Merge branch 'main' of https://github.com/vhaudiquet/homeprod

* 'main' of https://github.com/vhaudiquet/homeprod:
  build(deps): bump tomsquest/docker-radicale in /docker/personal/radicale

.github/dependabot.yml

@@ -16,6 +16,7 @@ updates:
       - "/docker/infrastructure/network/traefik"
       - "/docker/infrastructure/squid"
       - "/docker/infrastructure/sshportal"
+      - "/docker/personal/fireshare"
       - "/docker/personal/gramps"
       - "/docker/personal/media/films-series/jackett"
       - "/docker/personal/media/films-series/jellyfin"
@@ -52,6 +53,7 @@ updates:
       - "/kubernetes/personal/photoprism"
       - "/kubernetes/production/umami"
       - "/kubernetes/system/blocky"
+      - "/kubernetes/system/caddy"
       - "/kubernetes/system/coredns"
       - "/kubernetes/system/csi-driver-nfs"
       - "/kubernetes/system/external-dns"

.sops.yaml

@@ -3,7 +3,7 @@ creation_rules:
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
     pgp: DC6910268E657FF70BA7EC289974494E76938DDC
   - path_regex: .*.yaml
-    encrypted_regex: ^(data|stringData)$
+    encrypted_regex: ^(data|stringData|.*.key|.*.crt)$
     pgp: DC6910268E657FF70BA7EC289974494E76938DDC
   - path_regex: .*.env$
     input_type: dotenv

.swarmcd/stacks.yaml

@@ -53,6 +53,13 @@ sshportal:
   branch: main
   compose_file: docker/infrastructure/sshportal/docker-compose.yml
 
+fireshare:
+  repo: homeprod
+  branch: main
+  compose_file: docker/personal/fireshare/docker-compose.yml
+  sops_files:
+    - docker/personal/fireshare/.env
+
 gramps:
   repo: homeprod
   branch: main

dns/production/vhaudiquet.fr.yaml

@@ -355,6 +355,13 @@ canada:
   ttl: 300
   type: A
   value: 192.99.6.159
+clips:
+  octodns:
+    cloudflare:
+      auto-ttl: true
+  ttl: 300
+  type: A
+  value: 83.113.30.49
 flix:
   octodns:
     cloudflare:

docker/home/esphome/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   esphome:
-    image: ghcr.io/esphome/esphome:2026.4.3
+    image: ghcr.io/esphome/esphome:2026.4.5
     ports:
       - "6052"
     networks:

docker/home/n8n/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   n8n:
-    image: docker.n8n.io/n8nio/n8n:2.18.4
+    image: docker.n8n.io/n8nio/n8n:2.19.5
     environment:
       - TZ=Europe/Paris
       - N8N_SECURE_COOKIE=false

docker/infrastructure/mail/stalwart/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   stalwart:
-    image: stalwartlabs/stalwart:v0.16.3
+    image: stalwartlabs/stalwart:v0.16.4
     container_name: stalwart
     networks:
       - default

docker/infrastructure/network/traefik/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   traefik:
-    image: traefik:3.6
+    image: traefik:v3.7
     command: 
       - "--configFile=/etc/traefik/traefik.yml"
     ports:

docker/personal/fireshare/.env

@@ -0,0 +1,11 @@
+ADMIN_USERNAME=ENC[AES256_GCM,data:8ngfC8VHpaaGCQ==,iv:Ze7ThfWmAWj0ZvV3A7Pd+aqAW/pahkTZhdFC/TnAwZ0=,tag:KCFdGV1dEw3e+q6FBgy2cw==,type:str]
+ADMIN_PASSWORD=ENC[AES256_GCM,data:UhxEMnqYDyfgffqUf3Q=,iv:VvNX867P+w20Y7laG0R0c4BUw1uICeyF5SU3+waosRE=,tag:JL4GC+UZY3TqSmCq14CTpg==,type:str]
+SECRET_KEY=ENC[AES256_GCM,data:uahYXYr4DvavNMTTdcDA0hdp5wj3OLret3fPF1DEc2lis+E7/fe45DWFuhUu8RAK76tuheA=,iv:Lofc+PP7Rtg99l36yOx6bt0i8hg1DJXzwSKQNJCRYPw=,tag:AiUGZOiLyjKItf++Gya+eA==,type:str]
+DOMAIN=ENC[AES256_GCM,data:LyJ7RAgrioTltNQ/BKoPbEN8XQ==,iv:IHrT5TkaXuIhkfN/nHcapz4CNBG0t9lbzrHDjp04JLw=,tag:gjSa/tSVEqk6pXrfhjs7gQ==,type:str]
+sops_lastmodified=2026-05-06T17:05:48Z
+sops_mac=ENC[AES256_GCM,data:wRtDnVQkNsc1MtxSpbuVDuACkCwunYeyYSaQX2Tglm2kwOnx9iCyhuWY6RMYu5nfyJ1CT1kfqeGrGxhJ5uMDee29eLUv844X3hIXwpMT50jHFXEtfKLfRMfqpv9r9mbp2EP9VNDUtPyIwDk5vSjGeaYqEWtHW/q5y9qIrzqqy5g=,iv:UG4XGi3Qo8/nAddY+rzJm1AKIAmJjtR+2bDqSeaVxG4=,tag:SL2rvrxFmMfgyUyMqFIZEQ==,type:str]
+sops_pgp__list_0__map_created_at=2026-05-06T17:05:48Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//b6zlRVKrqzzszBJmnOUlfeZd5m2ekYv/zIBr4oxHyn5L\neLLff+N7hjBVSajg9Qg7GBQv7s3DX70vHTpdUP38UEO1aM0l3eU1JCwA4Hdh7Ds5\nnq330vUKhIAd+K8Vv4Ei9YHpj+kgMnt+R780qZUg18D39TAnx36q9b5SKzZCUsks\n3YM+G8pHLRipZhxp6zwhOPHVSnImOFjty4d6JV6Zes9zfslaETgva7p5DIKP0ttf\nI2JRacvL75MMp1USyqGKt7Bpl6Yz4VxY49aea+FxDlbzCVLuBBgZMoEjhPQifQfh\nB6OObmu1cVhECidrMHmqDBNqgKsNLble+g3Le+gJdn/zKxVc+q+cPPuk/JdT8tfv\nZTei6jg66IREZOrZCP3Gt4OB5LbkLdS0NET2CMVAYkGQvGrSC+diwUnFkI+WEh+p\noZhvgp/ytBgaw6ZyNPmvkGkFeFg1/ISpOHkVQ+P6Pnot8h4HvuI/KcBwJRCrtdbg\n+XMpqeQdmCnM04v5Uq1NVqRWHD0yvd7GHDOZCqJPMFHP0M6R+SwHq+8+pgbO3jxt\n+426MvhNKw8xWMtnUIO8sSSkzgOfT6vFXmzQvIawbXvitjGjiElkpmT5Hz3hn1Bm\nnu8CivqLwL4Gs1Uc2m6qHGkvGqxWwcHABWqftAk3VfhmjcFDwAyWROlCuD+A15PS\nXgE1wn9jLesXaiCwzAp4AOstkk0fR2yio4fa9dCeenzuedULNLuCyJfYtSm4QlSU\nvffH4iL8X/R24s6SdPsCIuNnAeKc0P4E55AlOaeZN4HcZzfspVikAZx+bK14JS8=\n=KGp6\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.10.2

docker/personal/fireshare/docker-compose.yml

@@ -0,0 +1,58 @@
+services:
+  fireshare:
+    container_name: fireshare
+    image: shaneisrael/fireshare:1.6.10-lite
+    ports:
+      - "80"
+    volumes:
+      - data:/data
+      - processed:/processed
+      - video:/videos
+      - images:/images
+    env_file:
+      - .env
+    environment:
+      # PUID/PGID: the user/group ID the container runs as. Files written to your
+      # volumes (data, processed, videos, images) will be owned by this user. Set these to
+      # match the owner of your host directories to avoid permission errors.
+      # Run `id` on your host to find your UID and GID.
+      - PUID=1000
+      - PGID=1000
+    networks:
+      - default
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.fireshare.rule=Host(`clips.vhaudiquet.fr`)"
+      - "traefik.http.services.fireshare.loadbalancer.server.port=80"
+
+volumes:
+  data:
+    driver: local
+    driver_opts:
+      type: 'none'
+      o: 'bind'
+      device: '/app/fireshare/data'
+  processed:
+    driver: local
+    driver_opts:
+      type: 'none'
+      o: 'bind'
+      device: '/app/fireshare/processed'
+  video:
+    driver: local
+    driver_opts:
+      type: 'none'
+      o: 'bind'
+      device: '/app/fireshare/video'
+  images:
+    driver: local
+    driver_opts:
+      type: 'none'
+      o: 'bind'
+      device: '/app/fireshare/images'
+
+networks:
+  proxy:
+    external: true
+    name: proxy

docker/personal/gramps/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   grampsweb:
     container_name: grampsweb
-    image: ghcr.io/gramps-project/grampsweb:26.4.3
+    image: ghcr.io/gramps-project/grampsweb:26.5.0
     restart: always
     networks:
       - default
@@ -31,7 +31,7 @@ services:
 
   grampsweb_celery:
     container_name: grampsweb_celery
-    image: ghcr.io/gramps-project/grampsweb:26.4.3
+    image: ghcr.io/gramps-project/grampsweb:26.5.0
     restart: always
     environment:
       - GRAMPSWEB_TREE="Gramps Web"  # will create a new tree if not exists
@@ -52,7 +52,7 @@ services:
     command: celery -A gramps_webapi.celery worker --loglevel=INFO --concurrency=2
 
   grampsweb_redis:
-    image: docker.io/library/redis:8.6.2-alpine
+    image: docker.io/library/redis:8.6.3-alpine
     container_name: grampsweb_redis
     restart: always
 

docker/personal/media/films-series/jackett/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   jackett:
     container_name: jackett
-    image: ghcr.io/hotio/jackett:release-v0.24.1813
+    image: ghcr.io/hotio/jackett:release-v0.24.1822
     ports:
       - "9117"
     networks:

docker/personal/media/films-series/jellyfin/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   jellyfin:
-    image: jellyfin/jellyfin:2026042706
+    image: jellyfin/jellyfin:2026050514
     container_name: jellyfin
     networks:
       - default

docker/personal/radicale/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   radicale:
-    image: tomsquest/docker-radicale:3.7.1.0
+    image: tomsquest/docker-radicale:3.7.2.0
     container_name: radicale
     ports:
       - 5232

infra/r740/proxmox/ai.tf

@@ -47,7 +47,9 @@ resource "proxmox_virtual_environment_file" "ai-cloud-config" {
 resource "proxmox_virtual_environment_vm" "ai" {
   name = "ai-${var.proxmox_node_name}"
   node_name = var.proxmox_node_name
-  on_boot = true
+  
+  on_boot = false
+  started = false
 
   agent {
     enabled = true

infra/r740/proxmox/docker.tf

@@ -61,7 +61,7 @@ resource "proxmox_virtual_environment_vm" "docker-machine" {
   }
 
   memory {
-    floating = 22222
+    floating = 32000
     dedicated = 38768
   }
 

infra/r740/proxmox/kube.tf

@@ -29,7 +29,7 @@ resource "proxmox_virtual_environment_vm" "kube" {
 
   memory {
     dedicated = 32768
-    floating = 16192
+    floating = 22222
   }
 
   boot_order = ["scsi0", "ide0"]
@@ -89,6 +89,12 @@ resource "proxmox_virtual_environment_vm" "kube" {
     vlan_id = 2
   }
 
+  network_device {
+    bridge = "vmbr0"
+    model = "virtio"
+    vlan_id = 2
+  }
+
   operating_system {
     type = "l26"
   }

kubernetes/system/caddy/caddyfile.yaml

@@ -0,0 +1,93 @@
+# Caddy Routes - External ConfigMap
+# This file contains all route definitions, imported by the main Caddyfile.
+# Edit this file to add/modify routes.
+#
+# Certificate files are mounted from the caddy-certificates Secret
+# at /etc/caddy/certs/
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: caddy-routes
+  namespace: caddy
+  labels:
+    app.kubernetes.io/name: caddy
+    app.kubernetes.io/component: routes
+data:
+  Caddyfile: |
+    vhaudiquet.fr {
+      tls /etc/caddy/certs/vhaudiquet-fr.crt /etc/caddy/certs/vhaudiquet-fr.key
+      reverse_proxy 10.1.2.212:80
+    }
+
+    *.vhaudiquet.fr {
+        tls /etc/caddy/certs/wildcard-vhaudiquet-fr.crt /etc/caddy/certs/wildcard-vhaudiquet-fr.key
+
+        # Kubernetes services (via Traefik)
+        @authentik   host authentik.vhaudiquet.fr
+
+        @auth-nook   host auth-nook.vhaudiquet.fr
+        @nook-mg     host n.vhaudiquet.fr
+        @nook        host nook.vhaudiquet.fr
+        @sse-nook    host sse-nook.vhaudiquet.fr
+
+        @gitea       host git.vhaudiquet.fr
+
+        @flux-wh     host flux-webhook.vhaudiquet.fr
+
+        @umami       host umami.vhaudiquet.fr
+
+        handle @authentik {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @auth-nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @nook-mg {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @sse-nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @gitea {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @flux-wh {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @umami {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+
+        # Docker VM services (via Traefik)
+        @alexscript     host alexscript.vhaudiquet.fr
+        @clips          host clips.vhaudiquet.fr
+        @jellyfin       host flix.vhaudiquet.fr
+        @mail           host mail.vhaudiquet.fr
+
+        handle @alexscript {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @clips {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @jellyfin {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @mail {
+            reverse_proxy 10.1.2.212:80
+        }
+    }
+
+    semery.fr {
+      tls /etc/caddy/certs/semery-fr.crt /etc/caddy/certs/semery-fr.key
+      reverse_proxy 10.1.2.212:80
+    }
+
+    buildpath.win {
+      tls /etc/caddy/certs/buildpath-win.crt /etc/caddy/certs/buildpath-win.key
+      reverse_proxy 10.1.2.212:80
+    }

kubernetes/system/caddy/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: caddy
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - certificates-secret.yaml
+  - caddyfile.yaml
+secretGenerator:
+  - name: caddy-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/system/caddy/kustomizeconfig.yaml

@@ -0,0 +1,6 @@
+nameReference:
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease

kubernetes/system/caddy/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: caddy
+  labels:
+    app.kubernetes.io/name: caddy
+    app.kubernetes.io/component: edge-proxy

kubernetes/system/caddy/release.yaml

@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: caddy
+  namespace: caddy
+spec:
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: caddy
+        namespace: caddy
+      chart: caddy
+      interval: 1m
+      version: "0.7.1"
+  valuesFrom:
+    - kind: Secret
+      name: caddy-values
+  # Patch the Service to add loadBalancerIP since the chart doesn't support it
+  postRenderers:
+    - kustomize:
+        patches:
+          - target:
+              kind: Service
+              name: caddy
+            patch: |
+              - op: add
+                path: /spec/loadBalancerIP
+                value: "10.1.2.152"

kubernetes/system/caddy/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: caddy
+  namespace: caddy
+spec:
+  interval: 1m
+  url: https://charts.alekc.dev/

kubernetes/system/caddy/values.yaml

@@ -0,0 +1,99 @@
+# Caddy Edge Proxy
+replicaCount: 2
+# Listen on standard HTTP port
+listenPort: 80
+# Enable HTTPS
+https:
+    enabled: true
+    port: 443
+image:
+    repository: caddy
+    pullPolicy: IfNotPresent
+    tagSuffix: ""
+    tag: 2.11.2
+service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+# Disable ingress - Caddy IS the edge proxy
+ingress:
+    enabled: false
+resources:
+    requests:
+        cpu: 100m
+        memory: 128Mi
+    limits:
+        cpu: 500m
+        memory: 256Mi
+# Caddy needs root to bind to ports 80/443 and write runtime data
+# Using restrictive security context causes "operation not permitted"
+podSecurityContext: {}
+securityContext: {}
+health:
+    path: /
+    port: 9999
+# Extra volumes: certificates + external routes ConfigMap
+volumes:
+    - name: certificates
+      secret:
+        secretName: ENC[AES256_GCM,data:Er1F+5xhWKUT43+7jU/pwxWP,iv:Ohc3jFIQ4Enmbhd0F44SYWJiHlj1oFOrMdtM4oYKQEU=,tag:Kk8Y8aFSKMyGmY/uRVvyLw==,type:str]
+        optional: ENC[AES256_GCM,data:JdlpGQ==,iv:xaoqonC9cGHXizHuAFrjhC4ZEtZ2IICeg2hxvGjyFM4=,tag:JYmlIXgIMON7z4++FrBGKQ==,type:bool]
+    - name: routes
+      configMap:
+        name: caddy-routes
+# Extra volume mounts
+volumeMounts:
+    - name: certificates
+      mountPath: /etc/caddy/certs
+      readOnly: true
+    - name: routes
+      mountPath: /etc/caddy/routes
+      readOnly: true
+# Caddy configuration
+config:
+    debug: false
+    # Global options (goes inside the global {} block)
+    global: |
+        auto_https off
+    # The main Caddyfile content - imports routes from external ConfigMap
+    # This keeps routes in a separate, easily editable file
+    caddyFile: |
+        :80 {
+            redir https://{host}{uri} permanent
+        }
+
+        import /etc/caddy/routes/Caddyfile
+affinity:
+    podAntiAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                    matchLabels:
+                        app.kubernetes.io/name: caddy
+                topologyKey: kubernetes.io/hostname
+sops:
+    lastmodified: "2026-05-08T11:43:14Z"
+    mac: ENC[AES256_GCM,data:K0HWw8yTPKy6e3aQV4SdiVwrCjiyCFlFbeycAiyJq4IdlKX9v4wFvjVFLR8VziH8oXJXdUUhr+LOiqNI5HwghXkVn2dOP2ij9jvXZtMic4P0AUN16PfWoedu9ozA+xsGHZ1OTUv+sxvKEUo5Z5Wp+u761w/Xqdn5hHmU2Komatk=,iv:ICwn/LvizIjXVfgiMje50dQ11JAH37wSla29bGAnjuA=,tag:mV7rtahUy4ODZaA7baM12w==,type:str]
+    pgp:
+        - created_at: "2026-05-08T11:43:13Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiAQ//aGnCSLLWTkhToTh833OJ1GwgN82F8R+RgsfpKIW+XNvI
+            YdTCgaFrYdCGXsaLHijb7vVwCU0VRf/ufZfQp2+GupqRHCbMLSmlkoiyr9ImGlYX
+            VWQDajv74H/3CcyCQNjqfFRdUHLE+rfNuYaH/p3+/Ee2bgJi52f3uRdJ4lXSCWIf
+            KW9lLbwjlfGnOnsnDkaPwcZW9QL353Mi82yXOu7OihobUaVgr83nESXbAS/k4mx1
+            whOXAoEDeLQZfZrITEewOQ0PHjWJwKc0x2YCiQ0If33GSfDjzWPoDuXmQo/xhk98
+            Nt3aNTMDvjriGNOIcZyUlEjq1HqCmd3pQSD5h8soR9Do/NsTocyK1da49iz91dha
+            jwoEga2iFis9Zd9rr7Caf3pWtmKENUGFJl15tpaelvk13jUebSyDubw0OIYbbILr
+            dVZAeiOHrRMD5crxG05zvOeLMASuL/IrK97RLBAonZLEkRrfgAwZHK2U0rq2HXpI
+            wlp4yDlF/eILvmMgAruP7lW0q/m5+DfxQtcZdamtm3FWj9m0iUAthvw02fplmFci
+            xJ82rkfkPAZSm7/yPJ9yiea+tKgX8yk1uArRtf8rsG6SED2lCRKmux8ElcZc5DYV
+            hyLivTN7X5Nr05mvaPIptCVm1iYoWaiQNZcPDax/LBZJhNaJgPUz1ue1Ppf422PS
+            XgE4dh3x1ulcUhXm4nK/0FzKmJUOjcygPeGWmia0ZOEHub/ju+z8LgRAkBasqRXP
+            4aepPm5xVY0g/Z0xksxIWpYUnLRzs0uUKd+zz1MvmWlZckxUO5wWJUWRcwCBDz4=
+            =Ql2K
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2

kubernetes/system/cilium/pool.yaml

@@ -6,3 +6,4 @@ spec:
   blocks:
   - cidr: "10.1.2.171/32"
   - cidr: "10.1.2.148/32"
+  - cidr: "10.1.2.152/32"