chore(deps): update helm release argo-cd to v9.4.7

Reviewed-on: #252

README.md

@@ -0,0 +1,37 @@
+# Main Infrastructure: weyma-talos
+
+**Production Kubernetes infrastructure with disaster recovery capabilities**
+
+This repository contains the foundational infrastructure for my Kubernetes homelab, designed with reliability and rapid recovery as core principles.
+
+## Architecture
+
+My infrastructure follows a layered "black start" approach - essential services run outside the Kubernetes cluster to enable cluster bootstrapping and recovery from total failures.
+
+### Black Start Layer
+Static services (Docker Compose on TrueNAS/Proxmox) that provide cluster dependencies:
+- Image cache for faster deployments and offline capability
+- Talos discovery server for node bootstrapping  
+- HashiCorp Vault for secrets management (external to cluster)
+- Future: Self-hosted Sidero Omni server (migrating from SaaS)
+
+### System Apps Layer
+Applications running within Kubernetes that provide core cluster functionality, managed via ArgoCD with GitOps principles.
+
+## Repository Structure
+
+- **`black-start/`** - Docker Compose services for cluster dependencies
+- **`config-patches/`** - Talos Linux configuration patches for cluster and individual machines
+- **`omni/`** - Sidero Omni [cluster template](https://docs.siderolabs.com/omni/reference/cluster-templates)
+- **`system-apps/`** - System applications (ArgoCD projects) - monitoring, ingress, certificates, storage
+
+## Tech Stack
+
+**OS:** Talos Linux | **Orchestration:** Kubernetes | **GitOps:** ArgoCD | **Secrets:** Vault | **Storage:** Rook-Ceph
+
+## Recovery Process
+
+The "black start" architecture enables ~15-20 minute automated recovery from complete infrastructure failure:
+1. Start black-start services → 2. Bootstrap Talos → 3. Deploy system apps → 4. Deploy core apps
+
+For application deployments, see [core-apps](https://git.dubyatp.xyz/core-apps).

black-start/services/talos-discovery/docker-compose.yaml

@@ -2,7 +2,7 @@ version: "3.8"
 services:
   discovery:
     restart: unless-stopped
-    image: ghcr.io/siderolabs/discovery-service:v1.0.13
+    image: ghcr.io/siderolabs/discovery-service:v1.0.15
     ports:
       - 10.105.6.215:3000:3000
       - 10.105.6.215:3001:3001

omni/controlplane.yaml

@@ -1,5 +0,0 @@
-kind: ControlPlane
-machines:
-  - 20b4c826-e699-43b3-826d-73eb5173680b
-  - 30303031-3030-3030-6335-303731636665
-  - 5fdea709-56ad-45f2-966d-5e344dbe4fdf

omni/machine/weyma-talos-cp01.yaml

@@ -1,16 +0,0 @@
-kind: Machine
-systemExtensions:
-  - siderolabs/nut-client
-  - siderolabs/qemu-guest-agent
-name: 5fdea709-56ad-45f2-966d-5e344dbe4fdf
-patches:
-  - idOverride: 400-cm-5fdea709-56ad-45f2-966d-5e344dbe4fdf
-    inline:
-      machine:
-        network:
-          hostname: weyma-talos-cp01
-          interfaces:
-            - deviceSelector:
-                driver: virtio*
-                hardwareAddr: bc:24:11:e6:ff:7b
-              dhcp: true

omni/machine/weyma-talos-cp02.yaml

@@ -1,13 +0,0 @@
-kind: Machine
-name: 20b4c826-e699-43b3-826d-73eb5173680b
-patches:
-  - idOverride: 400-cm-20b4c826-e699-43b3-826d-73eb5173680b
-    inline:
-      machine:
-        network:
-          hostname: weyma-talos-cp02
-          interfaces:
-            - deviceSelector:
-                driver: virtio*
-                hardwareAddr: 00:16:3e:9c:01:27
-              dhcp: true

omni/machine/weyma-talos-cp04.yaml

@@ -1,14 +0,0 @@
-kind: Machine
-systemExtensions:
-  - siderolabs/nut-client
-name: 30303031-3030-3030-6335-303731636665
-patches:
-  - idOverride: 400-cm-30303031-3030-3030-6335-303731636665
-    inline:
-      machine:
-        network:
-          hostname: weyma-talos-cp04
-          interfaces:
-            - deviceSelector:
-                hardwareAddr: dc:a6:32:95:0f:cb
-              dhcp: true

omni/machine/weyma-talos-testw01.yaml

@@ -1,30 +0,0 @@
-kind: Machine
-systemExtensions:
-  - siderolabs/i915
-  - siderolabs/nut-client
-name: 03000200-0400-0500-0006-000700080009
-install:
-  disk: /dev/sda
-patches:
-  - idOverride: 400-cm-03000200-0400-0500-0006-000700080009
-    inline:
-      machine:
-        network:
-          hostname: weyma-talos-testw01
-          interfaces:
-            - deviceSelector:
-                driver: igc
-                hardwareAddr: e8:ff:1e:d5:f8:22
-              dhcp: true
-              vlans:
-                - dhcp: false
-                  vlanId: 50
-            - deviceSelector:
-                hardwareAddr: e8:ff:1e:d5:f8:21
-              dhcp: true
-              mtu: 9000
-            - bridge:
-                interfaces:
-                  - enp2s0.50
-              dhcp: false
-              interface: br0

omni/machine/weyma-talos-testw04.yaml

@@ -1,25 +0,0 @@
-kind: Machine
-name: 1006b91a-ecbf-11ea-aed4-046ba1ee3700
-patches:
-  - idOverride: 400-cm-1006b91a-ecbf-11ea-aed4-046ba1ee3700
-    inline:
-      machine:
-        network:
-          hostname: weyma-talos-testw04
-          interfaces:
-            - deviceSelector:
-                driver: mlx4_core
-                hardwareAddr: f4:52:14:60:5e:30
-              dhcp: true
-              vlans:
-                - dhcp: false
-                  vlanId: 50
-            - deviceSelector:
-                hardwareAddr: f4:52:14:60:5e:31
-              dhcp: true
-              mtu: 9000
-            - bridge:
-                interfaces:
-                  - eno1.50
-              dhcp: false
-              interface: br0

omni/machine/weyma-talos-testw05.yaml

@@ -1,24 +0,0 @@
-kind: Machine
-name: 5f0cd701-0784-4fcc-8e52-3b3304049972
-patches:
-  - idOverride: 400-cm-5f0cd701-0784-4fcc-8e52-3b3304049972
-    inline:
-      machine:
-        network:
-          hostname: weyma-talos-testw05
-          interfaces:
-            - deviceSelector:
-                hardwareAddr: 00:16:3e:b3:dd:f8
-              dhcp: true
-            - deviceSelector:
-                hardwareAddr: 00:16:3e:e5:79:0a
-              dhcp: true
-              mtu: 9000
-            - deviceSelector:
-                hardwareAddr: 00:16:3e:6b:1c:1d
-              dhcp: false
-            - bridge:
-                interfaces:
-                  - enx00163e6b1c1d
-              dhcp: false
-              interface: br0

omni/machine/weyma-talos-w02.yaml

@@ -1,25 +0,0 @@
-kind: Machine
-name: 02c02200-f403-11ef-9372-70f446672600
-patches:
-  - idOverride: 400-cm-02c02200-f403-11ef-9372-70f446672600
-    inline:
-      machine:
-        network:
-          hostname: weyma-talos-w02
-          interfaces:
-            - deviceSelector:
-                driver: igc
-                hardwareAddr: e8:ff:1e:d4:b8:89
-              dhcp: true
-              vlans:
-                - dhcp: false
-                  vlanId: 50
-            - deviceSelector:
-                hardwareAddr: e8:ff:1e:d4:b8:8a
-              dhcp: true
-              mtu: 9000
-            - bridge:
-                interfaces:
-                  - enp1s0.50
-              dhcp: false
-              interface: br0

omni/machine/weyma-talos-w03.yaml

@@ -1,27 +0,0 @@
-kind: Machine
-name: da507021-8912-4337-86a3-94a05bd1cf05
-patches:
-  - idOverride: 400-cm-da507021-8912-4337-86a3-94a05bd1cf05
-    inline:
-      machine:
-        network:
-          hostname: weyma-talos-w03
-          interfaces:
-            - deviceSelector:
-                driver: virtio*
-                hardwareAddr: bc:24:11:be:6c:08
-              dhcp: true
-            - deviceSelector:
-                driver: virtio*
-                hardwareAddr: bc:24:11:f8:4a:92
-              dhcp: true
-              mtu: 8996
-            - deviceSelector:
-                driver: virtio*
-                hardwareAddr: bc:24:11:93:02:0e
-              dhcp: false
-            - bridge:
-                interfaces:
-                  - enxbc241193020e
-              dhcp: false
-              interface: br0

omni/weyma-talos.yaml

@@ -52,6 +52,7 @@ patches:
             bind-address: 0.0.0.0
         proxy:
           extraArgs:
+            proxy-mode: ipvs
             metrics-bind-address: 0.0.0.0:10249
         scheduler:
           extraArgs:
@@ -287,3 +288,245 @@ patches:
                 selector:
                   k8s-app: metrics-server
             name: metrics-lb
+          - contents: |-
+              apiVersion: v1
+              data:
+                  Corefile: |
+                      .:53 {
+                          errors
+                          health {
+                              lameduck 5s
+                          }
+                          ready
+                          log . {
+                              class error
+                          }
+                          prometheus :9153
+
+                          kubernetes cluster.local in-addr.arpa ip6.arpa {
+                              pods insecure
+                              fallthrough in-addr.arpa ip6.arpa
+                              ttl 30
+                          }
+
+                          rewrite name git.dubyatp.xyz traefik-local.traefik.svc.cluster.local
+                          
+                          forward . /etc/resolv.conf {
+                            max_concurrent 1000
+                          }
+                          cache 30 {
+                            disable success cluster.local
+                            disable denial cluster.local
+                          }
+                          loop
+                          reload
+                          loadbalance
+                      }
+              kind: ConfigMap
+              metadata:
+                  name: coredns
+                  namespace: kube-system
+            name: coredns-config
+---
+kind: ControlPlane
+machines:
+  - 20b4c826-e699-43b3-826d-73eb5173680b
+  - 5fdea709-56ad-45f2-966d-5e344dbe4fdf
+  - 30303031-3030-3030-6335-303731636665
+---
+kind: Workers
+machines:
+  - 02c02200-f403-11ef-9372-70f446672600
+  - 03000200-0400-0500-0006-000700080009
+  - 1006b91a-ecbf-11ea-aed4-046ba1ee3700
+  - 5f0cd701-0784-4fcc-8e52-3b3304049972
+  - da507021-8912-4337-86a3-94a05bd1cf05
+---
+kind: Machine
+name: 02c02200-f403-11ef-9372-70f446672600
+patches:
+  - idOverride: 400-cm-02c02200-f403-11ef-9372-70f446672600
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-w02
+          interfaces:
+            - deviceSelector:
+                driver: igc
+                hardwareAddr: e8:ff:1e:d4:b8:89
+              dhcp: true
+              vlans:
+                - dhcp: false
+                  vlanId: 50
+            - deviceSelector:
+                hardwareAddr: e8:ff:1e:d4:b8:8a
+              dhcp: true
+              mtu: 9000
+            - bridge:
+                interfaces:
+                  - enp1s0.50
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+name: 03000200-0400-0500-0006-000700080009
+patches:
+  - idOverride: 400-cm-03000200-0400-0500-0006-000700080009
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-testw01
+          interfaces:
+            - deviceSelector:
+                driver: igc
+                hardwareAddr: e8:ff:1e:d5:f8:22
+              dhcp: true
+              vlans:
+                - dhcp: false
+                  vlanId: 50
+            - deviceSelector:
+                hardwareAddr: e8:ff:1e:d5:f8:21
+              dhcp: true
+              mtu: 9000
+            - bridge:
+                interfaces:
+                  - enp2s0.50
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+name: 1006b91a-ecbf-11ea-aed4-046ba1ee3700
+patches:
+  - idOverride: 400-cm-1006b91a-ecbf-11ea-aed4-046ba1ee3700
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-testw04
+          interfaces:
+            - deviceSelector:
+                driver: mlx4_core
+                hardwareAddr: f4:52:14:60:5e:30
+              dhcp: true
+              vlans:
+                - dhcp: false
+                  vlanId: 50
+            - deviceSelector:
+                hardwareAddr: f4:52:14:60:5e:31
+              dhcp: true
+              mtu: 9000
+            - bridge:
+                interfaces:
+                  - eno1.50
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+name: 30303031-3030-3030-6335-303731636665
+patches:
+  - idOverride: 400-cm-30303031-3030-3030-6335-303731636665
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-cp04
+          interfaces:
+            - deviceSelector:
+                hardwareAddr: dc:a6:32:95:0f:cb
+              dhcp: true
+---
+kind: Machine
+name: 20b4c826-e699-43b3-826d-73eb5173680b
+patches:
+  - idOverride: 400-cm-20b4c826-e699-43b3-826d-73eb5173680b
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-cp02
+          interfaces:
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: 00:16:3e:9c:01:27
+              dhcp: true
+---
+kind: Machine
+name: 5f0cd701-0784-4fcc-8e52-3b3304049972
+patches:
+  - idOverride: 400-cm-5f0cd701-0784-4fcc-8e52-3b3304049972
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-testw05
+          interfaces:
+            - deviceSelector:
+                hardwareAddr: 00:16:3e:b3:dd:f8
+              dhcp: true
+            - deviceSelector:
+                hardwareAddr: 00:16:3e:e5:79:0a
+              dhcp: true
+              mtu: 9000
+            - deviceSelector:
+                hardwareAddr: 00:16:3e:6b:1c:1d
+              dhcp: false
+            - bridge:
+                interfaces:
+                  - enx00163e6b1c1d
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+systemExtensions:
+  - siderolabs/nut-client
+  - siderolabs/qemu-guest-agent
+name: 5fdea709-56ad-45f2-966d-5e344dbe4fdf
+patches:
+  - idOverride: 400-cm-5fdea709-56ad-45f2-966d-5e344dbe4fdf
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-cp01
+          interfaces:
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:e6:ff:7b
+              dhcp: true
+---
+kind: Machine
+name: da507021-8912-4337-86a3-94a05bd1cf05
+patches:
+  - idOverride: 400-cm-da507021-8912-4337-86a3-94a05bd1cf05
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-w03
+          interfaces:
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:be:6c:08
+              dhcp: true
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:f8:4a:92
+              dhcp: true
+              mtu: 8996
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:93:02:0e
+              dhcp: false
+            - bridge:
+                interfaces:
+                  - enxbc241193020e
+              dhcp: false
+              interface: br0

omni/workers.yaml

@@ -1,7 +0,0 @@
-kind: Workers
-machines:
-  - 02c02200-f403-11ef-9372-70f446672600
-  - 03000200-0400-0500-0006-000700080009
-  - 1006b91a-ecbf-11ea-aed4-046ba1ee3700
-  - 5f0cd701-0784-4fcc-8e52-3b3304049972
-  - da507021-8912-4337-86a3-94a05bd1cf05

renovate.json

@@ -14,6 +14,12 @@
     }
   ],
   "packageRules": [
+    {
+      "description": "Automerge patch updates",
+      "matchUpdateTypes": ["patch"],
+      "matchCurrentVersion": "!/^0/",
+      "automerge": true
+    },
     {
       "description": "Rook Ceph - auto-update minor and patch versions only",
       "matchDatasources": ["docker"],

system-apps/argocd/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: argo-cd
-  version: 9.1.7
+  version: 9.4.7
   repository: https://argoproj.github.io/argo-helm

system-apps/argocd/values.yaml

@@ -56,18 +56,6 @@ argo-cd:
                Argo CD has not reported any applications data for the past 15 minutes which
                means that it must be down or not functioning properly.  This needs to be
                resolved for this cloud to continue to maintain state.
-         - alert: ArgoAppNotSynced
-           expr: |
-             argocd_app_info{sync_status!="Synced"} == 1
-           for: 12h
-           labels:
-             severity: warning
-           annotations:
-             summary: '{{ $labels.name }} Application not synchronized'
-             description: >
-               The application {{ $labels.name }} has not been synchronized for over
-               12 hours which means that the state of this cloud has drifted away from the
-               state inside Git.
   server:
     ingress:
       enabled: true
@@ -140,18 +128,30 @@ argo-cd:
           remoteRef:
             key: argo-cd
             property: webhook.gitea.secret
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: admin.password
           remoteRef:
             key: argo-cd
             property: admin.password
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: admin.passwordMtime
           remoteRef:
             key: argo-cd
             property: admin.passwordMtime
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: dex.authentik.clientSecret
           remoteRef:
             key: argo-cd
             property: dex.authentik.clientSecret
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
     - apiVersion: external-secrets.io/v1
       kind: ExternalSecret
       metadata:
@@ -172,14 +172,23 @@ argo-cd:
           remoteRef:
             key: argo-cd-git
             property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: type
           remoteRef:
             key: argo-cd-git
             property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: url
           remoteRef:
             key: argo-cd-git
             property: url.core-apps
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
     - apiVersion: external-secrets.io/v1
       kind: ExternalSecret
       metadata:
@@ -200,14 +209,23 @@ argo-cd:
           remoteRef:
             key: argo-cd-git
             property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: type
           remoteRef:
             key: argo-cd-git
             property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: url
           remoteRef:
             key: argo-cd-git
             property: url.weyma-talos
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
     - apiVersion: external-secrets.io/v1
       kind: ExternalSecret
       metadata:
@@ -228,14 +246,23 @@ argo-cd:
           remoteRef:
             key: argo-cd-git
             property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: type
           remoteRef:
             key: argo-cd-git
             property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: url
           remoteRef:
             key: argo-cd-git
             property: url.williamp-sites
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
     - apiVersion: external-secrets.io/v1
       kind: ExternalSecret
       metadata:
@@ -256,11 +283,20 @@ argo-cd:
           remoteRef:
             key: argo-cd-git
             property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: type
           remoteRef:
             key: argo-cd-git
             property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
         - secretKey: url
           remoteRef:
             key: argo-cd-git
             property: url.db-operators
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None

system-apps/cert-manager/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: cert-manager
-  version: v1.19.2
+  version: v1.19.4
   repository: https://charts.jetstack.io

system-apps/external-secrets/chart/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: external-secrets
-  version: 1.1.1
+  version: 2.0.1
   repository: https://charts.external-secrets.io

system-apps/kite/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: kite
-  version: 0.7.5
+  version: 0.7.8
   repository: https://zxh326.github.io/kite

system-apps/kite/values.yaml

@@ -1,5 +1,7 @@
 kite:
   host: "https://weyma-kite.infra.dubyatp.xyz"
+  deploymentStrategy:
+    type: Recreate
   secret:
     create: false
     existingSecret: kite-secret
@@ -16,3 +18,5 @@ kite:
         paths:
           - path: /
             pathType: ImplementationSpecific
+  podAnnotations:
+    backup.velero.io/backup-volumes: kite-storage

system-apps/kubernetes-replicator/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: kubernetes-replicator
-  version: 2.12.2
+  version: 2.12.3
   repository: https://helm.mittwald.de

system-apps/monitoring/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: kube-prometheus-stack
-  version: 80.4.1
+  version: 82.4.3
   repository: https://prometheus-community.github.io/helm-charts

system-apps/rook-ceph/clusters/cluster.yaml

@@ -21,7 +21,7 @@ spec:
     # versions running within the cluster. See tags available at https://hub.docker.com/r/ceph/ceph/tags/.
     # If you want to be more precise, you can always use a timestamp tag such as quay.io/ceph/ceph:v19.2.1-20250202
     # This tag might not contain a new Ceph version, just security fixes from the underlying operating system, which will reduce vulnerabilities
-    image: quay.io/ceph/ceph:v19.2.3-20250717
+    image: quay.io/ceph/ceph:v20.2.0-20251104
     # Whether to allow unsupported versions of Ceph. Currently Reef and Squid are supported.
     # Future versions such as Tentacle (v20) would require this to be set to `true`.
     # Do not set to true in production.

system-apps/rook-ceph/operator/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: rook-ceph
-  version: v1.18.8
+  version: v1.19.2
   repository: https://charts.rook.io/release

system-apps/rook-ceph/operator/templates/rules.yaml

@@ -497,61 +497,6 @@ spec:
             oid: "1.3.6.1.4.1.50495.1.2.1.8.1"
             severity: "critical"
             type: "ceph_default"
-        - alert: "CephNodeNetworkPacketDrops"
-          annotations:
-            description: "Node {{ "{{" }} $labels.instance {{ "}}" }} experiences packet drop > 0.5% or > 10 packets/s on interface {{ "{{" }} $labels.device {{ "}}" }}."
-            summary: "One or more NICs reports packet drops"
-          expr: |
-            (
-              rate(node_network_receive_drop_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_drop_total{device!="lo"}[1m])
-            ) / (
-              rate(node_network_receive_packets_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_packets_total{device!="lo"}[1m])
-            ) >= 0.0050000000000000001 and (
-              rate(node_network_receive_drop_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_drop_total{device!="lo"}[1m])
-            ) >= 10
-          labels:
-            oid: "1.3.6.1.4.1.50495.1.2.1.8.2"
-            severity: "warning"
-            type: "ceph_default"
-        - alert: "CephNodeNetworkPacketErrors"
-          annotations:
-            description: "Node {{ "{{" }} $labels.instance {{ "}}" }} experiences packet errors > 0.01% or > 10 packets/s on interface {{ "{{" }} $labels.device {{ "}}" }}."
-            summary: "One or more NICs reports packet errors"
-          expr: |
-            (
-              rate(node_network_receive_errs_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_errs_total{device!="lo"}[1m])
-            ) / (
-              rate(node_network_receive_packets_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_packets_total{device!="lo"}[1m])
-            ) >= 0.0001 or (
-              rate(node_network_receive_errs_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_errs_total{device!="lo"}[1m])
-            ) >= 10
-          labels:
-            oid: "1.3.6.1.4.1.50495.1.2.1.8.3"
-            severity: "warning"
-            type: "ceph_default"
-        - alert: "CephNodeNetworkBondDegraded"
-          annotations:
-            description: "Bond {{ "{{" }} $labels.master {{ "}}" }} is degraded on Node {{ "{{" }} $labels.instance {{ "}}" }}."
-            summary: "Degraded Bond on Node {{ "{{" }} $labels.instance {{ "}}" }}"
-          expr: |
-            node_bonding_slaves - node_bonding_active != 0
-          labels:
-            severity: "warning"
-            type: "ceph_default"
-        - alert: "CephNodeInconsistentMTU"
-          annotations:
-            description: "Node {{ "{{" }} $labels.instance {{ "}}" }} has a different MTU size ({{ "{{" }} $value {{ "}}" }}) than the median of devices named {{ "{{" }} $labels.device {{ "}}" }}."
-            summary: "MTU settings across Ceph hosts are inconsistent"
-          expr: "node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0) ==  scalar(    max by (device) (node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0)) !=      quantile by (device) (.5, node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0))  )or node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0) ==  scalar(    min by (device) (node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0)) !=      quantile by (device) (.5, node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0))  )"
-          labels:
-            severity: "warning"
-            type: "ceph_default"
     - name: "pools"
       rules:
         - alert: "CephPoolGrowthWarning"

system-apps/traefik/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: traefik
-  version: 37.4.0
+  version: 39.0.2
   repository: https://traefik.github.io/charts

system-apps/traefik/values.yaml

@@ -4,18 +4,17 @@ traefik:
     - --entryPoints.websecure.transport.respondingTimeouts.readTimeout=0
   ports:
     web:
-      redirections:
+      http:
-        entryPoint:
+        redirections:
-          to: websecure
+          entryPoint:
-          scheme: https
+            to: websecure
-          permanent: true
+            scheme: https
+            permanent: true
     gitssh:
       port: 2222
       exposedPort: 22
       expose:
         default: true
-      tls:
-        passthrough: true
   metrics:
     prometheus:
       service:
@@ -38,7 +37,7 @@ traefik:
     kind: DaemonSet
     additionalContainers:
     - name: cloudflared
-      image: cloudflare/cloudflared:2025.11.1
+      image: cloudflare/cloudflared:2026.2.0
       command:
         - cloudflared
         - tunnel
@@ -81,6 +80,19 @@ traefik:
                 traefik-real-ip:
                   excludednets:
                     - "1.1.1.1/24"
+          routers:
+            dispatcharr:
+              entryPoints:
+              - websecure
+              service: dispatcharr
+              tls:
+                options: default
+              rule: 'Host(`dispatcharr.dubyatp.xyz`) && PathPrefix(`/`)'
+          services:
+            dispatcharr:
+              loadBalancer:
+                servers:
+                - url: http://10.105.15.20:9191
   service:
     spec:
       externalTrafficPolicy: Local
@@ -117,3 +129,26 @@ traefik:
     data:
       tls.crt: ""
       tls.key: ""
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: traefik-local
+    spec:
+      sessionAffinity: ClientIP
+      sessionAffinityConfig:
+        clientIP:
+          timeoutSeconds: 3600
+      selector:
+        app.kubernetes.io/name: traefik
+        app.kubernetes.io/instance: traefik-traefik
+      ports:
+      - name: gitssh
+        port: 22
+        targetPort: gitssh
+      - name: web
+        port: 80
+        targetPort: web
+      - name: websecure
+        port: 443
+        targetPort: websecure
+      type: ClusterIP

system-apps/velero/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: velero
-  version: 11.2.0
+  version: 11.4.0
   repository: https://vmware-tanzu.github.io/helm-charts

system-apps/velero/values.yaml

@@ -59,7 +59,7 @@ velero:
         insecureSkipTLSVerify: "true"
   initContainers:
   - name: velero-plugin-for-aws
-    image: velero/velero-plugin-for-aws:v1.13.1
+    image: velero/velero-plugin-for-aws:v1.13.2
     imagePullPolicy: IfNotPresent
     volumeMounts:
       - mountPath: /target