Merge pull request 'chore(deps): update all-minor-patch-updates' (#296 ) from renovate/all-minor-patch-updates into main

Reviewed-on: #296
chore(deps): update all-minor-patch-updates
2026-04-17 18:42:13 +00:00 · 2026-04-17 15:00:31 +00:00 · 2026-04-15 10:53:59 -04:00 · 2026-04-15 10:52:17 -04:00 · 2026-04-15 14:40:42 +00:00 · 2026-04-15 14:40:29 +00:00
19 changed files with 191 additions and 26 deletions
@@ -0,0 +1,37 @@
+# Main Infrastructure: weyma-talos
+
+**Production Kubernetes infrastructure with disaster recovery capabilities**
+
+This repository contains the foundational infrastructure for my Kubernetes homelab, designed with reliability and rapid recovery as core principles.
+
+## Architecture
+
+My infrastructure follows a layered "black start" approach - essential services run outside the Kubernetes cluster to enable cluster bootstrapping and recovery from total failures.
+
+### Black Start Layer
+Static services (Docker Compose on TrueNAS/Proxmox) that provide cluster dependencies:
+- Image cache for faster deployments and offline capability
+- Talos discovery server for node bootstrapping  
+- HashiCorp Vault for secrets management (external to cluster)
+- Future: Self-hosted Sidero Omni server (migrating from SaaS)
+
+### System Apps Layer
+Applications running within Kubernetes that provide core cluster functionality, managed via ArgoCD with GitOps principles.
+
+## Repository Structure
+
+- **`black-start/`** - Docker Compose services for cluster dependencies
+- **`config-patches/`** - Talos Linux configuration patches for cluster and individual machines
+- **`omni/`** - Sidero Omni [cluster template](https://docs.siderolabs.com/omni/reference/cluster-templates)
+- **`system-apps/`** - System applications (ArgoCD projects) - monitoring, ingress, certificates, storage
+
+## Tech Stack
+
+**OS:** Talos Linux | **Orchestration:** Kubernetes | **GitOps:** ArgoCD | **Secrets:** Vault | **Storage:** Rook-Ceph
+
+## Recovery Process
+
+The "black start" architecture enables ~15-20 minute automated recovery from complete infrastructure failure:
+1. Start black-start services → 2. Bootstrap Talos → 3. Deploy system apps → 4. Deploy core apps
+
+For application deployments, see [core-apps](https://git.dubyatp.xyz/core-apps).
@@ -2,7 +2,7 @@ version: "3.8"
 services:
  discovery:
    restart: unless-stopped
-    image: ghcr.io/siderolabs/discovery-service:v1.0.13
+    image: ghcr.io/siderolabs/discovery-service:v1.0.17
    ports:
      - 10.105.6.215:3000:3000
      - 10.105.6.215:3001:3001
@@ -5,7 +5,7 @@ services:
    command: tunnel run weyma-vault
    env_file: ".env"
  vault:
-    image: hashicorp/vault:1.21
+    image: hashicorp/vault:2.0
    env_file: ".env.vault"
    environment:
      VAULT_ADDR: "https://weyma-vault.infra.dubyatp.xyz:8200"
@@ -52,6 +52,7 @@ patches:
            bind-address: 0.0.0.0
        proxy:
          extraArgs:
+            proxy-mode: ipvs
            metrics-bind-address: 0.0.0.0:10249
        scheduler:
          extraArgs:
@@ -287,6 +288,45 @@ patches:
                selector:
                  k8s-app: metrics-server
            name: metrics-lb
+          - contents: |-
+              apiVersion: v1
+              data:
+                  Corefile: |
+                      .:53 {
+                          errors
+                          health {
+                              lameduck 5s
+                          }
+                          ready
+                          log . {
+                              class error
+                          }
+                          prometheus :9153
+
+                          kubernetes cluster.local in-addr.arpa ip6.arpa {
+                              pods insecure
+                              fallthrough in-addr.arpa ip6.arpa
+                              ttl 30
+                          }
+
+                          rewrite name git.dubyatp.xyz traefik-local.traefik.svc.cluster.local
+                          
+                          forward . /etc/resolv.conf {
+                            max_concurrent 1000
+                          }
+                          cache 30 {
+                            disable success cluster.local
+                            disable denial cluster.local
+                          }
+                          loop
+                          reload
+                          loadbalance
+                      }
+              kind: ConfigMap
+              metadata:
+                  name: coredns
+                  namespace: kube-system
+            name: coredns-config
 ---
 kind: ControlPlane
 machines:
@@ -15,10 +15,9 @@
  ],
  "packageRules": [
    {
-      "description": "Automerge patch updates",
-      "matchUpdateTypes": ["patch"],
-      "matchCurrentVersion": "!/^0/",
-      "automerge": true
+      "description": "Consolidate patch and minor updates to one PR",
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "all-minor-patch-updates"
    },
    {
      "description": "Rook Ceph - auto-update minor and patch versions only",
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: argo-cd
-  version: 9.3.5
+  version: 9.5.2
  repository: https://argoproj.github.io/argo-helm
@@ -128,18 +128,34 @@ argo-cd:
          remoteRef:
            key: argo-cd
            property: webhook.gitea.secret
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: admin.password
          remoteRef:
            key: argo-cd
            property: admin.password
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: admin.passwordMtime
          remoteRef:
            key: argo-cd
            property: admin.passwordMtime
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: dex.authentik.clientSecret
          remoteRef:
            key: argo-cd
            property: dex.authentik.clientSecret
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
@@ -160,14 +176,26 @@ argo-cd:
          remoteRef:
            key: argo-cd-git
            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: type
          remoteRef:
            key: argo-cd-git
            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: url
          remoteRef:
            key: argo-cd-git
            property: url.core-apps
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
@@ -188,14 +216,26 @@ argo-cd:
          remoteRef:
            key: argo-cd-git
            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: type
          remoteRef:
            key: argo-cd-git
            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: url
          remoteRef:
            key: argo-cd-git
            property: url.weyma-talos
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
@@ -216,14 +256,26 @@ argo-cd:
          remoteRef:
            key: argo-cd-git
            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: type
          remoteRef:
            key: argo-cd-git
            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: url
          remoteRef:
            key: argo-cd-git
            property: url.williamp-sites
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
@@ -244,11 +296,23 @@ argo-cd:
          remoteRef:
            key: argo-cd-git
            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: type
          remoteRef:
            key: argo-cd-git
            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
        - secretKey: url
          remoteRef:
            key: argo-cd-git
            property: url.db-operators
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: cert-manager
-  version: v1.19.2
+  version: v1.20.2
  repository: https://charts.jetstack.io
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: external-secrets
-  version: 1.2.1
+  version: 2.3.0
  repository: https://charts.external-secrets.io
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: kite
-  version: 0.7.7
+  version: 0.9.0
  repository: https://zxh326.github.io/kite
@@ -1,5 +1,7 @@
 kite:
  host: "https://weyma-kite.infra.dubyatp.xyz"
+  deploymentStrategy:
+    type: Recreate
  secret:
    create: false
    existingSecret: kite-secret
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: kubernetes-replicator
-  version: 2.12.2
+  version: 2.12.3
  repository: https://helm.mittwald.de
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: kube-prometheus-stack
-  version: 81.2.1
+  version: 83.6.0
  repository: https://prometheus-community.github.io/helm-charts
@@ -17,5 +17,6 @@ spec:
      conversionStrategy: Default
      decodingStrategy: None
      metadataPolicy: None
+      nullBytePolicy: Ignore
      key: monitoring
      property: discord_webhook
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: rook-ceph
-  version: v1.19.0
+  version: v1.19.4
  repository: https://charts.rook.io/release
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: traefik
-  version: 38.0.2
+  version: 39.0.8
  repository: https://traefik.github.io/charts
@@ -4,6 +4,7 @@ traefik:
    - --entryPoints.websecure.transport.respondingTimeouts.readTimeout=0
  ports:
    web:
+      http:
        redirections:
          entryPoint:
            to: websecure
@@ -14,8 +15,6 @@ traefik:
      exposedPort: 22
      expose:
        default: true
-      tls:
-        passthrough: true
  metrics:
    prometheus:
      service:
@@ -38,7 +37,7 @@ traefik:
    kind: DaemonSet
    additionalContainers:
    - name: cloudflared
-      image: cloudflare/cloudflared:2026.1.1
+      image: cloudflare/cloudflared:2026.3.0
      command:
        - cloudflared
        - tunnel
@@ -130,3 +129,26 @@ traefik:
    data:
      tls.crt: ""
      tls.key: ""
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: traefik-local
+    spec:
+      sessionAffinity: ClientIP
+      sessionAffinityConfig:
+        clientIP:
+          timeoutSeconds: 3600
+      selector:
+        app.kubernetes.io/name: traefik
+        app.kubernetes.io/instance: traefik-traefik
+      ports:
+      - name: gitssh
+        port: 22
+        targetPort: gitssh
+      - name: web
+        port: 80
+        targetPort: web
+      - name: websecure
+        port: 443
+        targetPort: websecure
+      type: ClusterIP
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: velero
-  version: 11.3.2
+  version: 12.0.0
  repository: https://vmware-tanzu.github.io/helm-charts
@@ -59,7 +59,7 @@ velero:
        insecureSkipTLSVerify: "true"
  initContainers:
  - name: velero-plugin-for-aws
-    image: velero/velero-plugin-for-aws:v1.13.2
+    image: velero/velero-plugin-for-aws:v1.14.0
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: /target