+      port: 25
+      targetPort: 25
+      name: smtp
+    - protocol: TCP
+      port: 9000
+      targetPort: 9000
+      name: peertube
+    - protocol: TCP
+      name: rtmp
+      port: 1935
+      targetPort: 1935

peertube/valkey.yaml

@@ -0,0 +1,16 @@
+apiVersion: hyperspike.io/v1
+kind: Valkey
+metadata:
+  name: peertube-kv
+  labels:
+    app.kubernetes.io/instance: peertube
+spec:
+  anonymousAuth: true
+  certIssuerType: ClusterIssuer
+  clusterDomain: cluster.local
+  clusterPreferredEndpointType: ip
+  nodes: 1
+  prometheus: false
+  replicas: 3
+  tls: false
+  volumePermissions: true

renovate.json

@@ -1,3 +1,6 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "kubernetes": {
+    "managerFilePatterns": ["deployment.yaml", "statefulset.yaml", "cron.yaml", "cronjob.yaml"]
+  }
 }

renovate/renovate-config.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: renovate-config
+data:
+  config.json: |-
+    {
+      "repositories": [
+        "infrastructure/core-apps",
+        "infrastructure/db-operators",
+        "infrastructure/weyma-talos",
+        "williamp/dubyatp.xyz",
+        "williamp/yt-dlp-bot"
+      ]
+    }

renovate/renovate-cronjob.yaml

@@ -0,0 +1,54 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: renovate-bot
+spec:
+  schedule: '@hourly'
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - image: renovate/renovate:40.14.6
+              name: renovate-bot
+              env: # For illustration purposes, please use secrets.
+                - name: RENOVATE_PLATFORM
+                  value: 'gitea'
+                - name: RENOVATE_ENDPOINT
+                  value: 'https://git.dubyatp.xyz/api/v1'
+                - name: RENOVATE_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      key: gitea-pat
+                      name: renovate-gitea-token
+                - name: RENOVATE_GITHUB_COM_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      key: github-com-pat
+                      name: renovate-github-com-token
+                - name: RENOVATE_GIT_PRIVATE_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      key: ssh-key
+                      name: renovate-ssh-key
+                - name: RENOVATE_AUTODISCOVER
+                  value: 'false'
+                - name: RENOVATE_BASE_DIR
+                  value: '/tmp/renovate/'
+                - name: RENOVATE_CONFIG_FILE
+                  value: '/opt/renovate/config.json'
+                - name: LOG_LEVEL
+                  value: debug
+              volumeMounts:
+                - name: config-volume
+                  mountPath: /opt/renovate/
+                - name: work-volume
+                  mountPath: /tmp/renovate/
+          restartPolicy: Never
+          volumes:
+            - name: config-volume
+              configMap:
+                name: renovate-config
+            - name: work-volume
+              emptyDir: {}

renovate/renovate-gitea-token.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: renovate-gitea-token
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: weyma-vault
+    kind: ClusterSecretStore
+  target:
+    name: renovate-gitea-token
+    creationPolicy: Owner
+  data:
+    - secretKey: gitea-pat
+      remoteRef:
+        key: renovate
+        property: gitea-pat

renovate/renovate-github-token.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: renovate-github-com-token
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: weyma-vault
+    kind: ClusterSecretStore
+  target:
+    name: renovate-github-com-token
+    creationPolicy: Owner
+  data:
+    - secretKey: github-com-pat
+      remoteRef:
+        key: renovate
+        property: github-com-pat

renovate/renovate-ssh-key.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: renovate-ssh-key
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: weyma-vault
+    kind: ClusterSecretStore
+  target:
+    name: renovate-ssh-key
+    creationPolicy: Owner
+  data:
+    - secretKey: ssh-key
+      remoteRef:
+        key: renovate
+        property: ssh-key

vaultwarden/configmap.yaml

@@ -6,10 +6,10 @@ data:
   DATA_FOLDER: config
   DOMAIN: https://vaultwarden.dubyatp.xyz
   SIGNUPS_ALLOWED: "false"
-  SMTP_FROM: bitwarden@em3532.williamtpeebles.com
+  SMTP_FROM: vaultwarden@em924671.dubyatp.xyz
   SMTP_FROM_NAME: Vaultwarden
-  SMTP_HOST: smtp.sendgrid.net
-  SMTP_PORT: "587"
-  SMTP_SECURITY: starttls
+  SMTP_HOST: mail.smtp2go.com
+  SMTP_PORT: "2525"
+  SMTP_SECURITY: "off"
   SMTP_TIMEOUT: "15"
-  SMTP_USERNAME: apikey
+  SMTP_USERNAME: vaultwarden_dubyatp

vaultwarden/secret.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: vaultwarden-secrets
@@ -19,7 +19,11 @@ spec:
       remoteRef:
         key: vaultwarden
         property: hibp_api_key
-    - secretKey: SMTP_PASSWORD
+    - secretKey: SMTP_PASSWORD_OLD
       remoteRef:
         key: vaultwarden
         property: smtp_password
+    - secretKey: SMTP_PASSWORD
+      remoteRef:
+        key: vaultwarden
+        property: smtp_password_smtp2go

yt-dlp-bot/deployment.yaml

@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: yt-dlp-bot
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: yt-dlp-bot
+  template:
+    metadata:
+      labels:
+        app: yt-dlp-bot
+    spec:
+      containers:
+        - name: yt-dlp-bot
+          image: 'git.dubyatp.xyz/williamp/yt-dlp-bot:1ef217f'
+          env:
+            - name: OUT_PATH
+              value: /data/youtube-vids
+            - name: TEMP_PATH
+              value: /tmp/ytdlp-temp
+          envFrom:
+            - secretRef:
+                name: yt-dlp-discord-token
+          volumeMounts:
+            - name: youtube-vids
+              mountPath: /data/youtube-vids
+            - name: temp
+              mountPath: /tmp/ytdlp-temp
+          resources:
+            limits:
+              memory: "3Gi"
+              cpu: "1"
+      volumes:
+        - name: youtube-vids
+          nfs:
+            server: 10.105.15.20
+            path: /mnt/hdd-pool/youtube-vids
+        - name: temp
+          emptyDir:
+            medium: Memory
+  strategy:
+    type: Recreate

yt-dlp-bot/secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: yt-dlp-discord-token
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      key: yt-dlp-bot
+      metadataPolicy: None
+      property: DISCORD_TOKEN
+    secretKey: DISCORD_TOKEN
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: weyma-vault
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: yt-dlp-discord-token

zap2xml/bucket.yaml

@@ -0,0 +1,10 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: zap2xml-bucket
+  namespace: zap2xml
+spec:
+  generateBucketName: zap2xml
+  storageClassName: weyma-s3-bucket
+  additionalConfig:
+    maxSize: "1Gi"

zap2xml/config.yaml

@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: zap2xml-s3config
+data:
+  .s3cfg: |
+   [default]
+   access_key =
+   access_token = 
+   add_encoding_exts = 
+   add_headers = 
+   bucket_location = US
+   ca_certs_file = 
+   cache_file = 
+   check_ssl_certificate = True
+   check_ssl_hostname = True
+   cloudfront_host = cloudfront.amazonaws.com
+   connection_max_age = 5
+   connection_pooling = True
+   content_disposition = 
+   content_type = 
+   default_mime_type = binary/octet-stream
+   delay_updates = False
+   delete_after = False
+   delete_after_fetch = False
+   delete_removed = False
+   dry_run = False
+   enable_multipart = True
+   encoding = UTF-8
+   encrypt = False
+   expiry_date = 
+   expiry_days = 
+   expiry_prefix = 
+   follow_symlinks = False
+   force = False
+   get_continue = False
+   gpg_command = /usr/bin/gpg
+   gpg_decrypt = %(gpg_command)s -d --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
+   gpg_encrypt = %(gpg_command)s -c --verbose --no-use-agent --batch --yes --passphrase-fd %(passphrase_fd)s -o %(output_file)s %(input_file)s
+   gpg_passphrase = 
+   guess_mime_type = True
+   host_base = https://weyma-s3.infra.dubyatp.xyz
+   host_bucket =
+   human_readable_sizes = False
+   invalidate_default_index_on_cf = False
+   invalidate_default_index_root_on_cf = True
+   invalidate_on_cf = False
+   keep_dirs = False
+   kms_key = 
+   limit = -1
+   limitrate = 0
+   list_allow_unordered = False
+   list_md5 = False
+   log_target_prefix = 
+   long_listing = False
+   max_delete = -1
+   max_retries = 5
+   mime_type = 
+   multipart_chunk_size_mb = 15
+   multipart_copy_chunk_size_mb = 1024
+   multipart_max_chunks = 10000
+   preserve_attrs = True
+   progress_meter = True
+   proxy_host = 
+   proxy_port = 0
+   public_url_use_https = False
+   put_continue = False
+   recursive = False
+   recv_chunk = 65536
+   reduced_redundancy = False
+   requester_pays = False
+   restore_days = 1
+   restore_priority = Standard
+   secret_key =
+   send_chunk = 65536
+   server_side_encryption = False
+   signature_v2 = False
+   signurl_use_https = False
+   simpledb_host = sdb.amazonaws.com
+   skip_destination_validation = False
+   skip_existing = False
+   socket_timeout = 300
+   ssl_client_cert_file = 
+   ssl_client_key_file = 
+   stats = False
+   stop_on_error = False
+   storage_class = 
+   throttle_max = 100
+   upload_id = 
+   urlencoding_mode = normal
+   use_http_expect = False
+   use_https = True
+   use_mime_magic = True
+   verbosity = WARNING
+   website_endpoint = http://%(bucket)s.s3-website-%(location)s.amazonaws.com/
+   website_error = 
+   website_index = index.html
+   

zap2xml/cron.yaml

@@ -0,0 +1,87 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: zap2xml-dtv-02191
+spec:
+  schedule: "0 */12 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: zap2xml
+            image: git.dubyatp.xyz/williamp/kube-zap2xml:c075fec
+            envFrom:
+              - secretRef:
+                 name: zap2xml-bucket
+            env:
+              - name: LINEUP_ID
+                value: USA-DITV506-X
+              - name: POSTAL_CODE
+                value: "02191"
+              - name: TIMESPAN
+                value: "120"
+              - name: OUTPUT_FILE
+                value: /tmp/xmltv.xml
+              - name: PUBLIC_FILENAME
+                value: xmltv-directv-02191.xml
+              - name: S3_URL
+                value: s3://zap2xml-c134c9a7-a7a0-4113-997e-78e72ec3f576
+            volumeMounts:
+              - name: s3-config
+                mountPath: /root
+              - name: temp
+                mountPath: /tmp
+          restartPolicy: Never
+          volumes:
+            - name: s3-config
+              configMap:
+                name: zap2xml-s3config
+            - name: temp
+              emptyDir:
+               sizeLimit: 1Gi
+               medium: Memory
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: zap2xml-ota-02191
+spec:
+  schedule: "30 */12 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: zap2xml
+            image: git.dubyatp.xyz/williamp/kube-zap2xml:c075fec
+            envFrom:
+              - secretRef:
+                 name: zap2xml-bucket
+            env:
+              - name: LINEUP_ID
+                value: USA-OTA02191
+              - name: POSTAL_CODE
+                value: "02191"
+              - name: TIMESPAN
+                value: "120"
+              - name: OUTPUT_FILE
+                value: /tmp/xmltv.xml
+              - name: PUBLIC_FILENAME
+                value: xmltv-ota-02191.xml
+              - name: S3_URL
+                value: s3://zap2xml-c134c9a7-a7a0-4113-997e-78e72ec3f576
+            volumeMounts:
+              - name: s3-config
+                mountPath: /root
+              - name: temp
+                mountPath: /tmp
+          restartPolicy: Never
+          volumes:
+            - name: s3-config
+              configMap:
+                name: zap2xml-s3config
+            - name: temp
+              emptyDir:
+               sizeLimit: 1Gi
+               medium: Memory