build(deps): bump hotio/jackett

Bumps [hotio/jackett](https://github.com/hotio/jackett) from release-v0.24.1846 to release-v0.24.1954.
- [Commits](https://github.com/hotio/jackett/commits)

---
updated-dependencies:
- dependency-name: hotio/jackett
  dependency-version: release-v0.24.1954
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -16,6 +16,7 @@ updates:
       - "/docker/infrastructure/network/traefik"
       - "/docker/infrastructure/squid"
       - "/docker/infrastructure/sshportal"
+      - "/docker/personal/fireshare"
       - "/docker/personal/gramps"
       - "/docker/personal/media/films-series/jackett"
       - "/docker/personal/media/films-series/jellyfin"
@@ -33,7 +34,6 @@ updates:
       - "/docker/production/alexscript"
       - "/docker/production/buildpath"
       - "/docker/production/semeryfr"
-      - "/docker/production/vhaudiquetfr"
       - "/docker/tools/excalidraw"
       - "/docker/tools/obsidian-livesync"
       - "/docker/tools/stirling-pdf"
@@ -51,7 +51,9 @@ updates:
       - "/kubernetes/personal/notesnook"
       - "/kubernetes/personal/photoprism"
       - "/kubernetes/production/umami"
+      - "/kubernetes/production/vhaudiquet-fr"
       - "/kubernetes/system/blocky"
+      - "/kubernetes/system/caddy"
       - "/kubernetes/system/coredns"
       - "/kubernetes/system/csi-driver-nfs"
       - "/kubernetes/system/external-dns"

.sops.yaml

@@ -3,7 +3,7 @@ creation_rules:
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
     pgp: DC6910268E657FF70BA7EC289974494E76938DDC
   - path_regex: .*.yaml
-    encrypted_regex: ^(data|stringData)$
+    encrypted_regex: ^(data|stringData|.*.key|.*.crt)$
     pgp: DC6910268E657FF70BA7EC289974494E76938DDC
   - path_regex: .*.env$
     input_type: dotenv

.swarmcd/stacks.yaml

@@ -53,6 +53,13 @@ sshportal:
   branch: main
   compose_file: docker/infrastructure/sshportal/docker-compose.yml
 
+fireshare:
+  repo: homeprod
+  branch: main
+  compose_file: docker/personal/fireshare/docker-compose.yml
+  sops_files:
+    - docker/personal/fireshare/.env
+
 gramps:
   repo: homeprod
   branch: main
@@ -146,11 +153,6 @@ semeryfr:
   branch: main
   compose_file: docker/production/semeryfr/docker-compose.yml
 
-vhaudiquetfr:
-  repo: homeprod
-  branch: main
-  compose_file: docker/production/vhaudiquetfr/docker-compose.yml
-
 excalidraw:
   repo: homeprod
   branch: main

dns/production/buildpath.win.yaml

@@ -3,7 +3,7 @@
 : - octodns:
       cloudflare:
         auto-ttl: true
-        proxied: true
+        proxied: false
     ttl: 300
     type: A
     value: 83.113.30.49
@@ -22,7 +22,7 @@ www:
   octodns:
     cloudflare:
       auto-ttl: true
-      proxied: true
+      proxied: false
   ttl: 300
   type: A
   value: 83.113.30.49

dns/production/vhaudiquet.fr.yaml

@@ -355,6 +355,13 @@ canada:
   ttl: 300
   type: A
   value: 192.99.6.159
+clips:
+  octodns:
+    cloudflare:
+      auto-ttl: true
+  ttl: 300
+  type: A
+  value: 83.113.30.49
 flix:
   octodns:
     cloudflare:

docker/home/esphome/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   esphome:
-    image: ghcr.io/esphome/esphome:2026.4.3
+    image: ghcr.io/esphome/esphome:2026.4.5
     ports:
       - "6052"
     networks:

docker/home/n8n/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   n8n:
-    image: docker.n8n.io/n8nio/n8n:2.18.4
+    image: docker.n8n.io/n8nio/n8n:2.21.2
     environment:
       - TZ=Europe/Paris
       - N8N_SECURE_COOKIE=false

docker/infrastructure/mail/stalwart/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   stalwart:
-    image: stalwartlabs/stalwart:v0.16.3
+    image: stalwartlabs/stalwart:v0.16.5
     container_name: stalwart
     networks:
       - default

docker/infrastructure/network/traefik/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   traefik:
-    image: traefik:3.6
+    image: traefik:v3.7
     command: 
       - "--configFile=/etc/traefik/traefik.yml"
     ports:

docker/infrastructure/network/traefik/traefik.yml

@@ -8,6 +8,8 @@ entryPoints:
       trustedIPs:
         - "127.0.0.1/32"
         - "10.1.2.11/32" # nginxproxymanager
+        - "10.1.2.152/32" # caddy
+        - "10.0.0.0/8" # caddy pods
 
 providers:
   docker:

docker/personal/fireshare/.env

@@ -0,0 +1,11 @@
+ADMIN_USERNAME=ENC[AES256_GCM,data:8ngfC8VHpaaGCQ==,iv:Ze7ThfWmAWj0ZvV3A7Pd+aqAW/pahkTZhdFC/TnAwZ0=,tag:KCFdGV1dEw3e+q6FBgy2cw==,type:str]
+ADMIN_PASSWORD=ENC[AES256_GCM,data:UhxEMnqYDyfgffqUf3Q=,iv:VvNX867P+w20Y7laG0R0c4BUw1uICeyF5SU3+waosRE=,tag:JL4GC+UZY3TqSmCq14CTpg==,type:str]
+SECRET_KEY=ENC[AES256_GCM,data:uahYXYr4DvavNMTTdcDA0hdp5wj3OLret3fPF1DEc2lis+E7/fe45DWFuhUu8RAK76tuheA=,iv:Lofc+PP7Rtg99l36yOx6bt0i8hg1DJXzwSKQNJCRYPw=,tag:AiUGZOiLyjKItf++Gya+eA==,type:str]
+DOMAIN=ENC[AES256_GCM,data:LyJ7RAgrioTltNQ/BKoPbEN8XQ==,iv:IHrT5TkaXuIhkfN/nHcapz4CNBG0t9lbzrHDjp04JLw=,tag:gjSa/tSVEqk6pXrfhjs7gQ==,type:str]
+sops_lastmodified=2026-05-06T17:05:48Z
+sops_mac=ENC[AES256_GCM,data:wRtDnVQkNsc1MtxSpbuVDuACkCwunYeyYSaQX2Tglm2kwOnx9iCyhuWY6RMYu5nfyJ1CT1kfqeGrGxhJ5uMDee29eLUv844X3hIXwpMT50jHFXEtfKLfRMfqpv9r9mbp2EP9VNDUtPyIwDk5vSjGeaYqEWtHW/q5y9qIrzqqy5g=,iv:UG4XGi3Qo8/nAddY+rzJm1AKIAmJjtR+2bDqSeaVxG4=,tag:SL2rvrxFmMfgyUyMqFIZEQ==,type:str]
+sops_pgp__list_0__map_created_at=2026-05-06T17:05:48Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//b6zlRVKrqzzszBJmnOUlfeZd5m2ekYv/zIBr4oxHyn5L\neLLff+N7hjBVSajg9Qg7GBQv7s3DX70vHTpdUP38UEO1aM0l3eU1JCwA4Hdh7Ds5\nnq330vUKhIAd+K8Vv4Ei9YHpj+kgMnt+R780qZUg18D39TAnx36q9b5SKzZCUsks\n3YM+G8pHLRipZhxp6zwhOPHVSnImOFjty4d6JV6Zes9zfslaETgva7p5DIKP0ttf\nI2JRacvL75MMp1USyqGKt7Bpl6Yz4VxY49aea+FxDlbzCVLuBBgZMoEjhPQifQfh\nB6OObmu1cVhECidrMHmqDBNqgKsNLble+g3Le+gJdn/zKxVc+q+cPPuk/JdT8tfv\nZTei6jg66IREZOrZCP3Gt4OB5LbkLdS0NET2CMVAYkGQvGrSC+diwUnFkI+WEh+p\noZhvgp/ytBgaw6ZyNPmvkGkFeFg1/ISpOHkVQ+P6Pnot8h4HvuI/KcBwJRCrtdbg\n+XMpqeQdmCnM04v5Uq1NVqRWHD0yvd7GHDOZCqJPMFHP0M6R+SwHq+8+pgbO3jxt\n+426MvhNKw8xWMtnUIO8sSSkzgOfT6vFXmzQvIawbXvitjGjiElkpmT5Hz3hn1Bm\nnu8CivqLwL4Gs1Uc2m6qHGkvGqxWwcHABWqftAk3VfhmjcFDwAyWROlCuD+A15PS\nXgE1wn9jLesXaiCwzAp4AOstkk0fR2yio4fa9dCeenzuedULNLuCyJfYtSm4QlSU\nvffH4iL8X/R24s6SdPsCIuNnAeKc0P4E55AlOaeZN4HcZzfspVikAZx+bK14JS8=\n=KGp6\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.10.2

docker/personal/fireshare/docker-compose.yml

@@ -0,0 +1,58 @@
+services:
+  fireshare:
+    container_name: fireshare
+    image: shaneisrael/fireshare:1.6.10-lite
+    ports:
+      - "80"
+    volumes:
+      - data:/data
+      - processed:/processed
+      - video:/videos
+      - images:/images
+    env_file:
+      - .env
+    environment:
+      # PUID/PGID: the user/group ID the container runs as. Files written to your
+      # volumes (data, processed, videos, images) will be owned by this user. Set these to
+      # match the owner of your host directories to avoid permission errors.
+      # Run `id` on your host to find your UID and GID.
+      - PUID=1000
+      - PGID=1000
+    networks:
+      - default
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.fireshare.rule=Host(`clips.vhaudiquet.fr`)"
+      - "traefik.http.services.fireshare.loadbalancer.server.port=80"
+
+volumes:
+  data:
+    driver: local
+    driver_opts:
+      type: 'none'
+      o: 'bind'
+      device: '/app/fireshare/data'
+  processed:
+    driver: local
+    driver_opts:
+      type: 'none'
+      o: 'bind'
+      device: '/app/fireshare/processed'
+  video:
+    driver: local
+    driver_opts:
+      type: 'none'
+      o: 'bind'
+      device: '/app/fireshare/video'
+  images:
+    driver: local
+    driver_opts:
+      type: 'none'
+      o: 'bind'
+      device: '/app/fireshare/images'
+
+networks:
+  proxy:
+    external: true
+    name: proxy

docker/personal/gramps/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   grampsweb:
     container_name: grampsweb
-    image: ghcr.io/gramps-project/grampsweb:26.4.3
+    image: ghcr.io/gramps-project/grampsweb:26.5.1
     restart: always
     networks:
       - default
@@ -31,7 +31,7 @@ services:
 
   grampsweb_celery:
     container_name: grampsweb_celery
-    image: ghcr.io/gramps-project/grampsweb:26.4.3
+    image: ghcr.io/gramps-project/grampsweb:26.5.1
     restart: always
     environment:
       - GRAMPSWEB_TREE="Gramps Web"  # will create a new tree if not exists
@@ -52,7 +52,7 @@ services:
     command: celery -A gramps_webapi.celery worker --loglevel=INFO --concurrency=2
 
   grampsweb_redis:
-    image: docker.io/library/redis:8.6.2-alpine
+    image: docker.io/library/redis:8.6.3-alpine
     container_name: grampsweb_redis
     restart: always
 

docker/personal/media/films-series/jackett/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   jackett:
     container_name: jackett
-    image: ghcr.io/hotio/jackett:release-v0.24.1813
+    image: ghcr.io/hotio/jackett:release-v0.24.1954
     ports:
       - "9117"
     networks:

docker/personal/media/films-series/jellyfin/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   jellyfin:
-    image: jellyfin/jellyfin:2026042706
+    image: jellyfin/jellyfin:2026051106
     container_name: jellyfin
     networks:
       - default

docker/personal/media/music/navidrome/docker-compose.yml

@@ -14,7 +14,7 @@ services:
       ND_SESSIONTIMEOUT: 24h
       ND_BASEURL: "http://navidrome.lan"
       ND_PORT: 4533
-      ND_REVERSEPROXYWHITELIST: "172.20.0.0/16,10.1.2.11/32"
+      ND_REVERSEPROXYWHITELIST: "172.20.0.0/16,10.1.2.11/32,10.1.2.152/32"
     volumes:
       - data:/data
       - "music:/music:ro"

docker/personal/radicale/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   radicale:
-    image: tomsquest/docker-radicale:3.7.1.0
+    image: tomsquest/docker-radicale:3.7.2.0
     container_name: radicale
     ports:
       - 5232

docker/personal/syncthing/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   syncthing-valentin:
-    image: syncthing/syncthing:2.0
+    image: syncthing/syncthing:2.1
     container_name: syncthing-valentin
     hostname: syncthing-valentin
     environment:

docker/production/buildpath/docker-compose.yml

@@ -10,7 +10,7 @@ services:
     env_file: .env
 
   match_collector:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:ee32060a7f05bd963bed4337369e146ba6313d64
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:0224b7812c8631bde3e9513adace64341152fc20
     build: ./match_collector
     volumes:
       - bpcdragon_cache:/cdragon
@@ -23,7 +23,7 @@ services:
     env_file: .env
 
   frontend:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:ee32060a7f05bd963bed4337369e146ba6313d64
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:0224b7812c8631bde3e9513adace64341152fc20
     build: ./frontend
     restart: always
     volumes:

docker/production/vhaudiquetfr/docker-compose.yml

@@ -1,36 +0,0 @@
-services:
-  vhaudiquetfr:
-    container_name: vhaudiquetfr
-    image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:259ad574d15c1b50e0766602b6b0b5ee39afd657
-    networks:
-      - default
-      - proxy
-    ports:
-      - 80
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.vhaudiquetfr.rule=Host(`vhaudiquet.fr`)"
-    environment:
-      - NGINX_HOST=vhaudiquet.fr
-      - NGINX_PORT=80
-    volumes:
-      - files:/usr/share/nginx/html/files
-      - public:/usr/share/nginx/html/public
-
-networks:
-  proxy:
-    external: true
-    name: proxy
-
-volumes:
-  files:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/app/vhaudiquetfr/files'
-  public:
-    driver_opts:
-      type: 'nfs'
-      o: 'addr=truenas.lan'
-      device: ':/mnt/main_storage/public'

generate-dependabot.sh

@@ -52,6 +52,7 @@ find kubernetes -name 'release.yaml' -print0 \
 if ! [ -f .github/dependabot.yml ] || ! cmp -s "$tmpfile" .github/dependabot.yml; then
   mv "$tmpfile" .github/dependabot.yml
   echo "Updated .github/dependabot.yml!"
+  git add ".github/dependabot.yml"
 else
   echo "No changes to .github/dependabot.yml."
 fi

generate-docker-swarmcd.sh

@@ -33,6 +33,7 @@ find docker -name 'docker-compose.yml' -print0 \
 if ! [ -f .swarmcd/stacks.yaml ] || ! cmp -s "$tmpfile" .swarmcd/stacks.yaml; then
   mv "$tmpfile" .swarmcd/stacks.yaml
   echo "Updated .swarmcd/stacks.yaml!"
+  git add ".swarmcd/stacks.yaml"
 else
   echo "No changes to .swarmcd/stacks.yaml."
 fi

infra/pve/docker.tf

@@ -1,137 +0,0 @@
-/* 
-* Docker machine terraform file
-*/
-
-resource "proxmox_virtual_environment_download_file" "debian-latest-cloudimg" {
-  content_type = "iso"
-  datastore_id = "local"
-  file_name = "debian-12-generic-amd64.qcow2.img"
-  node_name = "pve"
-  url = "https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-generic-amd64.qcow2"
-}
-
-resource "proxmox_virtual_environment_file" "docker-machine-cloud-config" {
-  content_type = "snippets"
-  datastore_id = "local"
-  node_name    = "pve"
-
-  source_raw {
-    data = <<-EOF
-    #cloud-config
-    package_update: true
-    packages:
-      - git
-      - ca-certificates
-      - wget
-      - curl
-      - gnupg2
-      - qemu-guest-agent
-      - nfs-common
-    runcmd:
-      - systemctl enable --now qemu-guest-agent
-      - install -m 0755 -d /etc/apt/keyrings
-      - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
-      - chmod a+r /etc/apt/keyrings/docker.asc
-      - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-      - apt-get update
-      - apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-      - docker swarm init
-      - git clone https://github.com/vhaudiquet/homeprod /root/homeprod
-      - mkdir /app
-      - echo "truenas.lan:/mnt/fast_app_data/docker-homeprod      /app     nfs     defaults,_netdev    0 0" >>/etc/fstab
-      - mount -t nfs truenas.lan:/mnt/fast_app_data/docker-homeprod /app
-      - echo "${var.sops_private_key}" | gpg --import
-    EOF
-    file_name = "docker-machine-cloud-config.yaml"
-  }
-}
-
-resource "proxmox_virtual_environment_vm" "docker-machine" {
-  name = "docker-machine"
-  node_name = "pve"
-  on_boot = true
-
-  agent {
-    enabled = true
-  }
-
-  tags = ["debian", "debian-latest", "docker", "terraform"]
-
-  cpu {
-    type = "host"
-    cores = 4
-    sockets = 1
-    flags = []
-  }
-
-  memory {
-    dedicated = 16192
-  }
-
-  network_device {
-    bridge = "vmbr0"
-    model = "virtio"
-    vlan_id = 2
-  }
-
-  lifecycle {
-    ignore_changes = [
-      network_interface_names,
-      mac_addresses,
-      ipv4_addresses,
-      ipv6_addresses,
-      id,
-      disk,
-      initialization,
-      vga
-    ]
-  }
-
-  boot_order = ["scsi0"]
-  scsi_hardware = "virtio-scsi-single"
-
-  vga {
-    type = "serial0"
-  }
-
-  disk {
-    interface = "scsi0"
-    iothread = true
-    datastore_id = "local-lvm"
-    size = 128
-    discard = "ignore"
-    file_id = proxmox_virtual_environment_download_file.debian-latest-cloudimg.id
-  }
-
-  vm_id = 701
-
-  initialization {
-    datastore_id = "local-lvm"
-    interface = "ide2"
-    
-    ip_config {
-      ipv4 {
-        address = "10.1.2.175/24"
-        gateway = "10.1.2.1"
-      }
-    }
-
-    user_account {
-      keys = [trimspace(var.ssh_public_key)]
-      password = var.machine_root_password
-      username = "root"
-    }
-
-    vendor_data_file_id = proxmox_virtual_environment_file.docker-machine-cloud-config.id
-  }
-
-  operating_system {
-    type = "l26"
-  }
-
-  tpm_state {
-    version = "v2.0"
-  }
-
-  serial_device {}
-}

infra/pve/docker/main.tf

@@ -1,39 +0,0 @@
-terraform {
-  required_providers {
-    docker = {
-      source  = "kreuzwerker/docker"
-      version = "3.6.2"
-    }
-  }
-}
-
-# Docker configuration
-provider "docker" {
-  host = "ssh://root@docker-machine.lan"
-}
-
-resource "docker_image" "swarm-cd" {
-  name = "ghcr.io/m-adawi/swarm-cd:latest"
-}
-
-resource "docker_container" "swarm-cd" {
-  name  = "swarm-cd"
-  image = docker_image.swarm-cd.image_id
-  volumes {
-      host_path = "/var/run/docker.sock"
-      container_path = "/var/run/docker.sock"
-      read_only = true
-  }
-  volumes {
-    host_path = "/root/homeprod/.swarmcd/repos.yaml"
-    container_path = "/app/repos.yaml"
-    read_only = true
-  }
-  volumes {
-    host_path = "/root/homeprod/.swarmcd/stacks.yaml"
-    container_path = "/app/stacks.yaml"
-    read_only = true
-  }
-
-  depends_on = [ docker_image.swarm-cd ]
-}

infra/pve/kube.tf

@@ -1,381 +0,0 @@
-/* 
-* Kubernetes cluster terraform file
-*/
-
-resource "proxmox_virtual_environment_download_file" "talos-cloudimg" {
-  content_type = "iso"
-  datastore_id = "local"
-  file_name = "talos-v1.11.1-nocloud-amd64.iso"
-  node_name = "pve"
-  url = "https://factory.talos.dev/image/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515/v1.11.1/nocloud-amd64.iso"
-}
-
-resource "proxmox_virtual_environment_vm" "kube" {
-  name = "kube-talos"
-  description = "Kubernetes Talos Linux"
-  tags = ["kubernetes", "talos", "terraform"]
-
-  node_name = "pve"
-  vm_id = 703
-  machine = "q35"
-  keyboard_layout = "fr"
-
-  agent {
-    enabled = true
-  }
-  stop_on_destroy = true
-
-  cpu {
-    cores = 4
-    type = "x86-64-v3"
-  }
-
-  memory {
-    dedicated = 16192
-    floating = 16192
-  }
-
-  boot_order = ["scsi0", "ide0"]
-  scsi_hardware = "virtio-scsi-single"
-
-  cdrom {
-    file_id = proxmox_virtual_environment_download_file.talos-cloudimg.id
-    interface = "ide0"
-  }
-
-  disk {
-    interface = "scsi0"
-    iothread = true
-    datastore_id = "local-lvm"
-    size = 128
-    discard = "ignore"
-    file_format = "raw"
-  }
-
-  vga {
-    type = "serial0"
-  }
-
-  initialization {
-    datastore_id = "local-lvm"
-    interface = "ide2"
-
-    ip_config {
-      ipv4 {
-        address = "10.1.2.187/24"
-        gateway = "10.1.2.1"
-      }
-    }
-
-    user_account {
-      keys = [trimspace(var.ssh_public_key)]
-      password = var.machine_root_password
-      username = "root"
-    }
-  }
-
-  lifecycle {
-    ignore_changes = [ 
-      ipv4_addresses, ipv6_addresses, network_interface_names
-     ]
-  }
-
-  network_device {
-    bridge = "vmbr0"
-    model = "virtio"
-    vlan_id = 2
-  }
-
-  operating_system {
-    type = "l26"
-  }
-
-  tpm_state {
-    version = "v2.0"
-  }
-
-  serial_device {}
-}
-
-resource "talos_machine_secrets" "kube" {}
-
-data "talos_machine_configuration" "kube" {
-  cluster_name = "kube"
-  machine_type = "controlplane"
-  cluster_endpoint = "https://kube-talos.lan:6443"
-  machine_secrets = talos_machine_secrets.kube.machine_secrets
-  config_patches = [
-    yamlencode({
-      machine = {
-        install = {
-          image = "factory.talos.dev/installer/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v1.11.1"
-        }
-        network = {
-          nameservers = [
-            "10.1.2.3"
-          ]
-        }
-      }
-      cluster = {
-        allowSchedulingOnControlPlanes = true
-        apiServer = {
-          certSANs = [
-            "kube-talos.lan"
-          ]
-        }
-        network = {
-          dnsDomain = "kube-talos.lan"
-          cni = {
-            name: "none"
-          }
-        }
-        proxy = {
-          disabled = true
-        }
-      }
-    })
-  ]
-}
-
-data "talos_client_configuration" "kube" {
-  cluster_name = "kube"
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  nodes = ["kube-talos"]
-}
-
-resource "talos_machine_configuration_apply" "kube" {
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  machine_configuration_input = data.talos_machine_configuration.kube.machine_configuration
-  node = "10.1.2.187" #proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
-  depends_on = [ proxmox_virtual_environment_vm.kube ]
-  lifecycle {
-    replace_triggered_by = [ proxmox_virtual_environment_vm.kube ]
-  }
-}
-
-resource "talos_machine_bootstrap" "kube" {
-  node = "10.1.2.187" #proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  depends_on = [ talos_machine_configuration_apply.kube ]
-  lifecycle {
-    replace_triggered_by = [ proxmox_virtual_environment_vm.kube ]
-  }
-}
-
-resource "talos_cluster_kubeconfig" "kube" {
-  node = proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
-  depends_on = [ talos_machine_bootstrap.kube ]
-  client_configuration = talos_machine_secrets.kube.client_configuration
-}
-
-output "kubeconfig" {
-  sensitive = true
-  value = talos_cluster_kubeconfig.kube.kubeconfig_raw
-}
-
-resource "local_file" "kubeconfig" {
-    content     = "${talos_cluster_kubeconfig.kube.kubeconfig_raw}"
-    filename = "${path.module}/kubeconfig"
-    depends_on = [ talos_cluster_kubeconfig.kube ]
-}
-
-data "talos_client_configuration" "talosconfig" {
-  cluster_name = "homeprod"
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  nodes = [proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0]]
-}
-
-resource "local_file" "talosconfig" {
-    content     = "${data.talos_client_configuration.talosconfig.talos_config}"
-    filename = "${path.module}/talosconfig"
-    depends_on = [ data.talos_client_configuration.talosconfig ]
-}
-
-# TODO : Wait for talos_cluster_kubeconfig...
-resource "helm_release" "cilium" {
-  name = "cilium"
-  namespace = "kube-system"
-  repository = "https://helm.cilium.io/"
-  chart = "cilium"
-  wait = false
-  depends_on = [ local_file.kubeconfig ]
-
-  set {
-    name = "ipam.mode"
-    value = "kubernetes"
-  }
-  set {
-    name = "kubeProxyReplacement"
-    value = true
-  }
-  set {
-    name = "securityContext.capabilities.ciliumAgent"
-    value = "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
-  }
-  set {
-    name = "securityContext.capabilities.cleanCiliumState"
-    value = "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
-  }
-  set {
-    name = "cgroup.autoMount.enabled"
-    value = false
-  }
-  set {
-    name = "cgroup.hostRoot"
-    value = "/sys/fs/cgroup"
-  }
-  set {
-    name = "k8sServiceHost"
-    value = "localhost"
-  }
-  set {
-    name = "k8sServicePort"
-    value = 7445
-  }
-  set {
-    name = "etcd.clusterDomain"
-    value = "kube-talos.lan"
-  }
-  set {
-    name = "hubble.relay.enabled"
-    value = true
-  }
-  # Enable hubble ui
-  set {
-    name = "hubble.ui.enabled"
-    value = true
-  }
-  # Gateway API support
-  set {
-    name = "gatewayAPI.enabled"
-    value = true
-  }
-  set {
-    name = "gatewayAPI.enableAlpn"
-    value = true
-  }
-  set {
-    name = "gatewayAPI.enableAppProtocol"
-    value = true
-  }
-  # Gateway API trusted hops : for reverse proxy
-  set {
-    name = "gatewayAPI.xffNumTrustedHops"
-    value = 1
-  }
-  # Single-node cluster, so 1 operator only
-  set {
-    name = "operator.replicas"
-    value = 1
-  }
-  # L2 announcements
-  set {
-    name = "l2announcements.enabled"
-    value = true
-  }
-  set {
-    name = "externalIPs.enabled"
-    value = true
-  }
-  # Disable ingress controller (traefik will be used for now)
-  set {
-    name = "ingressController.enabled"
-    value = false
-  }
-  set {
-    name = "ingressController.loadbalancerMode"
-    value = "shared"
-  }
-  # Ingress controller for external : behind reverse proxy, trust 1 hop
-  set {
-    name = "envoy.xffNumTrustedHopsL7PolicyIngress"
-    value = 1
-  }
-  # Set cilium as default ingress controller
-  set {
-    name = "ingressController.default"
-    value = true
-  }
-  set {
-    name = "ingressController.service.externalTrafficPolicy"
-    value = "Local"
-  }
-}
-
-resource "kubernetes_namespace" "flux-system" {
-  metadata {
-    name = "flux-system"
-  }
-
-  lifecycle {
-    ignore_changes = [ metadata[0].annotations, metadata[0].labels ]
-  }
-
-  depends_on = [ talos_cluster_kubeconfig.kube, local_file.kubeconfig, helm_release.cilium ]
-}
-
-resource "kubernetes_secret" "flux-sops" {
-  metadata {
-    name = "flux-sops"
-    namespace = "flux-system"
-  }
-
-  type = "generic"
-
-  data = {
-    "sops.asc"=var.sops_private_key
-  }
-
-  depends_on = [ kubernetes_namespace.flux-system ]
-}
-
-resource "helm_release" "flux-operator" {
-  name = "flux-operator"
-  namespace = "flux-system"
-  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
-  chart = "flux-operator"
-  wait = true
-  depends_on = [ kubernetes_secret.flux-sops ]
-}
-
-resource "helm_release" "flux-instance" {
-  name = "flux"
-  namespace = "flux-system"
-  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
-  chart = "flux-instance"
-
-  values = [
-    file("values/components.yaml")
-  ]
-  set {
-    name = "instance.distribution.version"
-    value = "2.x"
-  }
-  set {
-    name = "instance.distribution.registry"
-    value = "ghcr.io/fluxcd"
-  }
-  set {
-    name = "instance.sync.name"
-    value = "homeprod"
-  }
-  set {
-    name = "instance.sync.kind"
-    value = "GitRepository"
-  }
-  set {
-    name = "instance.sync.url"
-    value = "https://github.com/vhaudiquet/homeprod"
-  }
-  set {
-    name = "instance.sync.path"
-    value = "kubernetes/"
-  }
-  set {
-    name = "instance.sync.ref"
-    value = "refs/heads/main"
-  }
-
-
-  depends_on = [ helm_release.flux-operator ]
-}

infra/pve/main.tf

@@ -1,46 +0,0 @@
-# Terraform providers configuration
-terraform {
-  required_providers {
-    proxmox = {
-      source = "bpg/proxmox"
-      version = "0.83.2"
-    }
-    talos = {
-      source  = "siderolabs/talos"
-      version = "0.9.0"
-    }
-    kubernetes = {
-      source = "hashicorp/kubernetes"
-      version = "2.38.0"
-    }
-    helm = {
-      source = "hashicorp/helm"
-      version = "2.17.0"
-    }
-  }
-}
-
-# Proxmox configuration
-provider "proxmox" {
-  endpoint = "https://pve.lan:8006/"
-  api_token = var.api_token
-  insecure = true
-  ssh {
-    agent    = true
-    username = "root"
-  }
-}
-
-# Talos configuration
-provider "talos" {}
-
-# Kubernetes configuration
-provider "kubernetes" {
-  config_path = "${path.module}/kubeconfig"
-}
-# Helm configuration
-provider "helm" {
-  kubernetes {
-    config_path = "${path.module}/kubeconfig"
-  }
-}

infra/pve/variables.tf

@@ -1,19 +0,0 @@
-variable "api_token" {
-  description = "Token to connect Proxmox API"
-  type = string
-}
-
-variable "machine_root_password" {
-  description = "Root password for VMs and containers"
-  type = string
-}
-
-variable "ssh_public_key" {
-  description = "Public SSH key authorized access for VMs and containers"
-  type = string
-}
-
-variable "sops_private_key" {
-  description = "Private SOPS GPG key for flux/kubernetes to decrypt secrets"
-  type = string
-}

infra/r740/kube/main.tf

@@ -44,7 +44,10 @@ data "talos_machine_configuration" "kube" {
         }
         network = {
           nameservers = [
-            "10.1.2.3"
+            # We need a set of nameservers that can work independently of kube
+            # to bootstrap. 
+            "10.1.2.148",
+            "1.1.1.1"
           ]
         }
         certSANs = [

infra/r740/kube/values/components.yaml

@@ -10,7 +10,7 @@ instance:
     type: kubernetes
     multitenant: false
     networkPolicy: true
-    domain: "kube-talos.lan"
+    domain: "cluster.local"
   kustomize:
     patches:
       - target:

infra/r740/proxmox/ai.tf

@@ -47,7 +47,9 @@ resource "proxmox_virtual_environment_file" "ai-cloud-config" {
 resource "proxmox_virtual_environment_vm" "ai" {
   name = "ai-${var.proxmox_node_name}"
   node_name = var.proxmox_node_name
-  on_boot = true
+  
+  on_boot = false
+  started = false
 
   agent {
     enabled = true

infra/r740/proxmox/docker.tf

@@ -61,7 +61,7 @@ resource "proxmox_virtual_environment_vm" "docker-machine" {
   }
 
   memory {
-    floating = 22222
+    floating = 32000
     dedicated = 38768
   }
 

infra/r740/proxmox/kube.tf

@@ -29,7 +29,7 @@ resource "proxmox_virtual_environment_vm" "kube" {
 
   memory {
     dedicated = 32768
-    floating = 16192
+    floating = 22222
   }
 
   boot_order = ["scsi0", "ide0"]
@@ -89,6 +89,12 @@ resource "proxmox_virtual_environment_vm" "kube" {
     vlan_id = 2
   }
 
+  network_device {
+    bridge = "vmbr0"
+    model = "virtio"
+    vlan_id = 2
+  }
+
   operating_system {
     type = "l26"
   }

kubernetes/production/vhaudiquet-fr/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vhaudiquet-fr
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+secretGenerator:
+  - name: vhaudiquet-fr-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/production/vhaudiquet-fr/kustomizeconfig.yaml

@@ -0,0 +1,6 @@
+nameReference:
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease

kubernetes/production/vhaudiquet-fr/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vhaudiquet-fr

kubernetes/production/vhaudiquet-fr/release.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: vhaudiquet-fr
+  namespace: vhaudiquet-fr
+spec:
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: vhaudiquet-fr
+        namespace: vhaudiquet-fr
+      chart: vhaudiquet-fr
+      version: '>=0.1.0-0'
+      interval: 1m
+  valuesFrom:
+    - kind: Secret
+      name: vhaudiquet-fr-values

kubernetes/production/vhaudiquet-fr/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: vhaudiquet-fr
+  namespace: vhaudiquet-fr
+spec:
+  interval: 1m
+  url: https://git.vhaudiquet.fr/api/packages/vhaudiquet/helm

kubernetes/production/vhaudiquet-fr/values.yaml

@@ -0,0 +1,67 @@
+# Number of replicas
+replicaCount: 1
+# Container image configuration
+image:
+    repository: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr
+    pullPolicy: IfNotPresent
+    # The image tag defaults to the chart appVersion (which is set to git SHA by CI).
+    # Override this only if you need a specific version.
+    tag: ""
+# Image pull secrets for private registries
+imagePullSecrets: []
+# Ingress configuration
+ingress:
+    enabled: true
+    className: ""
+    annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    hosts:
+        - host: vhaudiquet.fr
+          paths:
+            - path: /
+              pathType: Prefix
+    tls: []
+# Environment variables
+env:
+    NGINX_HOST: vhaudiquet.fr
+    NGINX_PORT: "80"
+# NFS Storage configuration for public files
+nfs:
+    enabled: true
+    # NFS server IP address
+    server: truenas.lan
+    # NFS export path
+    path: /mnt/main_storage/public
+    # Mount path inside the container
+    mountPath: /usr/share/nginx/html/public
+    # Storage size for PVC
+    storageSize: 10Gi
+    # Storage class name (leave empty for default)
+    storageClassName: ""
+sops:
+    lastmodified: "2026-05-14T09:33:46Z"
+    mac: ENC[AES256_GCM,data:R5ular4bAyV0cFPGUGYg4NWCGI64rWTax6ObBnCadORwSTh5/VQN3bsDDPFC3dep/7nKzY71d2X4qAcVU3RkWa9eMP+e9dhaGV9/8gvY/qDXZiNEuAXsmpaSATgUo6mUwqrwl5tn4ono4ID8gr7FRVpneTbYX/HpiWDbBa9l1Xk=,iv:wQ552gswkX5aOy/Cht1zY56camnb8EhEwy711osyf4c=,tag:t+U/1wRD7/z39KY9zjNcMQ==,type:str]
+    pgp:
+        - created_at: "2026-05-14T09:33:46Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiAQ/+JAzu9u2Dgn+lA58pIhRbM1064juEOvebtBK0FdJCi7AG
+            /Up2oooBmLMxybk16q0800kZHgOAcqTWkRcDq3QhC7nK+xcs03plTLLAlqfnh2x0
+            XyqQVk4du9caRdgvgN96tG+oWUJcuUJ/uFunXAzRvPnNysS5sGXVKJmbVVKfTjqk
+            UPyA5sBbCIxW10kPZJjprR1HaRl2dkgz7jZI/q2RXhFjCOhthMErBFr4f6xD3LnN
+            H5XVtixNcVmIinsGUIgvPW+qknjrf17ammgEtOqjtuu4PUevQFt4zkVyjU0Y/ASj
+            HAyYgSNIAXanb3u9ulL6CCg/CXJSofTrexw5RPM9eTQQ7S1KqHm/Ns6jjl/jXtEW
+            cIQZ5bQJPTJu7W9gxGpgaLmWwGfoDWvmT2rIFYC9tf+61F4EbRvY6KepKET9NYTJ
+            EnyDoxRsfVgxwQjyqpIpmNewWpgWwcLbD8INoJUVx/Yr284F9pBCgKqKRmeNH/Sy
+            kEt3QD1ElohuwTx7XLkYf6LuDFy8kA5wFUPKUgxmoFsGZhMhmi8ysUkUxtYPPMD8
+            YLVOK8UX3sYUDdY7tQjlgz6nhMqGL7ekqxyA5PSCGlhg5siKIhltz1CzadNOrsqF
+            jHkiUCrDNu1ToRPllOw4WMwSzII/sf2oP3FJyE+/Rsl49rVjELLfC8eWPhG0yhXS
+            XgGHbmvrm1QPl70dF+896QE/XtSydiqLUynCeIAvh61//ipS9lSZXpdDKEP5Q7ZD
+            /lTbPRH7Y7EZUgarjBtc2wYg3iaBkELtS5lnQeJawHQ8/M3TxdWmgEeBim/qr+A=
+            =K+50
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2

kubernetes/system/blocky/values.yaml

@@ -58,35 +58,35 @@ probes:
             failureThreshold: 30
 resources:
     limits:
+        cpu: 600m
+        memory: 768Mi
+    requests:
         cpu: 200m
         memory: 256Mi
-    requests:
-        cpu: 50m
-        memory: 64Mi
 # Full list of options https://github.com/0xERR0R/blocky/blob/main/docs/config.yml
 config: "upstreams:\n    groups:\n        default:\n            - 1.1.1.1\n            - 1.0.0.1\n        lan:\n            - 10.101.207.1\n\nconditional:\n    mapping:\n        lan: 10.101.207.1\n        cluster.local: 10.96.0.10\n        in-addr.arpa: 10.96.0.10\n\nblocking:\n    allowlists:\n        ads:\n            - |\n                dealabs.digidip.net\n                s.click.aliexpress.com\n                fonts.googleapis.com\n                fonts.gstatic.com\n                wl.spotify.com\n                www.googleadservices.com\n    \n    denylists:\n        ads:\n            - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts\n            - https://adaway.org/hosts.txt\n    \n    clientGroupsBlock:\n        default:\n            - ads\n    \n    blockType: zeroIp\n    blockTTL: 1m\n    loading:\n        refreshPeriod: 4h\n        downloads:\n            timeout: 60s\n\ncaching:\n    minTime: 5m\n    maxTime: 30m\n    # Disable negative caching (NXDOMAIN responses) for dynamic DNS\n    cacheTimeNegative: 0\n    prefetching: true\n    prefetchExpires: 2h\n    prefetchThreshold: 5\n\nprometheus:\n    enable: true\n    path: /metrics\n\nports:\n    dns: 53\n    http: 4000\n\nbootstrapDns: tcp+udp:1.1.1.1\n\nlog:\n    level: info\n    format: text\n    timestamp: true\n"
 sops:
-    lastmodified: "2026-05-02T17:51:26Z"
-    mac: ENC[AES256_GCM,data:J7EovwsXi2L9XocZoi5ann71DQ+wWZk2aCUbjvaGpv0yZC5g2HNccPVRvAj3y9SyMttLT8QlESXzHpEV2A6bOfmJf5v0ACYuWn5wKNlkaBdmTs1xwXp/RcpeOb+FCL9D+9hzjBO9XF6iXZLSj4pO/n1C0IhfeqYKdDC4tHkxOHA=,iv:Qm3Uh+UUSDWCxh7gWJ9x597aWXdMHxtpixE2BVlb6c8=,tag:aHbK26P4f9YV2uGLhpT6OA==,type:str]
+    lastmodified: "2026-05-26T22:01:30Z"
+    mac: ENC[AES256_GCM,data:PkXQH3Y+r4JUSRXJbNO+nQUhEvlQecvz5Jxwlb0bL3PPTi8Y8dCx9kxQAvMM9cijpcavGI04Fy0jRS07draTxlddzZ6FYqvVeu1FzQNtnVsobW/KNZ9mYIYPr9YEvybgHpdbbuO6lVjbERRrOLIFuECIpLoPX5D8+p8+43zBpAE=,iv:XJi6BsIC7wk7bqwSUFZMOwR3shYKjydvqBKNC55mmck=,tag:4C+QU5EAvUU+maw9txgGPQ==,type:str]
     pgp:
-        - created_at: "2026-05-02T17:51:25Z"
+        - created_at: "2026-05-26T22:01:29Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ/+Po8UdkiFGt0LmcvCeSE23aoWwY4qi2FsGKdik+7sL3RN
-            gOt/VQ6geefhd4YDhH0jfd7TDXs7UTtYvKQ+IaKcRUyOrZzhrfTpNeT/lXuaTkHf
-            LAUiqyprq1RDzxxIPvgMh4DynfehgN8B81iMJox2/fD0oV7B6dIIABvAl87gzANw
-            7snQLJwdhNXFylKfrdC9A4AfYz7ycXBzEyYlY5BMZENw9yBGgZ1dZITU2KxeYCo/
-            gdVTCevybSBQ/Cq0+hI25ZF+nEIGjrVCN2AxPEUO98ljp4OZEu0p6KsMB4xgCD2j
-            l5LN6YPAu95TRx/bZinoHMMzth6WhFdUG0Anj2cIIYXOcreyzPxYGj+vwRlZFrkZ
-            gTU2vfpt/1Wx8ORRqocCkxZ3dMtm4KsGqe3xpd1y84ezL/bMLxSApn5e7Zzn1cEg
-            DoLwJGnZzSY4nRzfoGXOv6mjyTUVkqNexRlL2wIsgDP9VP/ohS9K2fFZzzJ/fXa1
-            G9DUg64SwfYIFzAgsyWwdE3kCJ/GSIAgrgNwBfZlLGdfB/PB2BkHNpzX4LROUEcD
-            HqqHtVlUIikiFdDQWwB5tS+APBCO6VuzKl1z3ROgV6xhvr4ZYkd9CHYu1S1r1XAs
-            JRCyow0zTLRYGQnDD8+RPQ4MsbzJsugA8Ac4bE4sVJpP8hloZBqHb38AkoUruDTS
-            XgE+Nxcy0/aznBgEscE/VuY/GTH1vwYl5/dAcV8GDYcNmd1tE9E1QwWsSurHt39u
-            +QdGZYoUbHPtsk/zODgEVqn0iTsqO7Y4Qmu93bYlYFQwCygAPKKpCaqmmu2U+rI=
-            =hq5F
+            hQIMA7uy4qQr71wiAQ//USgWAGbn6zOOTw0agC/U0bVyWv9Ez0QTqi/TD9Yv+p1U
+            ksQhSFLs12LiBcH2j/fWs8KdEYJAwDqr7nZJsddz2gEVua223Z94cRiby10SvXfU
+            bH4jpRsdWXj3dH9AET6N+uqiXocfDASE7G2WZalmVOQtsFi1SSVsrcAm/ODts4As
+            7H224kR4/rxWaCEZ0i6S6r9n9wIZiUZGrBk80W8bK/JWBbl4zfgJ9tkzk4NMpJXh
+            TDpaYJxV0T8/kqk/gPaECfN5Il+WgvVL95hS5FI+AxWyeHwWPd5sUgeil0dPoDOj
+            DlNuCyVepSqOo325JH7VoU19YRwYZwh0By//0WHOI8WIjQYUxXTAvHJyg61RLNK9
+            eqwIO6t2QZRol03MjXE7DCeoWraCG0nS+DDF0qHu8bNnhYHcBpiG8d8Lj9xpME51
+            UL1iXSyh461jEcX+8yTImAFMn9Pvt9r+Iv2vT0ZJH8k2Fzxxli+RPL6CQY2qKY7E
+            ibPM0S7nVc8Kb7214xkniped4muzZF2vQJ8qmbcLu9sr9LV5d5Y13OF1NUdc3DTX
+            aRAiVErL2QJujoM5xxDC9CTu11e6TfLN9XysM31sCgDIXMb4fKjxYbJxKY99Y1+S
+            nQO2CiCUCb+hDLaWdmdSv/FY+1tKX67vrU9YeJ6XVJQhVhR+Rt30bvGkNwy34C/S
+            XAHh0aE8KlrY1eCIf5RAygKgLEa1cehKvaGQMOoHWrPfOQUrA6lCvFVSxnwwduIm
+            pJRbIgcsoLUPFffYcDdDmnvmSOfdCNm84k/CUiCtZxqgUkIX98KrZhAVXzCf
+            =mAAM
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$

kubernetes/system/caddy/caddyfile.yaml

@@ -0,0 +1,93 @@
+# Caddy Routes - External ConfigMap
+# This file contains all route definitions, imported by the main Caddyfile.
+# Edit this file to add/modify routes.
+#
+# Certificate files are mounted from the caddy-certificates Secret
+# at /etc/caddy/certs/
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: caddy-routes
+  namespace: caddy
+  labels:
+    app.kubernetes.io/name: caddy
+    app.kubernetes.io/component: routes
+data:
+  Caddyfile: |
+    vhaudiquet.fr {
+      tls /etc/caddy/certs/vhaudiquet-fr.crt /etc/caddy/certs/vhaudiquet-fr.key
+      reverse_proxy 10.1.2.171:80
+    }
+
+    *.vhaudiquet.fr {
+        tls /etc/caddy/certs/wildcard-vhaudiquet-fr.crt /etc/caddy/certs/wildcard-vhaudiquet-fr.key
+
+        # Kubernetes services (via Traefik)
+        @authentik   host authentik.vhaudiquet.fr
+
+        @auth-nook   host auth-nook.vhaudiquet.fr
+        @nook-mg     host n.vhaudiquet.fr
+        @nook        host nook.vhaudiquet.fr
+        @sse-nook    host sse-nook.vhaudiquet.fr
+
+        @gitea       host git.vhaudiquet.fr
+
+        @flux-wh     host flux-webhook.vhaudiquet.fr
+
+        @umami       host umami.vhaudiquet.fr
+
+        handle @authentik {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @auth-nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @nook-mg {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @sse-nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @gitea {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @flux-wh {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @umami {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+
+        # Docker VM services (via Traefik)
+        @alexscript     host alexscript.vhaudiquet.fr
+        @clips          host clips.vhaudiquet.fr
+        @jellyfin       host flix.vhaudiquet.fr
+        @mail           host mail.vhaudiquet.fr
+
+        handle @alexscript {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @clips {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @jellyfin {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @mail {
+            reverse_proxy 10.1.2.212:80
+        }
+    }
+
+    semery.fr {
+      tls /etc/caddy/certs/semery-fr.crt /etc/caddy/certs/semery-fr.key
+      reverse_proxy 10.1.2.212:80
+    }
+
+    buildpath.win {
+      tls /etc/caddy/certs/buildpath-win.crt /etc/caddy/certs/buildpath-win.key
+      reverse_proxy 10.1.2.212:80
+    }

kubernetes/system/caddy/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: caddy
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - certificates-secret.yaml
+  - caddyfile.yaml
+secretGenerator:
+  - name: caddy-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/system/caddy/kustomizeconfig.yaml

@@ -0,0 +1,6 @@
+nameReference:
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease

kubernetes/system/caddy/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: caddy
+  labels:
+    app.kubernetes.io/name: caddy
+    app.kubernetes.io/component: edge-proxy

kubernetes/system/caddy/release.yaml

@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: caddy
+  namespace: caddy
+spec:
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: caddy
+        namespace: caddy
+      chart: caddy
+      interval: 1m
+      version: "0.7.1"
+  valuesFrom:
+    - kind: Secret
+      name: caddy-values
+  # Patch the Service to add loadBalancerIP since the chart doesn't support it
+  postRenderers:
+    - kustomize:
+        patches:
+          - target:
+              kind: Service
+              name: caddy
+            patch: |
+              - op: add
+                path: /spec/loadBalancerIP
+                value: "10.1.2.152"

kubernetes/system/caddy/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: caddy
+  namespace: caddy
+spec:
+  interval: 1m
+  url: https://charts.alekc.dev/

kubernetes/system/caddy/values.yaml

@@ -0,0 +1,99 @@
+# Caddy Edge Proxy
+replicaCount: 2
+# Listen on standard HTTP port
+listenPort: 80
+# Enable HTTPS
+https:
+    enabled: true
+    port: 443
+image:
+    repository: caddy
+    pullPolicy: IfNotPresent
+    tagSuffix: ""
+    tag: 2.11.2
+service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+# Disable ingress - Caddy IS the edge proxy
+ingress:
+    enabled: false
+resources:
+    requests:
+        cpu: 100m
+        memory: 128Mi
+    limits:
+        cpu: 500m
+        memory: 256Mi
+# Caddy needs root to bind to ports 80/443 and write runtime data
+# Using restrictive security context causes "operation not permitted"
+podSecurityContext: {}
+securityContext: {}
+health:
+    path: /
+    port: 9999
+# Extra volumes: certificates + external routes ConfigMap
+volumes:
+    - name: certificates
+      secret:
+        secretName: ENC[AES256_GCM,data:Er1F+5xhWKUT43+7jU/pwxWP,iv:Ohc3jFIQ4Enmbhd0F44SYWJiHlj1oFOrMdtM4oYKQEU=,tag:Kk8Y8aFSKMyGmY/uRVvyLw==,type:str]
+        optional: ENC[AES256_GCM,data:JdlpGQ==,iv:xaoqonC9cGHXizHuAFrjhC4ZEtZ2IICeg2hxvGjyFM4=,tag:JYmlIXgIMON7z4++FrBGKQ==,type:bool]
+    - name: routes
+      configMap:
+        name: caddy-routes
+# Extra volume mounts
+volumeMounts:
+    - name: certificates
+      mountPath: /etc/caddy/certs
+      readOnly: true
+    - name: routes
+      mountPath: /etc/caddy/routes
+      readOnly: true
+# Caddy configuration
+config:
+    debug: false
+    # Global options (goes inside the global {} block)
+    global: |
+        auto_https off
+    # The main Caddyfile content - imports routes from external ConfigMap
+    # This keeps routes in a separate, easily editable file
+    caddyFile: |
+        :80 {
+            redir https://{host}{uri} permanent
+        }
+
+        import /etc/caddy/routes/Caddyfile
+affinity:
+    podAntiAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                    matchLabels:
+                        app.kubernetes.io/name: caddy
+                topologyKey: kubernetes.io/hostname
+sops:
+    lastmodified: "2026-05-08T11:43:14Z"
+    mac: ENC[AES256_GCM,data:K0HWw8yTPKy6e3aQV4SdiVwrCjiyCFlFbeycAiyJq4IdlKX9v4wFvjVFLR8VziH8oXJXdUUhr+LOiqNI5HwghXkVn2dOP2ij9jvXZtMic4P0AUN16PfWoedu9ozA+xsGHZ1OTUv+sxvKEUo5Z5Wp+u761w/Xqdn5hHmU2Komatk=,iv:ICwn/LvizIjXVfgiMje50dQ11JAH37wSla29bGAnjuA=,tag:mV7rtahUy4ODZaA7baM12w==,type:str]
+    pgp:
+        - created_at: "2026-05-08T11:43:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiAQ//aGnCSLLWTkhToTh833OJ1GwgN82F8R+RgsfpKIW+XNvI
+            YdTCgaFrYdCGXsaLHijb7vVwCU0VRf/ufZfQp2+GupqRHCbMLSmlkoiyr9ImGlYX
+            VWQDajv74H/3CcyCQNjqfFRdUHLE+rfNuYaH/p3+/Ee2bgJi52f3uRdJ4lXSCWIf
+            KW9lLbwjlfGnOnsnDkaPwcZW9QL353Mi82yXOu7OihobUaVgr83nESXbAS/k4mx1
+            whOXAoEDeLQZfZrITEewOQ0PHjWJwKc0x2YCiQ0If33GSfDjzWPoDuXmQo/xhk98
+            Nt3aNTMDvjriGNOIcZyUlEjq1HqCmd3pQSD5h8soR9Do/NsTocyK1da49iz91dha
+            jwoEga2iFis9Zd9rr7Caf3pWtmKENUGFJl15tpaelvk13jUebSyDubw0OIYbbILr
+            dVZAeiOHrRMD5crxG05zvOeLMASuL/IrK97RLBAonZLEkRrfgAwZHK2U0rq2HXpI
+            wlp4yDlF/eILvmMgAruP7lW0q/m5+DfxQtcZdamtm3FWj9m0iUAthvw02fplmFci
+            xJ82rkfkPAZSm7/yPJ9yiea+tKgX8yk1uArRtf8rsG6SED2lCRKmux8ElcZc5DYV
+            hyLivTN7X5Nr05mvaPIptCVm1iYoWaiQNZcPDax/LBZJhNaJgPUz1ue1Ppf422PS
+            XgE4dh3x1ulcUhXm4nK/0FzKmJUOjcygPeGWmia0ZOEHub/ju+z8LgRAkBasqRXP
+            4aepPm5xVY0g/Z0xksxIWpYUnLRzs0uUKd+zz1MvmWlZckxUO5wWJUWRcwCBDz4=
+            =Ql2K
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2

kubernetes/system/cilium/pool.yaml

@@ -6,3 +6,4 @@ spec:
   blocks:
   - cidr: "10.1.2.171/32"
   - cidr: "10.1.2.148/32"
+  - cidr: "10.1.2.152/32"

kubernetes/system/coredns/zone-configmap.yaml

@@ -65,3 +65,4 @@ data:
     webmail         IN  A   10.1.2.212
     wizarr          IN  A   10.1.2.212
     zigbee2mqtt     IN  A   10.1.2.212
+    nodered         IN  A   10.1.2.212

kubernetes/system/traefik/values.yaml

@@ -8,35 +8,32 @@ ports:
                 - 127.0.0.1/32
                 # nginx-proxy
                 - 10.1.2.11/32
+                # caddy
+                - 10.1.2.152/32
+                - 10.0.0.0/8
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2025-03-22T13:26:30Z"
-    mac: ENC[AES256_GCM,data:PMUHyPCnIhmUo5N1mdoMhDLXaFN6Cl0IGuq8EG3MGtY5X1g1QboL5nI5o25evFbuXdZn9KB2AqgzPZBxykhVpz8W+mj987g4VeDJ7sU/OnJibHSo+ibqoo0NvQaAMukWevqI7fAQZoyI3PZi07mMGYw23h2cmaJmsuAuDnQ0CvA=,iv:RRV/BF7OXFmBJX5lXZjrG4+4jjbjzMrR8BByMo5hfwA=,tag:+lVLSfdjHeJjA3dKMiRIGA==,type:str]
+    lastmodified: "2026-05-26T11:18:08Z"
+    mac: ENC[AES256_GCM,data:mA5hLNB0rwSiGhnyi24AhZIPJsLpZ6PpbXDyoxZ0q6YjitrClxBEnn2dHtEl2MD6dSLmNMVxnnGyGtl7j4ahfqhuct+oPSepeWT1QX8Xj/mJ2Yrt8UZfGQ1R0Ye+rKGFybluMguCRufioGQpU3TLs2TxB6RxUAiGMI1GyT3JBDY=,iv:Pf617ZQBgYbGEsF7AOtyZBCPUycQ7U/D+Sdl+MCF4y0=,tag:tleTblRukBO0V+zfL05fQw==,type:str]
     pgp:
-        - created_at: "2025-03-22T13:26:30Z"
+        - created_at: "2026-05-26T11:18:08Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ/8DGnKyC/pNGEAuuxcZjoLQhK8TJ3NgNQ3HBVLGpbVBb3S
-            P/n94oPwwEbWXpdq1/MapFgaiAP3kXyv308c0CeIICQvg9xFeXK7/o/X3ucJu/YV
-            TiMsBUCAIWKrN4lmNr3wgnMDQiRs9myzgmzJv3KOpbQr5cYnrT51spWCD2Nnt6Xm
-            HfLyZrxGscW0lrRi6jeg/7lts3HYEs75i8xUS95pj5/a+7i83sfpaAFdkGcxV6Vq
-            285Ys7S86Hrp2T0QkADHMJMXmbeTV18Psfy2v9SXgqeRMq1XHQDn+nPPkYY0kmhs
-            7xVEwGHYLkKuyNmTm+ygsQAVGd/kCeqO+hsdKRtmJ5f4vh0w1ePftScqbfEwNuDl
-            ygEVUIoVhDYdUKnjwqjgiOxsx3Y6+RS4g3vg6gNWk1HunM24bzkFRP4w1lVYB07n
-            hDcQeP0bqo7hopJjvM0VtXbSJq81duBup9DyyPaXOf30p0c+l9it4XdoeR7JaZ/y
-            nJ22POfQYCoJyKpgdB/eReLd/2MqLhdnsCUTd+CNTS1+nCz1M4JziagXU9CspnqP
-            sCYylw6aC9XfzScZldpysdqes1/1ZC9F2QeL6ZO66IRV3xBk/5eSsyZ275DRZYAj
-            P4jf1UhA4U0LQoVPAjh9cA8SLm29MgfEwoFSLGx6wsJ//ibxMIlxku9gkiRRTkPU
-            aAEJAhCQKhc7EsDKh7GgrlPh0763p+CuZR7yMp2W1kY9nU/w/802SgYEyLdPW1aY
-            gG3zMpt1roTOQI7D0jM7NjcYOLeOHWR0ac00wqv3S7I9+4tXOxuHyTX6Og19Z3GV
-            OUgA2wzhUFtj
-            =2DEs
+            hQIMA7uy4qQr71wiAQ/+PJv3xyn1nqVN4ENsKv1GgMaCrmD+F1bpyCEM6quoOe1V
+            Q3jnfTrHNKQySQFS+56KdWkpvf54jUtl2N+v+mAT+02FkdH+fkFQc0rSfqfpwE7H
+            8peu9wY5+nVRp3sUEacJjCgu44dzzIu0MzO9aHZw/JMr1Z+OF3mMeZ1vVEp43i6E
+            ZwCd3HYBQVJ8DaSdkrT/a3r69dJZKYq3mL9XLYzc/6C4JFAF3oOO5Xzkx4BAQKrM
+            CDyVCJ6RihOyysiexRFGu72wIbiE1gSVqLAYzl8XDJyCcVOX8ZRuMh2ImGyuCXtI
+            8dANf39gf57Z3qM9ljNHgtUkFqcpeE66SdNCSeLK7pDl/02k6dPJr98+e0VtZPfv
+            xt/sFUnAppi5dI4I4AZ1upqFWH3zpud+3G+5CYnfn0yqSgysuJyqzSYv7rjJVStY
+            oMdKprkLGcdLc9FJm3yaPluCnTGpPCaBpvx1bUlQSCIHcrbNj98kHjnuSDcUjgBc
+            xpcWmknbsZ0SFnU8fhe/p80Ud7h2Ya5Hp+GY+FPV2YDeQf03YKLGXujsVhm0scpo
+            KtAALuJo8uP3vniAaY6E1eQVZ09psqR3lFHgaRIyLVbOGkvOoE/sMVcS/odcKhgw
+            Gr6bb2iQ9b0seITxk09HV84uRirzgR+R2A2bxD38ASRzbYwDyA0UnJMSJK+ZttfS
+            XgERXIWVWlTL77IVifpdu+7EU+ElyCzlTLHIb0uqywVS2o/LzE+OgR+1tSj0SVl0
+            +NvGYouZlrecytaBj8MG9thv9kK/vNShrl0QeAWNch3Qza7Xb8eLOhumqZVFI9U=
+            =JbZl
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
-    encrypted_regex: ^(password|ssh-key|api-key|user|username|privateKey|apiKey|extraArgs.*|extraEnvVars|.*secret.*|key|.*Password|.*\.ya?ml)$
-    version: 3.9.4
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2