chore(deps): update all-minor-patch-updates

Merge pull request 'chore(deps): update all-minor-patch-updates' (#296 ) from renovate/all-minor-patch-updates into main
Reviewed-on: #296
2026-04-21 20:00:57 +00:00 · 2026-04-17 18:42:13 +00:00 · 2026-04-17 15:00:31 +00:00 · 2026-04-15 10:53:59 -04:00 · 2026-04-15 10:52:17 -04:00 · 2026-04-15 14:40:42 +00:00
20 changed files with 192 additions and 39 deletions
@@ -0,0 +1,37 @@
+# Main Infrastructure: weyma-talos
+
+**Production Kubernetes infrastructure with disaster recovery capabilities**
+
+This repository contains the foundational infrastructure for my Kubernetes homelab, designed with reliability and rapid recovery as core principles.
+
+## Architecture
+
+My infrastructure follows a layered "black start" approach - essential services run outside the Kubernetes cluster to enable cluster bootstrapping and recovery from total failures.
+
+### Black Start Layer
+Static services (Docker Compose on TrueNAS/Proxmox) that provide cluster dependencies:
+- Image cache for faster deployments and offline capability
+- Talos discovery server for node bootstrapping  
+- HashiCorp Vault for secrets management (external to cluster)
+- Future: Self-hosted Sidero Omni server (migrating from SaaS)
+
+### System Apps Layer
+Applications running within Kubernetes that provide core cluster functionality, managed via ArgoCD with GitOps principles.
+
+## Repository Structure
+
+- **`black-start/`** - Docker Compose services for cluster dependencies
+- **`config-patches/`** - Talos Linux configuration patches for cluster and individual machines
+- **`omni/`** - Sidero Omni [cluster template](https://docs.siderolabs.com/omni/reference/cluster-templates)
+- **`system-apps/`** - System applications (ArgoCD projects) - monitoring, ingress, certificates, storage
+
+## Tech Stack
+
+**OS:** Talos Linux | **Orchestration:** Kubernetes | **GitOps:** ArgoCD | **Secrets:** Vault | **Storage:** Rook-Ceph
+
+## Recovery Process
+
+The "black start" architecture enables ~15-20 minute automated recovery from complete infrastructure failure:
+1. Start black-start services → 2. Bootstrap Talos → 3. Deploy system apps → 4. Deploy core apps
+
+For application deployments, see [core-apps](https://git.dubyatp.xyz/core-apps).
@@ -2,7 +2,7 @@ version: "3.8"
 services:
  discovery:
    restart: unless-stopped
-    image: ghcr.io/siderolabs/discovery-service:v1.0.13
+    image: ghcr.io/siderolabs/discovery-service:v1.0.17
    ports:
      - 10.105.6.215:3000:3000
      - 10.105.6.215:3001:3001
@@ -5,7 +5,7 @@ services:
    command: tunnel run weyma-vault
    env_file: ".env"
  vault:
-    image: hashicorp/vault:1.21
+    image: hashicorp/vault:2.0
    env_file: ".env.vault"
    environment:
      VAULT_ADDR: "https://weyma-vault.infra.dubyatp.xyz:8200"
@@ -52,6 +52,7 @@ patches:
            bind-address: 0.0.0.0
        proxy:
          extraArgs:
+            proxy-mode: ipvs
            metrics-bind-address: 0.0.0.0:10249
        scheduler:
          extraArgs:
@@ -287,6 +288,45 @@ patches:
                selector:
                  k8s-app: metrics-server
            name: metrics-lb
+          - contents: |-
+              apiVersion: v1
+              data:
+                  Corefile: |
+                      .:53 {
+                          errors
+                          health {
+                              lameduck 5s
+                          }
+                          ready
+                          log . {
+                              class error
+                          }
+                          prometheus :9153
+
+                          kubernetes cluster.local in-addr.arpa ip6.arpa {
+                              pods insecure
+                              fallthrough in-addr.arpa ip6.arpa
+                              ttl 30
+                          }
+
+                          rewrite name git.dubyatp.xyz traefik-local.traefik.svc.cluster.local
+                          
+                          forward . /etc/resolv.conf {
+                            max_concurrent 1000
+                          }
+                          cache 30 {
+                            disable success cluster.local
+                            disable denial cluster.local
+                          }
+                          loop
+                          reload
+                          loadbalance
+                      }
+              kind: ConfigMap
+              metadata:
+                  name: coredns
+                  namespace: kube-system
+            name: coredns-config
 ---
 kind: ControlPlane
 machines:
@@ -15,10 +15,9 @@
  ],
  "packageRules": [
    {
-      "description": "Automerge patch updates",
-      "matchUpdateTypes": ["patch"],
-      "matchCurrentVersion": "!/^0/",
-      "automerge": true
+      "description": "Consolidate patch and minor updates to one PR",
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "all-minor-patch-updates"
    },
    {
      "description": "Rook Ceph - auto-update minor and patch versions only",
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: argo-cd
-  version: 9.2.4
+  version: 9.5.3
  repository: https://argoproj.github.io/argo-helm
@@ -56,18 +56,6 @@ argo-cd:
               Argo CD has not reported any applications data for the past 15 minutes which
               means that it must be down or not functioning properly.  This needs to be
               resolved for this cloud to continue to maintain state.
-         - alert: ArgoAppNotSynced
-           expr: |
-             argocd_app_info{sync_status!="Synced"} == 1
-           for: 12h
-           labels:
-             severity: warning
-           annotations:
-             summary: '{{ $labels.name }} Application not synchronized'
-             description: >
-               The application {{ $labels.name }} has not been synchronized for over
-               12 hours which means that the state of this cloud has drifted away from the
-               state inside Git.
  server:
    ingress:
      enabled: true
@@ -140,18 +128,34 @@ argo-cd:
          remoteRef:
            key: argo-cd
            property: webhook.gitea.secret
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: admin.password
          remoteRef:
            key: argo-cd
            property: admin.password
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: admin.passwordMtime
          remoteRef:
            key: argo-cd
            property: admin.passwordMtime
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: dex.authentik.clientSecret
          remoteRef:
            key: argo-cd
            property: dex.authentik.clientSecret
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
@@ -172,14 +176,26 @@ argo-cd:
          remoteRef:
            key: argo-cd-git
            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: type
          remoteRef:
            key: argo-cd-git
            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: url
          remoteRef:
            key: argo-cd-git
            property: url.core-apps
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
@@ -200,14 +216,26 @@ argo-cd:
          remoteRef:
            key: argo-cd-git
            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: type
          remoteRef:
            key: argo-cd-git
            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: url
          remoteRef:
            key: argo-cd-git
            property: url.weyma-talos
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
@@ -228,14 +256,26 @@ argo-cd:
          remoteRef:
            key: argo-cd-git
            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: type
          remoteRef:
            key: argo-cd-git
            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: url
          remoteRef:
            key: argo-cd-git
            property: url.williamp-sites
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
@@ -256,11 +296,23 @@ argo-cd:
          remoteRef:
            key: argo-cd-git
            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: type
          remoteRef:
            key: argo-cd-git
            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: url
          remoteRef:
            key: argo-cd-git
            property: url.db-operators
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: cert-manager
-  version: v1.19.2
+  version: v1.20.2
  repository: https://charts.jetstack.io
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: external-secrets
-  version: 1.2.1
+  version: 2.3.0
  repository: https://charts.external-secrets.io
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: kite
-  version: 0.7.7
+  version: 0.9.0
  repository: https://zxh326.github.io/kite
@@ -1,5 +1,7 @@
 kite:
  host: "https://weyma-kite.infra.dubyatp.xyz"
+  deploymentStrategy:
+    type: Recreate
  secret:
    create: false
    existingSecret: kite-secret
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: kubernetes-replicator
-  version: 2.12.2
+  version: 2.12.3
  repository: https://helm.mittwald.de
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: kube-prometheus-stack
-  version: 80.10.0
+  version: 83.7.0
  repository: https://prometheus-community.github.io/helm-charts
@@ -17,5 +17,6 @@ spec:
      conversionStrategy: Default
      decodingStrategy: None
      metadataPolicy: None
+      nullBytePolicy: Ignore
      key: monitoring
      property: discord_webhook
@@ -21,7 +21,7 @@ spec:
    # versions running within the cluster. See tags available at https://hub.docker.com/r/ceph/ceph/tags/.
    # If you want to be more precise, you can always use a timestamp tag such as quay.io/ceph/ceph:v19.2.1-20250202
    # This tag might not contain a new Ceph version, just security fixes from the underlying operating system, which will reduce vulnerabilities
-    image: quay.io/ceph/ceph:v19.2.3-20250717
+    image: quay.io/ceph/ceph:v20.2.0-20251104
    # Whether to allow unsupported versions of Ceph. Currently Reef and Squid are supported.
    # Future versions such as Tentacle (v20) would require this to be set to `true`.
    # Do not set to true in production.
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: rook-ceph
-  version: v1.18.8
+  version: v1.19.4
  repository: https://charts.rook.io/release
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: traefik
-  version: 38.0.1
+  version: 39.0.8
  repository: https://traefik.github.io/charts
@@ -4,6 +4,7 @@ traefik:
    - --entryPoints.websecure.transport.respondingTimeouts.readTimeout=0
  ports:
    web:
+      http:
        redirections:
          entryPoint:
            to: websecure
@@ -14,8 +15,6 @@ traefik:
      exposedPort: 22
      expose:
        default: true
-      tls:
-        passthrough: true
  metrics:
    prometheus:
      service:
@@ -38,7 +37,7 @@ traefik:
    kind: DaemonSet
    additionalContainers:
    - name: cloudflared
-      image: cloudflare/cloudflared:2025.11.1
+      image: cloudflare/cloudflared:2026.3.0
      command:
        - cloudflared
        - tunnel
@@ -130,3 +129,26 @@ traefik:
    data:
      tls.crt: ""
      tls.key: ""
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: traefik-local
+    spec:
+      sessionAffinity: ClientIP
+      sessionAffinityConfig:
+        clientIP:
+          timeoutSeconds: 3600
+      selector:
+        app.kubernetes.io/name: traefik
+        app.kubernetes.io/instance: traefik-traefik
+      ports:
+      - name: gitssh
+        port: 22
+        targetPort: gitssh
+      - name: web
+        port: 80
+        targetPort: web
+      - name: websecure
+        port: 443
+        targetPort: websecure
+      type: ClusterIP
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: velero
-  version: 11.3.1
+  version: 12.0.0
  repository: https://vmware-tanzu.github.io/helm-charts
@@ -59,7 +59,7 @@ velero:
        insecureSkipTLSVerify: "true"
  initContainers:
  - name: velero-plugin-for-aws
-    image: velero/velero-plugin-for-aws:v1.13.1
+    image: velero/velero-plugin-for-aws:v1.14.0
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: /target