Merge pull request #294 from vhaudiquet/dependabot/docker_compose/docker/personal/media/films-series/jackett/hotio/jackett-release-0.24.900

build(deps): bump hotio/jackett from release-0.24.834 to release-0.24.900 in /docker/personal/media/films-series/jackett

.github/dependabot.yml

@@ -5,7 +5,6 @@ updates:
     schedule:
       interval: weekly
     directories:
-      - "/docker/gitea-actions"
       - "/docker/home/esphome"
       - "/docker/home/matter-server"
       - "/docker/home/mosquitto-mqtt"
@@ -46,7 +45,6 @@ updates:
       - "/kubernetes/code/gitea"
       - "/kubernetes/code/harbor"
       - "/kubernetes/home/home-assisant"
-      - "/kubernetes/home/zigbee2mqtt"
       - "/kubernetes/infrastructure/authentik"
       - "/kubernetes/personal/linkwarden"
       - "/kubernetes/personal/notesnook"
@@ -55,4 +53,5 @@ updates:
       - "/kubernetes/system/csi-driver-nfs"
       - "/kubernetes/system/external-dns"
       - "/kubernetes/system/traefik"
+      - "/kubernetes/tools/dashy"
       - "/kubernetes/tools/glance"

.swarmcd/stacks.yaml

@@ -1,10 +1,3 @@
-gitea-actions:
-  repo: homeprod
-  branch: main
-  compose_file: docker/gitea-actions/docker-compose.yml
-  sops_files:
-    - docker/gitea-actions/.env
-
 esphome:
   repo: homeprod
   branch: main

docker/gitea-actions/.env

@@ -1,11 +0,0 @@
-GITEA_INSTANCE_URL=ENC[AES256_GCM,data:PYjmpgDEvPEC1S7MrN6d91IUBnGbFA9Xag==,iv:m7YQOMnuEoT5wDyy47aaTqjJG+dhqTJKf5i3hQs6GwY=,tag:2ldKTNRqdJEXTxr3uAyLLQ==,type:str]
-GITEA_RUNNER_REGISTRATION_TOKEN=ENC[AES256_GCM,data:RDnENtxQw80C7SwmMZV2DTlEx4+uvzVMy95leGb/1RR6egc6S4xWnQ==,iv:wThZ2+qukJqC+ApvXC9GBdneXJ00jkkTyq+2VXSDG+w=,tag:KygPnxauOpaI1goZ4+uf3g==,type:str]
-GITEA_RUNNER_NAME=ENC[AES256_GCM,data:HvNmmQyKxk16WQV8dRfPOfCO39w=,iv:z1YuNWvglBYaXQwZXjMzXD4ZN2d7c3eD9GdSaG1maNY=,tag:FtX6wG47uTGjTQ8UNvGfcg==,type:str]
-GITEA_RUNNER_LABELS=
-sops_lastmodified=2025-09-16T19:22:00Z
-sops_mac=ENC[AES256_GCM,data:JIp7wyaIsy2Jg9p3ybHAljkDn8vpDRHtf7Zm2/M4exe6CbWCRn1jGMle+SnKBv2DKVciquQ9B9cKtKnVCpEAQOceZ1WakwS/mCmjYTIHqcvm8/vst1BYiL1Ovbw2dDstzWo8g+UTKAmVC7E0TJ01vAbsOab+fVacKLHF97pBqW8=,iv:5tcuJntPXrWCeNTGQbXzLaGZnCc8rr+gKG+UTRBNUaY=,tag:g7EYMAaOmwjKFYfz1ID5xQ==,type:str]
-sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//c0J+b0XwnMbLlQku3tAEutXuEkQPMMrdOpPYwrua9nNu\nSVPBSiamnTeoaP2kM5lcaQ7HUaRLiS1qjXNVPsnAdkGPPID3SxUJzUo7Ca/JOq7e\n39ihqetWAcn9dNDofTxVKyvKXhXKGaDFy2LhaKugj4tkx6qdMA/XAldvRD6ik1jK\nAZjl2xGYTvZ+XgTGtFs6u3Z9ugD6Q3yPjKRSfeIO8NPT5OFFzY70wqlZflxcpupD\npnsvXQkAK1Rnz6F9+dh6jJYYijTdEe9Q0i+0Uy3q+wMsf8KRWs4ARD05DpgIOnUA\nG0s2kdOOlvqoJ/m2fSV7vkIcCvCwhEirn5kfrdUGi3ENazh0g3vpppAfE0ynZdSo\nDiXI7dzCwMxYi8edieOhK3RrOn8bx7B8F1WE+mHL6StQmD2G+xfvgtKlsEJGY2Ed\n1CpMZSQ0TwFx58fYiK+HsZrwAw/3YVzPWryaYvJ6P8QnY3oJOJihSYGRMmyH5WRo\nle1Rxd+Lrt1UnWyZQ7rpqMsYiIzihsNgNix/2wS1R9R1wRFXPdNDfzjrv1BGm/aJ\nOOqUFo6Hd3jEwYcSsG7mbe+hCAAXoJjZSU43dVzeZ0k5ls/lpOjqjQrZZLgz33uF\nNVNRAKTYD2y+/mQ4vpDUsHhu5rtjxh8u1CJf0++q1W/w+Z4ooq5hcNm3ud3DHYjS\nXgF1JA9ThTS+Hs1fV5SFzGMyFMFGeiTVJeww26R+1Vws7fFwbyAYugOqAgkiNkIf\nS2dsxlH1TRjBq1XD4GYk6P3VDUU5UyxG/5XiOexGEVSxBL/wg6TwpyL1hjvgc9k=\n=fmOe\n-----END PGP MESSAGE-----
-sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
-sops_unencrypted_suffix=_unencrypted
-sops_version=3.10.2

docker/gitea-actions/docker-compose.yml

@@ -1,6 +0,0 @@
-services:
-  runner:
-    image: docker.io/gitea/act_runner:nightly
-    env_file: .env
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock

docker/home/esphome/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   esphome:
-    image: ghcr.io/esphome/esphome:2025.12.2
+    image: ghcr.io/esphome/esphome:2026.1.0
     ports:
       - "6052"
     networks:

docker/home/matter-server/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   matter-server:
-    image: ghcr.io/home-assistant-libs/python-matter-server:8.1.0
+    image: ghcr.io/matter-js/python-matter-server:8.1.2
     container_name: matter-server
     restart: unless-stopped
     network_mode: host

docker/home/n8n/docker-compose.yml

@@ -1,9 +1,10 @@
 services:
   n8n:
-    image: docker.n8n.io/n8nio/n8n:2.1.4
+    image: docker.n8n.io/n8nio/n8n:2.4.5
     environment:
       - TZ=Europe/Paris
       - N8N_SECURE_COOKIE=false
+      - NODES_EXCLUDE="[]"
     ports:
       - "5678"
     networks:

docker/home/zigbee2mqtt/docker-compose.yml

@@ -2,7 +2,7 @@ services:
   zigbee2mqtt:
     container_name: zigbee2mqtt
     restart: unless-stopped
-    image: koenkk/zigbee2mqtt:2.7.1
+    image: koenkk/zigbee2mqtt:2.7.2
     networks:
       - default
       - proxy

docker/infrastructure/mail/stalwart/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   stalwart:
-    image: stalwartlabs/stalwart:v0.15.2
+    image: stalwartlabs/stalwart:v0.15.4
     container_name: stalwart
     networks:
       - default

docker/personal/media/films-series/jackett/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   jackett:
     container_name: jackett
-    image: ghcr.io/hotio/jackett:release-0.24.545
+    image: ghcr.io/hotio/jackett:release-0.24.900
     ports:
       - "9117"
     networks:

docker/personal/media/films-series/jellyfin/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   jellyfin:
-    image: jellyfin/jellyfin:2025122205
+    image: jellyfin/jellyfin:2026011205
     container_name: jellyfin
     networks:
       - default

docker/personal/paperless/docker-compose.yml

@@ -16,7 +16,7 @@ services:
       POSTGRES_DB: paperless
 
   paperless-webserver:
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.3
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.5
     restart: unless-stopped
     networks:
       - default

docker/personal/radicale/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   radicale:
-    image: tomsquest/docker-radicale:3.5.10.0
+    image: tomsquest/docker-radicale:3.6.0.0
     container_name: radicale
     ports:
       - 5232

docker/production/buildpath/.env

@@ -1,15 +1,17 @@
-ME_CONFIG_MONGODB_ADMINUSERNAME=ENC[AES256_GCM,data:GjWjDw==,iv:kBzyj+UsDd/el38BJFmn8CiDH0ojagZo91qyOAF7M8k=,tag:M7oaKZltblyTUp0ekD927w==,type:str]
+ME_CONFIG_MONGODB_ADMINUSERNAME=ENC[AES256_GCM,data:FdAhZA==,iv:YXd83wy5lKSybwYdmhXA2DwbVnffX/6R7gn3doDnI1E=,tag:BLYvP9IFNky37COZOgyJvw==,type:str]
-ME_CONFIG_MONGODB_ADMINPASSWORD=ENC[AES256_GCM,data:diSSmsCxW5A=,iv:6kEac9UIlp/ksuqbLrB75eoJA3ReGoJNs/Pnr3C26yA=,tag:xY+J92/KtEsoN2ziqGNZ6Q==,type:str]
+ME_CONFIG_MONGODB_ADMINPASSWORD=ENC[AES256_GCM,data:uvZn2q5dpbc=,iv:4ExRNf2gYK1W/VMKrcXNO5kPKjJmxml1uj44j643mvw=,tag:Xf2wKugbuOU3GlPYlLttIg==,type:str]
-ME_CONFIG_MONGODB_URL=ENC[AES256_GCM,data:bUO+B5Bm7m/DUtCFpguFHQSyA7vkRbXcuPhYSNlpfnATVcgf,iv:WDSHNQyM5cnh1dxKAl0QXfXBmNfeoDjtZvKOeunvJAI=,tag:E0zwMGNECKYWvL/hFdanVg==,type:str]
+ME_CONFIG_MONGODB_URL=ENC[AES256_GCM,data:porEOpLQZF2J5pvRaktvnoh76MhfjBZ3PN8dNwhNAfKs8ipO,iv:7kl+7+C1MaOGM0Gu0jzJEp1Wvl/xz0i5oW5U8EACMKs=,tag:3+xIM62x+2HMA1AggM4mww==,type:str]
-ME_CONFIG_BASICAUTH=ENC[AES256_GCM,data:nj4ofzIdqw==,iv:PkWzZ7mRaftatgX7Whk43S5W2r/M/QGgmLoJ2MIC3Dc=,tag:/J6R5bRgsUFiOectNaKnIw==,type:str]
+ME_CONFIG_BASICAUTH=ENC[AES256_GCM,data:lxxYUfK5cA==,iv:hbw6UUCxTZ9h+XJd0Wesz5T3L5MkBc+JA0SNUogtsOE=,tag:gCyyA6hOIcIvs+HyeqKs/A==,type:str]
-MONGO_USER=ENC[AES256_GCM,data:XopGfw==,iv:r2uoRr5k/nWSGiSOnseVze8UxeMxTnA174E2mWcxcO4=,tag:VWp076qsVpugr96cAwgiHQ==,type:str]
+MONGO_USER=ENC[AES256_GCM,data:osGR9w==,iv:648Yv0sPTvq95q0jcRWSD14HZr6tN2I4ffw/STe38xY=,tag:rVK7sBlAuhsisPPyfnIPMg==,type:str]
-MONGO_PASS=ENC[AES256_GCM,data:QY4VoeaySJU=,iv:STKUpM03rSmfSzkK1mmOP6IDmC4gOnyBUpYzTYylguo=,tag:AFx59JJavyf/qW4eEdn5Ug==,type:str]
+MONGO_PASS=ENC[AES256_GCM,data:2SloANMJ1mQ=,iv:PK2LyBfivEH1EjtRk76BPlnLXfAykC/F40skCeoK7NQ=,tag:JEZXKe4gNj36yLX5wlW5tQ==,type:str]
-MONGO_HOST=ENC[AES256_GCM,data:iIPq+z4=,iv:Xrs9Z01H1/SnTGBTBHuFTCjU0CuCmHs0GABB6AL191E=,tag:LvgyigEAvac1tP6hF0O3+Q==,type:str]
+MONGO_HOST=ENC[AES256_GCM,data:fwvt86U=,iv:YJam2joeQkaVCFUPpc7sPw6ucHpTauiJzC754VsgLPY=,tag:nUQVmxsYbmhlWwz01kHpsw==,type:str]
-RIOT_API_KEY=ENC[AES256_GCM,data:Zi8LX8LuFcAtvX0gLUOOH2KjqOLWUeFWy//MQ1PBdUy/YXqbUJEOsszQ,iv:am8ZA80GQ/pxavda0AR5S3ps6WUXfnpVHb36hZvxroo=,tag:LFvcViq8GZhWD+f4d0904Q==,type:str]
+MONGO_INITDB_ROOT_USERNAME=ENC[AES256_GCM,data:dSNu/Q==,iv:jJYxTZw06/npxgw5zaS5SSC4LyGzr/TLdu5JdDUtqFQ=,tag:d+q5DLS6AHakPnk9089XpQ==,type:str]
-sops_lastmodified=2025-11-24T00:00:31Z
+MONGO_INITDB_ROOT_PASSWORD=ENC[AES256_GCM,data:uD3YRK4xCx8=,iv:jJVjuUBfDuiWa23UGa/n2z0uAkbr4N6Zo9Ee45R1tTs=,tag:RBn0jse9u795RHNc09cBqA==,type:str]
-sops_mac=ENC[AES256_GCM,data:z/Va9k5vTCwmoVntX693PcV95D+fKrlmfe75ldyfkowCrgG/vl7s8uglKjn+wUixMdjz+bDYqR/RXovq9KmXhJO4TYOJd0JZdTXWqn+Ekk8OxooPLOgUdPvrL6rc3Iz53AhplSvAcoLzstZf8Z2WRGNIGve3jONJLFdFI+rL1HQ=,iv:SKTJDTBB6OGqBSfKLjj+xHG7c3ierdCo7mmQ9/+Z/gg=,tag:J92wwQtIyofqqnbm/sYtpA==,type:str]
+RIOT_API_KEY=ENC[AES256_GCM,data:E+w0JQlYW7Bjn2wwnkb0hlYmq3ZteS2LB4NWo2l/o+30+uOTAYzpeDgy,iv:xPZmat+pexxgYxqlkBLlD6sorxRpPlBcwMbo8QDFwjg=,tag:5Loj4AGmr13HGKyVbDozqg==,type:str]
-sops_pgp__list_0__map_created_at=2025-11-24T00:00:31Z
+sops_lastmodified=2025-12-31T13:08:07Z
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/+Ny6UKLVYWP+9bmkZcKBvQXuCti45eWD2NsEKWMtO2LoF\nw5qqzLS1DLWLMBFQz+sn35a6N/RBHfN2LeZehM0c3MKXeTQvkozoxY0Qsj/B4pds\n5XTYpF73wjBCqm48A3Bh3Y9JNl7IiEbbQmGfeunloAr2WWrKsX2ugb3Emay8UrQL\nNvaK8yLV8WfvOWopgeJfGTjV7IPEgW6CBKif8meSq1+D6YLNRbmqpup5eMnZPOWn\ngrH821Q3O8XrKKuALM9N7b+pyBWCqA/R2ohxkLsxHCHNVdDKMQiwGha7y+pu4Fz6\nfEymEw+BPFvwPhcpxMCeT3h1kEX1dbyrvuayrqilCuiSuWNybRNUr/Awpigc9swR\nslW4Tf8ojvnWurBrVbIHxT7uP6xpO9ByzrYCtHauPLuyerlt50GC4Rc6bcJ40Mml\ne0vhrCvoJfUNX+Hfy280rP8NP+K7tPXIhwAK8JRTIwebF1Z1V4qSbvblZlgjglPt\nq/kSy2QTkPfhAohCNEGQK2xkaCAgWhMHPZoYV2We4GCaPT81g6DH/JH/wwGg3uTD\nY15vhHitcgoe9Z9B4V+rW3LQcx59vfvsMkjdPpkzfjCPcOLicR+ZzmmACuZal6aa\n09N4nqd6ESLUc11u4ojcExfbRNbS8IrVRnJxUKe8neI8ANTBAQn/oIidi1OjixvS\nXgHF3afYw7it86b51pEhgwTQ3TxMC5rIix2UUk9EUHOMUxG86Dtf4Cs4S6x/a5q+\nfJ9q+931YCyRQDN3C9H+MSIYWa8d+xAf76ShVS0hW3+//X0Hel2HMb/VNX53jOY=\n=OcbU\n-----END PGP MESSAGE-----
+sops_mac=ENC[AES256_GCM,data:h+aeLcXC3s8gcIlwrU7fHwGIkp1caqMqJcQLdQmFnrtlP9gmx1iOZlZo8yRC8m+imIezhLfjI0yfHdPjyfxw9KTeNoCjNRKyDGfDhbHr0vfPQsrifjeaZj477634WA8MVcL8HrfVwZIHjh+I3fcgVI0kFbcI8/3lkEws/T4oD70=,iv:lc8ltcjngeHueLgXee539iIpIMjvcJpUAec1TGmJuY0=,tag:FkwHdQ0C4QxObEQFL6aefg==,type:str]
+sops_pgp__list_0__map_created_at=2025-12-31T13:08:07Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/+LVciLRpDVh/AlYawgSfwVs8ltal1+3MCHYhdwjFAggJ8\ng6twtj4szAVR7UbT0Qh2hP+my7KLLN1K+Rv/jnsXPhOFo0o8AB0Un+hCFB1i+KLd\ni6cWbv+jCqxRALf98TYe0xDMIfoPKXaIYjV2qlYmGWe3/Sd2+7KbwAKZCehZD1jV\nh21YVeVn7dlv3zPAp5mpH+6yPMp3ZSTAYa8MkUnnS3cUWlWSMHsGwlA9CUvJtKaz\ndkW6n90zEGJrfb6ATH2dPJawWNOp0q/Gcx2uci4Ro09U1jOK7ugSDWxjGOuV9TAL\nYsRYz7LH5yOLpz9HlrZH882SJWZS9xoEV8jOZN1I3NmtJY1KsgAW3BFEsbCA58Q5\nTZFKhH7XK9FW4NbRzHYxHCCZSfGtBCQyUpusGALXnQmkKHJ4MlnrxH9yBX7Go8ph\nCqQ7gvBmNjUZrgp+VWb8+ziDCfYbZDADV4cva4STcjnmFxRiFO1xvYEJpEo2H1gK\nQcMsOruazL3UGkZxWh2Od7bi1K+2Io/TNSKMTboTqgJAOcMO4Ssxn59yYhfDdS2i\n8/mlv4ADPOL4be1400/Tp33QpPnRojyJAM9b8IdJ6ahevVGjGuKPuvrzDs8lYwht\n6eKrbV3mHBv5ZUvSmeTOIwxE8moePDEkUrr3HCfxaaJcMrcjgSkGhCCN4KHbj8TS\nXgFGOX7/BZNOR1SyfBY1gc30Vdy3d7513Gpfcuwsd7Rc+0Ue+p4ysA3dBp+KWhVO\nPkfwdiVFOOvEPoUoanyUqMlvj3ENabNNmHc8jZ23FRxtlfbcyecTT+uckRXgvpU=\n=5/Ac\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2

docker/production/buildpath/docker-compose.yml

@@ -1,15 +1,16 @@
 services:
   mongo:
     hostname: mongo
-    image: mongo:7.0.12
+    image: mongo:8.2.3
     restart: always
+    user: root:root
     volumes:
-      - mongo_data:/data/db
+      - bpmongo_data:/data/db:Z
-      - mongo_data:/data/configdb
+      - bpmongo_config:/data/configdb:Z
     env_file: .env
 
   patch_detector:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-patch_detector:5ecd5f8a954031909425346d40c18ec89d97406c
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-patch_detector:e0a39dab0a5130d8f98e956e3a1c5676410b2d25
     build: ./patch_detector
     restart: "no"
     deploy:
@@ -21,7 +22,7 @@ services:
 
 
   match_collector:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:5ecd5f8a954031909425346d40c18ec89d97406c
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:e0a39dab0a5130d8f98e956e3a1c5676410b2d25
     build: ./match_collector
     restart: "no"
     deploy:
@@ -32,7 +33,7 @@ services:
     env_file: .env
 
   frontend:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:5ecd5f8a954031909425346d40c18ec89d97406c
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:e0a39dab0a5130d8f98e956e3a1c5676410b2d25
     build: ./frontend
     restart: always
     networks:
@@ -47,12 +48,8 @@ services:
     env_file: .env
 
 volumes:
-  mongo_data:
+  bpmongo_data:
-    driver: local
+  bpmongo_config:
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/app/buildpath/data/_data'
 
 networks:
   proxy:

docker/production/vhaudiquetfr/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   vhaudiquetfr:
     container_name: vhaudiquetfr
-    image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:1aa8d9c7fba12aecad1505e0b61052fd878dae7a
+    image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:93dda1dd8445d885d96e8d3ec5937492a620b0d0
     networks:
       - default
       - proxy

infra/r740/docker/main.tf

@@ -0,0 +1,49 @@
+terraform {
+  required_providers {
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "3.6.2"
+    }
+  }
+}
+
+# Docker configuration
+provider "docker" {
+  host = "ssh://root@${var.docker_host}"
+}
+
+resource "docker_image" "swarm-cd" {
+  name = "swarm-cd:latest"
+  # For now, custom-built image based on custom development branch
+  # Once this reaches upstream, back to upstream tag, like:
+  # ghcr.io/m-adawi/swarm-cd:1.9.0
+}
+
+resource "docker_container" "swarm-cd" {
+  name  = "swarm-cd"
+  image = docker_image.swarm-cd.image_id
+  volumes {
+      host_path = "/var/run/docker.sock"
+      container_path = "/var/run/docker.sock"
+      read_only = true
+  }
+  volumes {
+    host_path = "/root/homeprod/.swarmcd/repos.yaml"
+    container_path = "/app/repos.yaml"
+    read_only = true
+  }
+  volumes {
+    host_path = "/root/homeprod/.swarmcd/stacks.yaml"
+    container_path = "/app/stacks.yaml"
+    read_only = true
+  }
+  volumes {
+    host_path = "/app/swarm-cd/data"
+    container_path = "/data"
+  }
+  env = [
+    "SOPS_GPG_PRIVATE_KEY=${var.sops_private_key}"
+  ]
+
+  depends_on = [ docker_image.swarm-cd ]
+}

infra/r740/docker/variables.tf

@@ -0,0 +1,8 @@
+variable "sops_private_key" {
+  description = "Private SOPS GPG key for SwarmCD to decrypt secrets"
+  type = string
+}
+variable "docker_host" {
+  description = "Docker machine hostname"
+  type = string
+}

infra/r740/kube/main.tf

@@ -0,0 +1,311 @@
+terraform {
+  required_providers {
+    talos = {
+      source  = "siderolabs/talos"
+      version = "0.9.0"
+    }
+    kubernetes = {
+      source = "hashicorp/kubernetes"
+      version = "2.36.0"
+    }
+    helm = {
+      source = "hashicorp/helm"
+      version = "2.17.0"
+    }
+  }
+}
+
+# Talos configuration
+provider "talos" {}
+
+# Kubernetes configuration
+provider "kubernetes" {
+  config_path = "${path.module}/kubeconfig"
+}
+# Helm configuration
+provider "helm" {
+  kubernetes {
+    config_path = "${path.module}/kubeconfig"
+  }
+}
+
+resource "talos_machine_secrets" "kube" {}
+
+data "talos_machine_configuration" "kube" {
+  cluster_name = "kube-${var.physical_hostname}"
+  machine_type = "controlplane"
+  cluster_endpoint = "https://${var.kube_host}:6443"
+  machine_secrets = talos_machine_secrets.kube.machine_secrets
+  config_patches = [
+    yamlencode({
+      machine = {
+        install = {
+          image = "factory.talos.dev/installer/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v1.11.5"
+        }
+        network = {
+          nameservers = [
+            "10.1.2.3"
+          ]
+        }
+        certSANs = [
+          "${var.kube_host}", "${var.kube_hostname}"
+        ]
+      }
+      cluster = {
+        clusterName = "kube-${var.physical_hostname}"
+        allowSchedulingOnControlPlanes = true
+        apiServer = {
+          certSANs = [
+            "${var.kube_host}", "${var.kube_hostname}"
+          ]
+        }
+        network = {
+          dnsDomain = "cluster.local"
+          cni = {
+            name: "none"
+          }
+        }
+        proxy = {
+          disabled = true
+        }
+      }
+    })
+  ]
+}
+
+data "talos_client_configuration" "kube" {
+  cluster_name = "kube-${var.physical_hostname}"
+  client_configuration = talos_machine_secrets.kube.client_configuration
+  nodes = ["${var.kube_host}"]
+}
+
+resource "talos_machine_configuration_apply" "kube" {
+  client_configuration = talos_machine_secrets.kube.client_configuration
+  machine_configuration_input = data.talos_machine_configuration.kube.machine_configuration
+  node = var.kube_host
+  depends_on = [ talos_machine_secrets.kube ]
+}
+
+resource "talos_machine_bootstrap" "kube" {
+  node = var.kube_host
+  client_configuration = talos_machine_secrets.kube.client_configuration
+  depends_on = [ talos_machine_configuration_apply.kube, talos_machine_secrets.kube ]
+}
+
+resource "talos_cluster_kubeconfig" "kube" {
+  node = var.kube_host
+  depends_on = [ talos_machine_bootstrap.kube ]
+  client_configuration = talos_machine_secrets.kube.client_configuration
+}
+
+output "kubeconfig" {
+  sensitive = true
+  value = talos_cluster_kubeconfig.kube.kubeconfig_raw
+}
+
+resource "local_file" "kubeconfig" {
+    content     = "${talos_cluster_kubeconfig.kube.kubeconfig_raw}"
+    filename = "${path.module}/kubeconfig"
+    depends_on = [ talos_cluster_kubeconfig.kube ]
+}
+
+data "talos_client_configuration" "talosconfig" {
+  cluster_name = "kube-${var.physical_hostname}"
+  client_configuration = talos_machine_secrets.kube.client_configuration
+  nodes = [var.kube_host]
+}
+
+resource "local_file" "talosconfig" {
+    content     = "${data.talos_client_configuration.talosconfig.talos_config}"
+    filename = "${path.module}/talosconfig"
+    depends_on = [ data.talos_client_configuration.talosconfig ]
+}
+
+# TODO : Wait for talos_cluster_kubeconfig...
+resource "helm_release" "cilium" {
+  name = "cilium"
+  namespace = "kube-system"
+  repository = "https://helm.cilium.io/"
+  chart = "cilium"
+  wait = false
+  depends_on = [ local_file.kubeconfig, talos_cluster_kubeconfig.kube ]
+
+  set {
+    name = "ipam.mode"
+    value = "kubernetes"
+  }
+  set {
+    name = "kubeProxyReplacement"
+    value = true
+  }
+  set {
+    name = "securityContext.capabilities.ciliumAgent"
+    value = "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
+  }
+  set {
+    name = "securityContext.capabilities.cleanCiliumState"
+    value = "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
+  }
+  set {
+    name = "cgroup.autoMount.enabled"
+    value = false
+  }
+  set {
+    name = "cgroup.hostRoot"
+    value = "/sys/fs/cgroup"
+  }
+  set {
+    name = "k8sServiceHost"
+    value = "localhost"
+  }
+  set {
+    name = "k8sServicePort"
+    value = 7445
+  }
+  set {
+    name = "etcd.clusterDomain"
+    value = "cluster.local"
+  }
+  set {
+    name = "hubble.relay.enabled"
+    value = true
+  }
+  # Enable hubble ui
+  set {
+    name = "hubble.ui.enabled"
+    value = true
+  }
+  # Gateway API support
+  set {
+    name = "gatewayAPI.enabled"
+    value = true
+  }
+  set {
+    name = "gatewayAPI.enableAlpn"
+    value = true
+  }
+  set {
+    name = "gatewayAPI.enableAppProtocol"
+    value = true
+  }
+  # Gateway API trusted hops : for reverse proxy
+  set {
+    name = "gatewayAPI.xffNumTrustedHops"
+    value = 1
+  }
+  # Single-node cluster, so 1 operator only
+  set {
+    name = "operator.replicas"
+    value = 1
+  }
+  # L2 announcements
+  set {
+    name = "l2announcements.enabled"
+    value = true
+  }
+  set {
+    name = "externalIPs.enabled"
+    value = true
+  }
+  # Disable ingress controller (traefik will be used for now)
+  set {
+    name = "ingressController.enabled"
+    value = false
+  }
+  set {
+    name = "ingressController.loadbalancerMode"
+    value = "shared"
+  }
+  # Ingress controller for external : behind reverse proxy, trust 1 hop
+  set {
+    name = "envoy.xffNumTrustedHopsL7PolicyIngress"
+    value = 1
+  }
+  # Set cilium as default ingress controller
+  set {
+    name = "ingressController.default"
+    value = true
+  }
+  set {
+    name = "ingressController.service.externalTrafficPolicy"
+    value = "Local"
+  }
+}
+
+resource "kubernetes_namespace" "flux-system" {
+  metadata {
+    name = "flux-system"
+  }
+
+  lifecycle {
+    ignore_changes = [ metadata[0].annotations, metadata[0].labels ]
+  }
+
+  depends_on = [ talos_cluster_kubeconfig.kube, local_file.kubeconfig, helm_release.cilium ]
+}
+
+resource "kubernetes_secret" "flux-sops" {
+  metadata {
+    name = "flux-sops"
+    namespace = "flux-system"
+  }
+
+  type = "generic"
+
+  data = {
+    "sops.asc"=var.sops_private_key
+  }
+
+  depends_on = [ kubernetes_namespace.flux-system ]
+}
+
+resource "helm_release" "flux-operator" {
+  name = "flux-operator"
+  namespace = "flux-system"
+  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
+  chart = "flux-operator"
+  wait = true
+  depends_on = [ kubernetes_secret.flux-sops ]
+}
+
+resource "helm_release" "flux-instance" {
+  name = "flux"
+  namespace = "flux-system"
+  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
+  chart = "flux-instance"
+
+  values = [
+    file("values/components.yaml")
+  ]
+  set {
+    name = "instance.distribution.version"
+    value = "2.x"
+  }
+  set {
+    name = "instance.distribution.registry"
+    value = "ghcr.io/fluxcd"
+  }
+  set {
+    name = "instance.sync.name"
+    value = "homeprod"
+  }
+  set {
+    name = "instance.sync.kind"
+    value = "GitRepository"
+  }
+  set {
+    name = "instance.sync.url"
+    value = "https://github.com/vhaudiquet/homeprod"
+  }
+  set {
+    name = "instance.sync.path"
+    value = "kubernetes/"
+  }
+  set {
+    name = "instance.sync.ref"
+    value = "refs/heads/main"
+  }
+
+
+  depends_on = [ helm_release.flux-operator ]
+}

infra/r740/kube/variables.tf

@@ -0,0 +1,16 @@
+variable "sops_private_key" {
+  description = "Private SOPS GPG key for flux/kubernetes to decrypt secrets"
+  type = string
+}
+variable "kube_hostname" {
+  description = "Kubernetes cluster hostname"
+  type = string
+}
+variable "kube_host" {
+  description = "Kubernetes cluster host"
+  type = string
+}
+variable "physical_hostname" {
+  description = "Host name of the physical host for the kubernetes VM"
+  type = string
+}

infra/r740/proxmox/docker.tf

@@ -24,6 +24,7 @@ resource "proxmox_virtual_environment_file" "docker-machine-cloud-config" {
       - qemu-guest-agent
       - nfs-common
     runcmd:
+      - systemctl mask tmp.mount
       - systemctl enable --now qemu-guest-agent
       - install -m 0755 -d /etc/apt/keyrings
       - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc

kubernetes/code/gitea/values.yaml

@@ -1,5 +1,5 @@
 image:
-    tag: 1.24.3
+    tag: 1.25.3
 ingress:
     enabled: true
     hosts:
@@ -17,10 +17,10 @@ postgresql:
     global:
         postgresql:
             auth:
-                postgressPassword: ENC[AES256_GCM,data:Lqe5Sx1rYyHK6g==,iv:nORpoyPzjAMghIeufPNrUnG7pi0YszOYwaWUdl2IyEc=,tag:cOzImE2HlZhItR7OGoJmgQ==,type:str]
+                postgressPassword: ENC[AES256_GCM,data:wi0/uHE8IGcy+g==,iv:zSKYKgJ5SkGMJnJstUZIESpo03BhDOeG7ZKlZzaSsog=,tag:d5Vye+jdCrLXmv8tAqFSnw==,type:str]
-                password: ENC[AES256_GCM,data:AkUd6d32sjBZig==,iv:IaMaIvyCKQy2lq82HxsEeiLf7j+6+p3rV8jCMRysgTo=,tag:tLK1tim6i1EeK4bJyFptfg==,type:str]
+                password: ENC[AES256_GCM,data:w8x48V/wQlgRPQ==,iv:m1BvWULmBVriSygqIkhkB/91wsAP62HZySy4KgpLJLw=,tag:bw+f0orhIqtfzXozNHuyHQ==,type:str]
                 database: gitea
-                username: ENC[AES256_GCM,data:jVMd2yM=,iv:bKIg47uWcsHZIB9o3LFrppWY/HvNAGRra1gHtt9zOf8=,tag:6872w7HOGAoVy6RhayqwbQ==,type:str]
+                username: ENC[AES256_GCM,data:ES78eak=,iv:9Pw1v/0CyZXoboevc99+jpAs+6INV+KM4HZt1XRFlVU=,tag:Q2n8Amg9tB3f09VwSVebtA==,type:str]
     volumePermissions:
         enabled: true
 postgresql-ha:
@@ -41,8 +41,8 @@ gitea:
     oauth:
         - name: Authentik
           provider: openidConnect
-          key: ENC[AES256_GCM,data:taMkaU5kqwgKbSjPOT345KIE5SICdnjQRzVs6YKGcMGomkUKJRq7Cw==,iv:9UhNZ4jj1Hl4gS5xcBLTTGtlELqvNfGjxB08nRk9Gig=,tag:fRMTXQRyEgs2euN4bj7H+w==,type:str]
+          key: ENC[AES256_GCM,data:3e/XN6dAoE2J6ag5xkRP9LU2FT4rrsWB0DXv6ucksPW9Fkg6ZPwVLg==,iv:toID+fZWmMemwQt6DEZPk97xmdTbujVYUdNYesJykDM=,tag:2MTySscnX/PMruEbJhe4iA==,type:str]
-          secret: ENC[AES256_GCM,data:D/14Oe3iE02HgiQ/dC5pfXHEC8HFoFm8Xp7LAC4kMlj0F2hx/ep516IJrC9J8s2KuutqT9WLRO4Fh6eaLh4M4zOr3rlxiLEq/fnIc5hvDsTxZAyWK7QUHv7d5/zCa8XCib0xxeX180lIR/DUNTv4OrtQBYg/uSUO/8x/Kze83Z0=,iv:X+XWtvYn8w+LUsXk4j1mFdEoRdpEIVMzw6TNGFY5YzQ=,tag:WcQ6MT3mdsxQOsTqA5PZbQ==,type:str]
+          secret: ENC[AES256_GCM,data:8WBfYnDZsBnHm7FkS3cvgo7rIFwfnf9hw71oLdzTjhZkVVYA7nFk7FhhxFtA+WaFfZlhjemcYhhbHCw6zekwaKqNmczto8lbYgbhvDfx2oOUkVk33EbNb/3VTfZbIfsII0lBNanGBP/GsD+TPq535QPLnoTa70cgo5ihzYqJzQA=,iv:+GDXnjLrzKSwHNR3h/TXR1h3ZaVwAG9SdbDOS4CQikc=,tag:NAfSSp7reK5JpMgVLigExA==,type:str]
           autoDiscoverUrl: https://authentik.vhaudiquet.fr/application/o/gitea/.well-known/openid-configuration
     config:
         APP_NAME: Gitea
@@ -69,27 +69,27 @@ gitea:
             ISSUE_INDEXER_TYPE: bleve
             REPO_INDEXER_ENABLED: true
 sops:
-    lastmodified: "2025-12-05T19:41:30Z"
+    lastmodified: "2026-01-03T10:30:06Z"
-    mac: ENC[AES256_GCM,data:vnq6D9k/4JOdkMr4YOJRRZhWjJBakzmtuk50vmTzO5cpkK97sjCZRm4CtCnolmUZxvUgLtENjUKxt3Mr8IWbd+xWQDx+sa/ZEoncK2zxOOJnMsdRtbVY0zeuK2wWgncEFxbudGo2tewBd4qLiwBeIaMgMrhIHluB+iahKgoTqw0=,iv:ENoRWvGBtvfaBbLytmd1gAyeg7L6iyewfTkUYmee8Cg=,tag:IF7Df8OOxH2HAhJeOhW3zA==,type:str]
+    mac: ENC[AES256_GCM,data:cPqxcS0hMiof5YqTTcop9ofH77Teuf6pqp8zInQ9a9rqz7QxjOA88jLBOV/RitirwADebs0E3RnH8z6QdEv62xrOvbBO2BxLFOSnnWQtuAUXSuVxaDLiLiUQIzo53A8mB14jh9i6VfHzlScQg0u4gHzQkQy5ejato80uHqdlIxY=,iv:fKRjCeS8VRauzPCodW2aZhMQlyoqnzc9zsHPBgrOrg8=,tag:z3ZTTaKtU/SmH3skQ+Qsqg==,type:str]
     pgp:
-        - created_at: "2025-12-05T19:41:30Z"
+        - created_at: "2026-01-03T10:30:06Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ//S/uYUC8ZESfaeLPGbat+vWkqyqimnfA5XEeJN/6KPtC6
+            hQIMA7uy4qQr71wiAQ//QE//P/iZi988famrsHGf8+LohKQM31uj8lr+tlwAp2UC
-            sAyQAkzdecJCKqVHo/4MC31ICpzQG1KEUAxnfuPWHaGNY8DDaFAo1H5Ici+Wji6S
+            yZGRcxwCskx4zO2xYgq695vz7ZU+xCgQdcBfZW5SHUEuw+6tL0hMShj6McHXeKdC
-            KP9Ti7NqRhiJ+IeImAPObeqBxi+vnAepCuzac/SWoulyIYT/l90bdYmT71x362pw
+            5tA17ejv6tspMyBxs3jyMFp1YqzrIOBt/E9WMSBi66LVmynxfITT14CJUT8hJCzD
-            QrDGbeiwulHAWAHA7O9/Baob01vlKH6+oGHl2gT5biabMxUVXYZ4s1KZt6W3znq6
+            21/10AeCS9uVUwQLDwqSChtW5JVJ/lKkCfp75/tml53rlVAKJQWuJ2XUW2iIydcU
-            2I1L8nKGZCR2R64diOG06i8Yom57c41cdlOio7m4hoZ13Phuwna7mQrqrGyLtGwj
+            F/Y8yWGCeLiaXxX9as/h1CmUwdkjywHHIFK4YwqudzzQ+oB4z+C0PipJAUibqkpC
-            2N5NvaijoxNtetCOLkZ9eh2IwvO4f4CvN55RWZVg+Kc5kyhtUlr9dCx+wj/DY4rn
+            V+jhIyCpjUDEjzqEOtZH3b9T8TNIpL56ecYOmjF7i+IIMFaBnPzQoIUwP8kGkv0p
-            SYBfAWJUhFC7RfTLhv3qUn5OQmPxt0xrrW7ijJTBX+bb5FZyiH/SztA9o0OJDnwV
+            1HQJaXPYWlchrG/DNwmtyP2wzIdT+N75Lbq/zu6YI7pXkByF2KpsxeMa0pWbnt5+
-            icMlKEiPD4Ip5UxSR8ZRj0lvJkbTf/KJ52dzhklIpiweb1nLG8YUAP2MEu73USS7
+            neDrcyttXmd7VkJEWYa+74lPKoza+Q9zdrG0rzSVpB/oYXcJBtvtC3euoxQA8sSa
-            jgaC4PpBTwNsEclQ8E8/Y7sS2uDeyfwntpYsKSQsvLS6HWjpn3ymWX6sVr7N303q
+            sEnbjnORh9QROwzJ+J+RaIF1JbMOnIqhyeAO6t1ANhJFh+Y+JtAr4am+kCfMdB9k
-            CrWH5NfTe9aETbOdGU/DT3g8Ie51YpIId6fYXPp9SNXW1omAFVS1jrxSWCwyrz+w
+            7q5bRUvBtBtwVbJAjW1LiixrmaqhTaKnUmqoMxjUWuqAdvdPOqFNzIYChBVD/avp
-            frQ6ZYWEU26C+9eY9uqLTNveJ6YSTnbDvL8pS5qf4o04014WSgYJfr+0MkXO/SbS
+            aWs76Wjipm57GOVmL3qjkBufznyAMaf04BdW/lN+BtPr9dAMr7Cd6ttv+WvVUYvS
-            XgGZk59IZXXZ8gzqD93ZFrDAD40DYUqb6nRN8Dupn4zdYAlMxk/V98vKyJ3W9y9r
+            XgEY4RkuRJqrnKpGlfOpng/O9f0MBRat1by8D9/9T858k34plMEts6G0tE0H8GQt
-            28qlvoWagN/To2EP40jc6qTYdKVVS73asEadcG6IZV2A9J7htqiGRvTvQN51oQs=
+            2LwVen6E/6yUCTjpxz+FW5+TMxtBLZppebyNQ5eDrF4a9ZnhtReExpm7gBs9waA=
-            =CQiX
+            =EW1c
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$

kubernetes/tools/dashy/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: dashy
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+secretGenerator:
+  - name: dashy-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/tools/dashy/kustomizeconfig.yaml

@@ -0,0 +1,6 @@
+nameReference:
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease

kubernetes/tools/dashy/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dashy

kubernetes/tools/dashy/release.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: dashy
+  namespace: dashy
+spec:
+  interval: 1m
+  chart:
+    spec:
+      reconcileStrategy: Revision
+      sourceRef:
+        kind: HelmRepository
+        name: dashy
+        namespace: dashy
+      chart: dashy
+      interval: 1m
+  valuesFrom:
+    - kind: Secret
+      name: dashy-values

kubernetes/tools/dashy/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: dashy
+  namespace: dashy
+spec:
+  interval: 1m
+  url: https://ivanwongtf.github.io/nas-helm-charts/

kubernetes/tools/dashy/values.yaml

@@ -0,0 +1,11 @@
+ingress:
+  main:
+    enabled: true
+    hosts:
+        - host: dashy.lan
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+persistence:
+  data:
+    enabled: true