build(deps): bump caddy in /kubernetes/system/caddy

Bumps caddy from 2.11.2 to 2.11.4.

---
updated-dependencies:
- dependency-name: caddy
  dependency-version: 2.11.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -54,6 +54,7 @@ updates:
       - "/kubernetes/production/vhaudiquet-fr"
       - "/kubernetes/system/blocky"
       - "/kubernetes/system/caddy"
+      - "/kubernetes/system/cert-manager"
       - "/kubernetes/system/coredns"
       - "/kubernetes/system/csi-driver-nfs"
       - "/kubernetes/system/external-dns"

.pre-commit-config.yaml

@@ -16,3 +16,8 @@ repos:
         entry: generate-docker-swarmcd.sh
         language: script
         pass_filenames: false
+      - id: validate-kustomize
+        name: validate kustomize build
+        entry: bash -c 'kubectl kustomize kubernetes/ > /dev/null'
+        language: system
+        pass_filenames: false

README.md

@@ -7,17 +7,17 @@ Personal home production environment mono-repo
 
 ### Hardware and operating systems
 
-<img align="left" width="100" src="https://vhaudiquet.fr/public/github_assets/homeprod/p330_sff.png"/>
+#### Dell R740
-
-#### Lenovo ThinkStation P330 SFF
 
 Specifications :
 ```
-Intel Xeon E-2134 @ 3.50GHz (4 cores, 8 threads)
+2* Intel Xeon Gold 6138 @ 2GHz (20 cores, 40 threads)
-64 GiB DDR4 ECC RAM
+144 GiB DDR4 ECC RAM
-1 TiB nVME SSD
+2* 2 TiB SAS SSD (mirror)
-Intel X520-DA2 SFP+ 10Gbps network card
+10Gbps 4* RJ45 network card
-nVIDIA Quadro P620 graphics card
+H730P, 16* SFF 2.5 drive bays
+SAS9300-8E external SAS card
+NVIDIA RTX 3060 12G graphics card
 ```
 
 Running as single-node Proxmox

docker/home/esphome/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   esphome:
-    image: ghcr.io/esphome/esphome:2026.4.5
+    image: ghcr.io/esphome/esphome:2026.5.3
     ports:
       - "6052"
     networks:

docker/home/mosquitto-mqtt/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   mosquitto:
-    image: eclipse-mosquitto
+    image: eclipse-mosquitto:2.0.22
     container_name: mosquitto
     restart: unless-stopped
     ports:

docker/home/n8n/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   n8n:
-    image: docker.n8n.io/n8nio/n8n:2.21.2
+    image: docker.n8n.io/n8nio/n8n:2.25.6
     environment:
       - TZ=Europe/Paris
       - N8N_SECURE_COOKIE=false

docker/home/zigbee2mqtt/docker-compose.yml

@@ -2,7 +2,7 @@ services:
   zigbee2mqtt:
     container_name: zigbee2mqtt
     restart: unless-stopped
-    image: koenkk/zigbee2mqtt:2.9.2
+    image: koenkk/zigbee2mqtt:2.12.0
     networks:
       - default
       - proxy

docker/infrastructure/mail/roundcube/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   roundcube:
-    image: roundcube/roundcubemail:1.6.15-apache
+    image: roundcube/roundcubemail:1.7.1-apache
     container_name: roundcube
     networks:
       - default

docker/infrastructure/mail/stalwart/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   stalwart:
-    image: stalwartlabs/stalwart:v0.16.5
+    image: stalwartlabs/stalwart:v0.16.8
     container_name: stalwart
     networks:
       - default

docker/personal/fireshare/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   fireshare:
     container_name: fireshare
-    image: shaneisrael/fireshare:1.6.10-lite
+    image: shaneisrael/fireshare:1.6.16-lite
     ports:
       - "80"
     volumes:

docker/personal/gramps/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   grampsweb:
     container_name: grampsweb
-    image: ghcr.io/gramps-project/grampsweb:26.5.1
+    image: ghcr.io/gramps-project/grampsweb:26.6.0
     restart: always
     networks:
       - default
@@ -31,7 +31,7 @@ services:
 
   grampsweb_celery:
     container_name: grampsweb_celery
-    image: ghcr.io/gramps-project/grampsweb:26.5.1
+    image: ghcr.io/gramps-project/grampsweb:26.6.0
     restart: always
     environment:
       - GRAMPSWEB_TREE="Gramps Web"  # will create a new tree if not exists
@@ -52,7 +52,7 @@ services:
     command: celery -A gramps_webapi.celery worker --loglevel=INFO --concurrency=2
 
   grampsweb_redis:
-    image: docker.io/library/redis:8.6.3-alpine
+    image: docker.io/library/redis:8.8.0-alpine
     container_name: grampsweb_redis
     restart: always
 

docker/personal/media/films-series/jackett/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   jackett:
     container_name: jackett
-    image: ghcr.io/hotio/jackett:release-v0.24.1846
+    image: ghcr.io/hotio/jackett:release-v0.24.2040
     ports:
       - "9117"
     networks:

docker/personal/media/films-series/jellyfin/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   jellyfin:
-    image: jellyfin/jellyfin:2026051106
+    image: jellyfin/jellyfin:2026060919
     container_name: jellyfin
     networks:
       - default

docker/personal/media/music/navidrome/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   navidrome:
-    image: deluan/navidrome:0.61.2
+    image: deluan/navidrome:0.62.0
     user: 1000:1000 # should be owner of volumes
     ports:
       - "4533"

docker/personal/radicale/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   radicale:
-    image: tomsquest/docker-radicale:3.7.2.0
+    image: tomsquest/docker-radicale:3.7.3.0
     container_name: radicale
     ports:
       - 5232

docker/production/buildpath/docker-compose.yml

@@ -10,7 +10,7 @@ services:
     env_file: .env
 
   match_collector:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:0224b7812c8631bde3e9513adace64341152fc20
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:f2827f85eb71942bbe905b5d83fefaddc3df8e7d
     build: ./match_collector
     volumes:
       - bpcdragon_cache:/cdragon
@@ -23,7 +23,7 @@ services:
     env_file: .env
 
   frontend:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:0224b7812c8631bde3e9513adace64341152fc20
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:f2827f85eb71942bbe905b5d83fefaddc3df8e7d
     build: ./frontend
     restart: always
     volumes:

docker/tools/obsidian-livesync/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   couchdb:
-    image: couchdb:3.5.1
+    image: couchdb:3.5.2
     container_name: couchdb
     env_file: .env
     volumes:

infra/pve/docker.tf

@@ -1,137 +0,0 @@
-/* 
-* Docker machine terraform file
-*/
-
-resource "proxmox_virtual_environment_download_file" "debian-latest-cloudimg" {
-  content_type = "iso"
-  datastore_id = "local"
-  file_name = "debian-12-generic-amd64.qcow2.img"
-  node_name = "pve"
-  url = "https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-generic-amd64.qcow2"
-}
-
-resource "proxmox_virtual_environment_file" "docker-machine-cloud-config" {
-  content_type = "snippets"
-  datastore_id = "local"
-  node_name    = "pve"
-
-  source_raw {
-    data = <<-EOF
-    #cloud-config
-    package_update: true
-    packages:
-      - git
-      - ca-certificates
-      - wget
-      - curl
-      - gnupg2
-      - qemu-guest-agent
-      - nfs-common
-    runcmd:
-      - systemctl enable --now qemu-guest-agent
-      - install -m 0755 -d /etc/apt/keyrings
-      - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
-      - chmod a+r /etc/apt/keyrings/docker.asc
-      - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-      - apt-get update
-      - apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-      - docker swarm init
-      - git clone https://github.com/vhaudiquet/homeprod /root/homeprod
-      - mkdir /app
-      - echo "truenas.lan:/mnt/fast_app_data/docker-homeprod      /app     nfs     defaults,_netdev    0 0" >>/etc/fstab
-      - mount -t nfs truenas.lan:/mnt/fast_app_data/docker-homeprod /app
-      - echo "${var.sops_private_key}" | gpg --import
-    EOF
-    file_name = "docker-machine-cloud-config.yaml"
-  }
-}
-
-resource "proxmox_virtual_environment_vm" "docker-machine" {
-  name = "docker-machine"
-  node_name = "pve"
-  on_boot = true
-
-  agent {
-    enabled = true
-  }
-
-  tags = ["debian", "debian-latest", "docker", "terraform"]
-
-  cpu {
-    type = "host"
-    cores = 4
-    sockets = 1
-    flags = []
-  }
-
-  memory {
-    dedicated = 16192
-  }
-
-  network_device {
-    bridge = "vmbr0"
-    model = "virtio"
-    vlan_id = 2
-  }
-
-  lifecycle {
-    ignore_changes = [
-      network_interface_names,
-      mac_addresses,
-      ipv4_addresses,
-      ipv6_addresses,
-      id,
-      disk,
-      initialization,
-      vga
-    ]
-  }
-
-  boot_order = ["scsi0"]
-  scsi_hardware = "virtio-scsi-single"
-
-  vga {
-    type = "serial0"
-  }
-
-  disk {
-    interface = "scsi0"
-    iothread = true
-    datastore_id = "local-lvm"
-    size = 128
-    discard = "ignore"
-    file_id = proxmox_virtual_environment_download_file.debian-latest-cloudimg.id
-  }
-
-  vm_id = 701
-
-  initialization {
-    datastore_id = "local-lvm"
-    interface = "ide2"
-    
-    ip_config {
-      ipv4 {
-        address = "10.1.2.175/24"
-        gateway = "10.1.2.1"
-      }
-    }
-
-    user_account {
-      keys = [trimspace(var.ssh_public_key)]
-      password = var.machine_root_password
-      username = "root"
-    }
-
-    vendor_data_file_id = proxmox_virtual_environment_file.docker-machine-cloud-config.id
-  }
-
-  operating_system {
-    type = "l26"
-  }
-
-  tpm_state {
-    version = "v2.0"
-  }
-
-  serial_device {}
-}

infra/pve/docker/main.tf

@@ -1,39 +0,0 @@
-terraform {
-  required_providers {
-    docker = {
-      source  = "kreuzwerker/docker"
-      version = "3.6.2"
-    }
-  }
-}
-
-# Docker configuration
-provider "docker" {
-  host = "ssh://root@docker-machine.lan"
-}
-
-resource "docker_image" "swarm-cd" {
-  name = "ghcr.io/m-adawi/swarm-cd:latest"
-}
-
-resource "docker_container" "swarm-cd" {
-  name  = "swarm-cd"
-  image = docker_image.swarm-cd.image_id
-  volumes {
-      host_path = "/var/run/docker.sock"
-      container_path = "/var/run/docker.sock"
-      read_only = true
-  }
-  volumes {
-    host_path = "/root/homeprod/.swarmcd/repos.yaml"
-    container_path = "/app/repos.yaml"
-    read_only = true
-  }
-  volumes {
-    host_path = "/root/homeprod/.swarmcd/stacks.yaml"
-    container_path = "/app/stacks.yaml"
-    read_only = true
-  }
-
-  depends_on = [ docker_image.swarm-cd ]
-}

infra/pve/kube.tf

@@ -1,381 +0,0 @@
-/* 
-* Kubernetes cluster terraform file
-*/
-
-resource "proxmox_virtual_environment_download_file" "talos-cloudimg" {
-  content_type = "iso"
-  datastore_id = "local"
-  file_name = "talos-v1.11.1-nocloud-amd64.iso"
-  node_name = "pve"
-  url = "https://factory.talos.dev/image/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515/v1.11.1/nocloud-amd64.iso"
-}
-
-resource "proxmox_virtual_environment_vm" "kube" {
-  name = "kube-talos"
-  description = "Kubernetes Talos Linux"
-  tags = ["kubernetes", "talos", "terraform"]
-
-  node_name = "pve"
-  vm_id = 703
-  machine = "q35"
-  keyboard_layout = "fr"
-
-  agent {
-    enabled = true
-  }
-  stop_on_destroy = true
-
-  cpu {
-    cores = 4
-    type = "x86-64-v3"
-  }
-
-  memory {
-    dedicated = 16192
-    floating = 16192
-  }
-
-  boot_order = ["scsi0", "ide0"]
-  scsi_hardware = "virtio-scsi-single"
-
-  cdrom {
-    file_id = proxmox_virtual_environment_download_file.talos-cloudimg.id
-    interface = "ide0"
-  }
-
-  disk {
-    interface = "scsi0"
-    iothread = true
-    datastore_id = "local-lvm"
-    size = 128
-    discard = "ignore"
-    file_format = "raw"
-  }
-
-  vga {
-    type = "serial0"
-  }
-
-  initialization {
-    datastore_id = "local-lvm"
-    interface = "ide2"
-
-    ip_config {
-      ipv4 {
-        address = "10.1.2.187/24"
-        gateway = "10.1.2.1"
-      }
-    }
-
-    user_account {
-      keys = [trimspace(var.ssh_public_key)]
-      password = var.machine_root_password
-      username = "root"
-    }
-  }
-
-  lifecycle {
-    ignore_changes = [ 
-      ipv4_addresses, ipv6_addresses, network_interface_names
-     ]
-  }
-
-  network_device {
-    bridge = "vmbr0"
-    model = "virtio"
-    vlan_id = 2
-  }
-
-  operating_system {
-    type = "l26"
-  }
-
-  tpm_state {
-    version = "v2.0"
-  }
-
-  serial_device {}
-}
-
-resource "talos_machine_secrets" "kube" {}
-
-data "talos_machine_configuration" "kube" {
-  cluster_name = "kube"
-  machine_type = "controlplane"
-  cluster_endpoint = "https://kube-talos.lan:6443"
-  machine_secrets = talos_machine_secrets.kube.machine_secrets
-  config_patches = [
-    yamlencode({
-      machine = {
-        install = {
-          image = "factory.talos.dev/installer/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v1.11.1"
-        }
-        network = {
-          nameservers = [
-            "10.1.2.3"
-          ]
-        }
-      }
-      cluster = {
-        allowSchedulingOnControlPlanes = true
-        apiServer = {
-          certSANs = [
-            "kube-talos.lan"
-          ]
-        }
-        network = {
-          dnsDomain = "kube-talos.lan"
-          cni = {
-            name: "none"
-          }
-        }
-        proxy = {
-          disabled = true
-        }
-      }
-    })
-  ]
-}
-
-data "talos_client_configuration" "kube" {
-  cluster_name = "kube"
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  nodes = ["kube-talos"]
-}
-
-resource "talos_machine_configuration_apply" "kube" {
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  machine_configuration_input = data.talos_machine_configuration.kube.machine_configuration
-  node = "10.1.2.187" #proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
-  depends_on = [ proxmox_virtual_environment_vm.kube ]
-  lifecycle {
-    replace_triggered_by = [ proxmox_virtual_environment_vm.kube ]
-  }
-}
-
-resource "talos_machine_bootstrap" "kube" {
-  node = "10.1.2.187" #proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  depends_on = [ talos_machine_configuration_apply.kube ]
-  lifecycle {
-    replace_triggered_by = [ proxmox_virtual_environment_vm.kube ]
-  }
-}
-
-resource "talos_cluster_kubeconfig" "kube" {
-  node = proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
-  depends_on = [ talos_machine_bootstrap.kube ]
-  client_configuration = talos_machine_secrets.kube.client_configuration
-}
-
-output "kubeconfig" {
-  sensitive = true
-  value = talos_cluster_kubeconfig.kube.kubeconfig_raw
-}
-
-resource "local_file" "kubeconfig" {
-    content     = "${talos_cluster_kubeconfig.kube.kubeconfig_raw}"
-    filename = "${path.module}/kubeconfig"
-    depends_on = [ talos_cluster_kubeconfig.kube ]
-}
-
-data "talos_client_configuration" "talosconfig" {
-  cluster_name = "homeprod"
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  nodes = [proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0]]
-}
-
-resource "local_file" "talosconfig" {
-    content     = "${data.talos_client_configuration.talosconfig.talos_config}"
-    filename = "${path.module}/talosconfig"
-    depends_on = [ data.talos_client_configuration.talosconfig ]
-}
-
-# TODO : Wait for talos_cluster_kubeconfig...
-resource "helm_release" "cilium" {
-  name = "cilium"
-  namespace = "kube-system"
-  repository = "https://helm.cilium.io/"
-  chart = "cilium"
-  wait = false
-  depends_on = [ local_file.kubeconfig ]
-
-  set {
-    name = "ipam.mode"
-    value = "kubernetes"
-  }
-  set {
-    name = "kubeProxyReplacement"
-    value = true
-  }
-  set {
-    name = "securityContext.capabilities.ciliumAgent"
-    value = "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
-  }
-  set {
-    name = "securityContext.capabilities.cleanCiliumState"
-    value = "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
-  }
-  set {
-    name = "cgroup.autoMount.enabled"
-    value = false
-  }
-  set {
-    name = "cgroup.hostRoot"
-    value = "/sys/fs/cgroup"
-  }
-  set {
-    name = "k8sServiceHost"
-    value = "localhost"
-  }
-  set {
-    name = "k8sServicePort"
-    value = 7445
-  }
-  set {
-    name = "etcd.clusterDomain"
-    value = "kube-talos.lan"
-  }
-  set {
-    name = "hubble.relay.enabled"
-    value = true
-  }
-  # Enable hubble ui
-  set {
-    name = "hubble.ui.enabled"
-    value = true
-  }
-  # Gateway API support
-  set {
-    name = "gatewayAPI.enabled"
-    value = true
-  }
-  set {
-    name = "gatewayAPI.enableAlpn"
-    value = true
-  }
-  set {
-    name = "gatewayAPI.enableAppProtocol"
-    value = true
-  }
-  # Gateway API trusted hops : for reverse proxy
-  set {
-    name = "gatewayAPI.xffNumTrustedHops"
-    value = 1
-  }
-  # Single-node cluster, so 1 operator only
-  set {
-    name = "operator.replicas"
-    value = 1
-  }
-  # L2 announcements
-  set {
-    name = "l2announcements.enabled"
-    value = true
-  }
-  set {
-    name = "externalIPs.enabled"
-    value = true
-  }
-  # Disable ingress controller (traefik will be used for now)
-  set {
-    name = "ingressController.enabled"
-    value = false
-  }
-  set {
-    name = "ingressController.loadbalancerMode"
-    value = "shared"
-  }
-  # Ingress controller for external : behind reverse proxy, trust 1 hop
-  set {
-    name = "envoy.xffNumTrustedHopsL7PolicyIngress"
-    value = 1
-  }
-  # Set cilium as default ingress controller
-  set {
-    name = "ingressController.default"
-    value = true
-  }
-  set {
-    name = "ingressController.service.externalTrafficPolicy"
-    value = "Local"
-  }
-}
-
-resource "kubernetes_namespace" "flux-system" {
-  metadata {
-    name = "flux-system"
-  }
-
-  lifecycle {
-    ignore_changes = [ metadata[0].annotations, metadata[0].labels ]
-  }
-
-  depends_on = [ talos_cluster_kubeconfig.kube, local_file.kubeconfig, helm_release.cilium ]
-}
-
-resource "kubernetes_secret" "flux-sops" {
-  metadata {
-    name = "flux-sops"
-    namespace = "flux-system"
-  }
-
-  type = "generic"
-
-  data = {
-    "sops.asc"=var.sops_private_key
-  }
-
-  depends_on = [ kubernetes_namespace.flux-system ]
-}
-
-resource "helm_release" "flux-operator" {
-  name = "flux-operator"
-  namespace = "flux-system"
-  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
-  chart = "flux-operator"
-  wait = true
-  depends_on = [ kubernetes_secret.flux-sops ]
-}
-
-resource "helm_release" "flux-instance" {
-  name = "flux"
-  namespace = "flux-system"
-  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
-  chart = "flux-instance"
-
-  values = [
-    file("values/components.yaml")
-  ]
-  set {
-    name = "instance.distribution.version"
-    value = "2.x"
-  }
-  set {
-    name = "instance.distribution.registry"
-    value = "ghcr.io/fluxcd"
-  }
-  set {
-    name = "instance.sync.name"
-    value = "homeprod"
-  }
-  set {
-    name = "instance.sync.kind"
-    value = "GitRepository"
-  }
-  set {
-    name = "instance.sync.url"
-    value = "https://github.com/vhaudiquet/homeprod"
-  }
-  set {
-    name = "instance.sync.path"
-    value = "kubernetes/"
-  }
-  set {
-    name = "instance.sync.ref"
-    value = "refs/heads/main"
-  }
-
-
-  depends_on = [ helm_release.flux-operator ]
-}

infra/pve/main.tf

@@ -1,46 +0,0 @@
-# Terraform providers configuration
-terraform {
-  required_providers {
-    proxmox = {
-      source = "bpg/proxmox"
-      version = "0.83.2"
-    }
-    talos = {
-      source  = "siderolabs/talos"
-      version = "0.9.0"
-    }
-    kubernetes = {
-      source = "hashicorp/kubernetes"
-      version = "2.38.0"
-    }
-    helm = {
-      source = "hashicorp/helm"
-      version = "2.17.0"
-    }
-  }
-}
-
-# Proxmox configuration
-provider "proxmox" {
-  endpoint = "https://pve.lan:8006/"
-  api_token = var.api_token
-  insecure = true
-  ssh {
-    agent    = true
-    username = "root"
-  }
-}
-
-# Talos configuration
-provider "talos" {}
-
-# Kubernetes configuration
-provider "kubernetes" {
-  config_path = "${path.module}/kubeconfig"
-}
-# Helm configuration
-provider "helm" {
-  kubernetes {
-    config_path = "${path.module}/kubeconfig"
-  }
-}

infra/pve/variables.tf

@@ -1,19 +0,0 @@
-variable "api_token" {
-  description = "Token to connect Proxmox API"
-  type = string
-}
-
-variable "machine_root_password" {
-  description = "Root password for VMs and containers"
-  type = string
-}
-
-variable "ssh_public_key" {
-  description = "Public SSH key authorized access for VMs and containers"
-  type = string
-}
-
-variable "sops_private_key" {
-  description = "Private SOPS GPG key for flux/kubernetes to decrypt secrets"
-  type = string
-}

infra/r740/kube/main.tf

@@ -44,7 +44,10 @@ data "talos_machine_configuration" "kube" {
         }
         network = {
           nameservers = [
-            "10.1.2.3"
+            # We need a set of nameservers that can work independently of kube
+            # to bootstrap. 
+            "10.1.2.148",
+            "1.1.1.1"
           ]
         }
         certSANs = [

infra/r740/kube/values/components.yaml

@@ -10,7 +10,7 @@ instance:
     type: kubernetes
     multitenant: false
     networkPolicy: true
-    domain: "kube-talos.lan"
+    domain: "cluster.local"
   kustomize:
     patches:
       - target:

kubernetes/code/gitea/release.yaml

@@ -12,6 +12,7 @@ spec:
         name: gitea
         namespace: gitea
       chart: gitea
+      version: '12.6.0'
       interval: 1m
   valuesFrom:
     - kind: Secret

kubernetes/code/gitea/values.yaml

@@ -1,5 +1,5 @@
 image:
-    tag: 1.25.5
+    tag: 1.26.2
 ingress:
     enabled: true
     hosts:
@@ -17,12 +17,27 @@ postgresql:
     global:
         postgresql:
             auth:
-                postgressPassword: ENC[AES256_GCM,data:MGHcVoXxZmaAaA==,iv:jzp5H+mT1mwbJvuDnlgfQBMsilAZcR9Wpdv1Bem8zvc=,tag:9vPppIbycDJfgRV45jkwFg==,type:str]
+                postgressPassword: ENC[AES256_GCM,data:iS1hZgegYcjUYA==,iv:sQopZNgQvktuVPTcSHGIXe8Vcx0QRrkOBmvCU+lXeYo=,tag:EzQXgSj6Mw8Sj342P6qoKQ==,type:str]
-                password: ENC[AES256_GCM,data:jm4ffAcu06Rqog==,iv:pBWzn+/Udl99Vv7bLRv37uNZjPY/xMqrvDgUw6o+Am8=,tag:Y8PEv+NoEr9YU86WVebZqQ==,type:str]
+                password: ENC[AES256_GCM,data:D9ajgAcbx6XJwQ==,iv:JXipoz3yEj85jvyfgTkt8UmACO1R94vrpTCUdQPhS/s=,tag:nJrhXFdtdlrE7CrgrsFHUQ==,type:str]
                 database: gitea
-                username: ENC[AES256_GCM,data:OmrAE7E=,iv:ABU5b4rhwtxz0n8kwI7Nxqn0Cn//B4ScWJdYU3cE5ds=,tag:q/g0741vR06c5nDWGnTvYA==,type:str]
+                username: ENC[AES256_GCM,data:ynRejXA=,iv:XxPBPLUywl4rDKo6RMJT1rOzAeK9lkUsYT5DlL+vqyY=,tag:lJFJGebHtj7nC+PFL1f6jw==,type:str]
     volumePermissions:
         enabled: true
+    primary:
+        livenessProbe:
+            enabled: true
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 10
+            successThreshold: 1
+            failureThreshold: 10
+        readinessProbe:
+            enabled: true
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 10
+            successThreshold: 1
+            failureThreshold: 6
 postgresql-ha:
     enabled: false
 persistence:
@@ -32,7 +47,7 @@ extraVolumes:
     - name: git
       nfs:
         server: truenas.lan
-        path: /mnt/main_storage/git
+        path: /mnt/fast_app_data/git
 extraContainerVolumeMounts:
     - name: git
       mountPath: /git
@@ -41,8 +56,8 @@ gitea:
     oauth:
         - name: Authentik
           provider: openidConnect
-          key: ENC[AES256_GCM,data:BvrQCp1uuKsU+ghFqGDtDSXkx71byFQnOKSCU2iMLQebhsZdocZbJQ==,iv:WY3p4ygfc7CuEjK18Ktr2c/a5bDnCoyNSfKqjXwjZuY=,tag:INMKosSqPzJOCcZ9m3UKKQ==,type:str]
+          key: ENC[AES256_GCM,data:aU+rNnGTT4pji75ZJtBDmAkE0bX1alWTzUG0+DywCjQ66nSCqCa8DQ==,iv:DUxx8EFFBgnIivyf9CPpFx3sDeiu2NkIFDcoj6lVDeo=,tag:Zm6rEsXaCBuFmChgzdb2zA==,type:str]
-          secret: ENC[AES256_GCM,data:7kWuHYZ+2UlLrlRC6bX54xu0EJ264pP3EkfycleNnE647+VNInviZ9OFdz+2E+Ujw5ktuU8Edl49ex/TZ3BLyBv5bgHgCySLIHrB9keEZIxuhnfV53csq7KmIvO+NALDbU2OlZZaiAyNMbJjRCSAxXRT2WtPVzadt6HkW3niiRE=,iv:4uWctDxVpRzqdErKp05WKuz7WYH5frktMe3gly4+VW0=,tag:isaFJX5Q+XaZnY1F2HFdfw==,type:str]
+          secret: ENC[AES256_GCM,data:mkh0p931YVQ/kqpHdeZHEndQpxNYk+t4LqTkZFLyEFVOuy5ZdxyT/PbhiW4Uw2L9XGO6JyAaJaO89K77HdEjpLU9TntkuU4ETBW3V3vzM+42EysMqmeud8hQSUdtGa4UsRd3dDb354CM7S7i7Gr22CT5/a8ujO9HIXDTuf+UXkU=,iv:QnPOyVft4vvtaOrrhoXQXXXbH1DbdSA0mAu2IextLxs=,tag:0dxGssjnv4DoXylPZsvYrw==,type:str]
           autoDiscoverUrl: https://authentik.vhaudiquet.fr/application/o/gitea/.well-known/openid-configuration
     config:
         APP_NAME: Gitea
@@ -69,27 +84,27 @@ gitea:
             ISSUE_INDEXER_TYPE: bleve
             REPO_INDEXER_ENABLED: true
 sops:
-    lastmodified: "2026-04-05T11:32:32Z"
+    lastmodified: "2026-06-05T20:21:53Z"
-    mac: ENC[AES256_GCM,data:etLsvUBjDtzqpwdP9jontcVmFRvvsy7z70Rcztvm6kNybRsWKss2hRarl+IhxBqI5rQYaWjON9BNpjIBjnmKVPiwV7lYF7cSTEiHrCCBrFyhwYKxgsgwZCWCfSgOLMlhTjI55wISPFyhHaC/O6CsuzcGRAQ52B2PZBaeY0vNgF4=,iv:aag0M1SJn7uVLu99wmGMp3Ms5jlJCTzkyGUsdzcrGAE=,tag:H2+gdObpNEnoDKaW3IT+wQ==,type:str]
+    mac: ENC[AES256_GCM,data:CySJzul7ciMGGQqt33RUG7sVp0xOt1ylK/uV0hibYDYk/s8JudcAO5bEDRfkeEaQuiURALAgCpg0ooA4wFlhklcfNYP5g2JqEtcwfR1e7DUW3KHmUTA3ViaLo3M7EtP9ALvZlE/L6cPqolIae4tjawIXnUSlZQ3d7O4m50VFHC0=,iv:DxvxcAE1N/J14S+j9N6YkF0885hi1CZoFB6dk1IqNxM=,tag:tbqHPJocfGlRJFDIuoW8VQ==,type:str]
     pgp:
-        - created_at: "2026-04-05T11:32:28Z"
+        - created_at: "2026-06-05T20:21:52Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ/+KsQV7ZuIF9YaJQjnLJk88FP661mApTJeQRo7MI/SIGTK
+            hQIMA7uy4qQr71wiAQ//VC/fnusp5oupWvPbCJCRl46OfetfXIsY/J8JP3Npp2XB
-            Xrj2j9EU2QRny/56YD6x/vqENQ8Appnew4ejtLEJY/wWmfSaSuO0JWk40tOa95od
+            Yz2u3gxwPLDZxLnBsR/jafym1/1wi42SV3eka16j8dKjm4cICA27ycAmU4zSC2/O
-            YxQhYBi0/DuCTtLdLs1lrOH+GEKSQNbE8Srv6gmaWweu1yLHUye44M8DxOd+/dbf
+            Os3s5wo4e7ajNHnRZ+SyXzBPeg6LEbv9O/mx2tiQZBHIs5bhQ1ZxQ7lTwiKYP8Es
-            5q4sRtldgpAm8EFjdZQcollzoFyUDiE/G1bpml4hbkHVJhlSfJHTGN6bq96yuG2l
+            kFf8oVO5rEEpMAd0RpiSlzsTWVWuOEfw0uQXjQOP+ZFAqcf9lPnQp273MbxUe0jL
-            et0MnNAMW2EJh3w6vGk1CJfEB6LUfR6KNUM4oPI3qVy9GeGDgTi4xv1cYAiVIcEv
+            e58OLp3wO+LWRlRnixrx9vLuUsFou+JcSfKoTFbcBXzDs0SSUiAOwz5nELNtlENT
-            hXfDrwDGm1pUakLklzKcJ9TpNokPCimax5O2dNDKBdFaGuGVfYzIzcSIY1W3qZV9
+            dHGzaplWMnHFWPd3Ef7AUGwUlb23mxJNv/yuM6CNgkTec6qYdr3Arc84kGT9qdz3
-            KfpaCtkfIDOtwUdjvxcdhpGbYYckcEz0TFtwTIIPeznQvyhtqNcNV9TDxmDoQiYG
+            pktw94Wiw3uPLpiGVkFMdBynzVUBbbiWPGByVF0NBRnp8+NABsiekAjFrV2I1wdr
-            l1iY2dSoi7Fae7HT0QDrxw8rV9L2d+1qPkiEz9yOq+oJGYzuIy7ygPO7X1x2vkYm
+            rGmNtTS66jf2yEBMP5w64BbVH8zQ/FA4wSEQxFGm02Cp0dv/HSy07aPDUBWZZzr/
-            lXoxVyFrbH3K4Wb4ibukdAkrqQKZYnhqpxtvB/SFTlS90r2wewQSfivBTHT3yh3d
+            b9j6EUBZ7DKDLDY4uC05GJqeZFWf3M9disXnUbHQifMNIaRveoKPvBOg58ZpyUrA
-            j0Zjr2Ga8fiFdmy5ELyj7oKO4AWY67eFe1TdfV9dPb0qO7tVph2NbcNyhgp59ejk
+            rffDkBJmy5Cvwll3+8uomsYrU9sWVCs1dHOG3xfbHNmh4XB0J3G59S1+PRBgsQi9
-            lUjJCJKlDyysu7VAvF8RzzQhfwBrZqar55Mou+HvrypOJpoCCKH9GNiemoudSx3S
+            zHTDuh9tF+ehCdMQjje+Cq9f6Aajv/S9HDaKxLfVkAVgdzP/Tu5ARZPIoYxyhR3S
-            XAH+uZb87/xPqJP5XyXqOvW4WvLNRxCUcHwur9USiluKZYhdtaYicTOy3iif+sD+
+            XgGfZASrRdk9XjmjrBRt5wBl0MjVr9vXEVxNqEGcpcDM5Q9MznRRhGKtAQ4BcC84
-            m80ahUph//L/9qTbNQU51AF1Lq0X6Mh0GkBa1b61iJu/PWizjlEEJS+/xpN5
+            bajKkGp9+6vas0tKR+Mp2wq4T+GMqLQVa3KedBuwXVdk3gE3jxhzd7rdT8chZbQ=
-            =FJi9
+            =kMPK
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$

kubernetes/infrastructure/authentik/values.yaml

@@ -1,14 +1,14 @@
 authentik:
-    secret_key: ENC[AES256_GCM,data:nS0n+g3riD47shHDhs8JzfHT+a8oOKvFJDvO72mUU3bVslFYRBueJK+rWCGYjXwwyZzUjAcb638sqA66THxaxebPLtZ/UCmT79qzOw7Rf3A=,iv:o9WztN8vb8Pag8WMKIEWDMgFVWiTB3dIjCx7nU/0hrc=,tag:6tx684P4cJSZrrmut7KVcA==,type:str]
+    secret_key: ENC[AES256_GCM,data:wnDvn9EdX2SYDoWn9tTrbKvBx11fGfGlTk+9MSz8cBzwMDaY5W1bCwjtH7TmAnwYhbUQxXdVIxgPpj7k0FVqM5fuMHZwcb2AgtDMGbxRXtM=,iv:jwUq7dbl+V1t+Ek7vyBEfwX1B/fVmE0TIFMVGj40kVI=,tag:G1bDdR9OUqOtZQmvUcAfRA==,type:str]
     postgresql:
-        password: ENC[AES256_GCM,data:ES3BL3tEiv+NSg==,iv:oOKiH38wi5zqKkgvezIgj5Qg8+1bcFZXpoEewMucygM=,tag:YigQ3X8pRXVqhkoycGNjbA==,type:str]
+        password: ENC[AES256_GCM,data:G0KPHz7zZ5ivtA==,iv:w4m21LqGEtvEGAp7NlsoV9bwRkE/Mga4Nxp5mqBIJHs=,tag:kKHC3yXqJKZX9jiYuYXt9Q==,type:str]
     email:
         from: webbot@vhaudiquet.fr
         host: mail.vhaudiquet.fr
         port: 587
-        username: ENC[AES256_GCM,data:EmE524Yp3Ihv+FnO3GfTilzLwGo=,iv:XzJW6v4owBETgLHfqvvELhkDLQJSH962eEByQF0zeSQ=,tag:rkvVWCX3JwNO+j9MIB/+LQ==,type:str]
+        username: ENC[AES256_GCM,data:s0L1fCp8aObv5j6jlBiGDfj0aIM=,iv:cbvXxI3DIjnhnfHmUpeDF5KKRxUC2+YdvwU5FPcEe0s=,tag:rR8HpXUEabNZ36xabVkSIA==,type:str]
         use_tls: true
-        password: ENC[AES256_GCM,data:b6joibJRT46C+XeH2eI=,iv:Lo+28oE5mv3uxI8CUAQ1OgNhN+3iv1JfdxvkZWZC05c=,tag:VAIrnXSg9w82N00oT+d8JA==,type:str]
+        password: ENC[AES256_GCM,data:rb6o5MGQWK7LIT7gass=,iv:NjI0iqRk2usrqcH6kSo72T337y6avHz5whg9bLfAYDA=,tag:DnRJaixjmNY31V1h9Et5PA==,type:str]
 postgresql:
     enabled: true
     volumePermissions:
@@ -17,12 +17,26 @@ postgresql:
             repository: bitnamilegacy/os-shell
             tag: 12-debian-12-r51
     auth:
-        password: ENC[AES256_GCM,data:NWk6kvOp1RRs4A==,iv:q0GoRFQ15LBXDxDnOiKWHX6/K8DwX+k2Myxk7iaBo2U=,tag:6qfY+5TF2oy4cRfeJKr7IA==,type:str]
+        password: ENC[AES256_GCM,data:9PI//cgxRlmjNw==,iv:q0SLpmaTIC3OUulPDxiDWie0+oI7w17V2fPmJ52o8ao=,tag:2lwG95Remzqt1dj8H4CG0w==,type:str]
     image:
         repository: bitnamilegacy/postgresql
         tag: 15.9.0
     primary:
         args: []
+        livenessProbe:
+            enabled: true
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 10
+            successThreshold: 1
+            failureThreshold: 10
+        readinessProbe:
+            enabled: true
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 10
+            successThreshold: 1
+            failureThreshold: 6
 redis:
     enabled: true
 server:
@@ -31,27 +45,27 @@ server:
         hosts:
             - authentik.vhaudiquet.fr
 sops:
-    lastmodified: "2025-12-05T21:18:24Z"
+    lastmodified: "2026-06-05T20:13:55Z"
-    mac: ENC[AES256_GCM,data:DpKXYMtn+01IVQ98t/oVG4bqRVBBSQojqKGmt1A0vco8EJKNtHxyykVuuouO4mhmx+UWKjxEg+KvgvV2Ptk4uGs64x2sCSnMuqnpwfd8xpxLukqVxVd60ICKFeeVt4MgwRrlOBO2WKMDoZE5pi7pxVoGDb86P2J4XHzWqVkGGX8=,iv:W1OZznwbmlZJzICIuEVszGwFGFOgPLiThX4uxVpaOiw=,tag:s1HhjGwGt/mkWMhsqmXjZw==,type:str]
+    mac: ENC[AES256_GCM,data:rtrnY4XXaovFr/oXuZWJQa17Ihlgb9W7WMKYeN10qqx8REf6a3zqlUUGGSndYhjAZwpUjo3qixqAjW6kItBDgeF3DLpQ2T6acyOgXmbYNN+dWK4zb7jE0yZz69XIkUirabBWTkLqDACvw3iW5x4EAjg6/VYRVt4g5eugET5F/IU=,iv:eM+Z4SEJ6/y6gHzlYjLxcbqRn4dP4gbkaQqN2EGL4BY=,tag:EXklnS8lNeQErKcdP0XD6Q==,type:str]
     pgp:
-        - created_at: "2025-12-05T21:18:24Z"
+        - created_at: "2026-06-05T20:13:55Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ//ZrmaLqypfT4HvrAO8tV/I8tl3PDZgLot0pQyv3Idu3s3
+            hQIMA7uy4qQr71wiARAAsreeLsc0Qhc/RDFP3GmusT0PCFq0XTnin9THWE+7YC/5
-            0e+Pn7zGBUvZXNYfgd20ilCatPVzt4x2KvFgaAkEMkqHnE2btLSrN66QiwHZDxF5
+            +kPcfKfyQGQGImzkl6niBxzl4jjxiyOyhdDWzwFw34Ets+1wXLlur9mo0v8GLfZG
-            1G+TNWs6ZOUSpUn7P1UdfroSm/Gy5sdUc8cTuolOkLqq0r88Wh3+RkxoR9Nv4f4p
+            DEO+1VEzFheZzjM6pVNOWCJdGKR8WEuadjmMMCsux463JiEPtatRJgcAim3ux6uV
-            XDDNRo4al8t0QT+WHKlGwaD/58Vgu0CRzBsjZodZWrG+4VgzxHK+3rqPGY7s0Mpy
+            TbtDNNF9yc9yp7GN8p0/kF3tnD40zaszM8+UznrWbDIFJOrixyVTZ3O9tKcjl55S
-            /epq73LBFRzgVagMqjH8LBJ60jjScWHVlGjRg4TtXDyhHYizEvlWt63sbWeYBLwC
+            m5upCrrbc4rcp+uRiYrsiMZoEg3KvlqtxUw9mHoeVce83l7bziobixzBhnGRtAar
-            Uz0QHR3jWZoErbb71JpEhHa5P+QuUaZTeEq/groWsD1I7cceDC9EorhbcyWm7SNa
+            zYUKsuu5PPpljV+ghDSIkcTrwLGQnInhlbOxKwDNVb0LiL/1c6dP4zPfZNh+Nvne
-            swTx23zjfdM/Hqi5Wz9UeTN8CkdSpb1mbG9YTvhB510wcpdVPTJNM1hVF+9OJycu
+            XhUDx90WnGCFOI2t5tXelAymCBDgak2qCX4IxkxddBhL9lONwYIM8zmszjPQf7r1
-            RP6YH6dXuWNK7aSx62ppaz+UJb27tF+KXafO4yDIu5hY1vaeFSgCUgJTpYae4tS1
+            Gx4vFrUTqceEXI+JLiPog4/+gGHX1qzifdHBZR0ZtTi/XJfnhdH3fkJndLA65Pkg
-            pWBLR51FikImgkkEFjzDwAWGBwfYzvqWqGOjO6E2yaVRTSYYdZQbTj8Owq49zizT
+            K4vY6KfomQLEmHurMVzEkoeXH95qSWmfmai4SJmKWqm33VFPZRFoVonnx4dP27SM
-            A4eZpPEeq+Z1FmQ7kjV7+tAV/GTDrSyvtytQ+fgebhVf+0KrcNUzQDEsQfV1htNl
+            vZGmfgjOl5eeRk/jdrApJNTkCi/dkGUfNRDffwcYQgjCJaWOs1agchBSC/RLZVWN
-            mnR590NnBp83jlHVAFYUwaCEzcrfRrfGzrlacUVuOO2c4orSeRI2FOro+2AOjvzS
+            3FPmohgmGa/MBOX3qS1r/5G3XBdKuUxd/NJ2Bw8L0wodteGSEClEiMEXGGZLkOzS
-            XgGkpLEkrINUIuI27G838z9/9cFUqMqL6MTThuJjUmKphgLAZ1iqhyfEm/2kwXZz
+            XAFSk/qmO3tJGViwOVtnb0ZXyTRritW9uR13N+LcaKJhC0PB/m/lXR6IlrfLJXnu
-            oJnnbBWIxN2/vltsuu/WprLHzbL5dBusLiBUeuSbPPron4r9Do2cNcFIT2hyAfA=
+            AMD7w42wKMeBgGuQQ/Xm/iOVlS2H0kvbm1b1WEZMQUJlEleKSyQKbmQPujoi
-            =1NR0
+            =KjtC
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$

kubernetes/kustomization.yaml

@@ -0,0 +1,34 @@
+# Root Kustomization for Flux
+# Explicitly lists all components to exclude:
+# - cert-manager: managed by separate Flux Kustomization (CRD dependency)
+# - cert-manager-issuer: managed by separate Flux Kustomization (depends on cert-manager)
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # System components
+  - system/cilium # cilium IP pool is managed here
+  - system/blocky
+  - system/caddy
+  - system/coredns
+  - system/csi-driver-nfs
+  - system/external-dns
+  - system/flux
+  - system/traefik
+  # Code
+  - code/gitea
+  - code/harbor
+  # Home
+  - home/home-assisant
+  - home/zigbee2mqtt
+  # Infrastructure
+  - infrastructure/authentik
+  # Personal
+  - personal/linkwarden
+  - personal/notesnook
+  - personal/photoprism
+  # Production
+  - production/umami
+  - production/vhaudiquet-fr
+  # Tools
+  - tools/dashy
+  - tools/glance

kubernetes/system/blocky/values.yaml

@@ -58,35 +58,35 @@ probes:
             failureThreshold: 30
 resources:
     limits:
+        cpu: 600m
+        memory: 768Mi
+    requests:
         cpu: 200m
         memory: 256Mi
-    requests:
-        cpu: 50m
-        memory: 64Mi
 # Full list of options https://github.com/0xERR0R/blocky/blob/main/docs/config.yml
-config: "upstreams:\n    groups:\n        default:\n            - 1.1.1.1\n            - 1.0.0.1\n        lan:\n            - 10.101.207.1\n\nconditional:\n    mapping:\n        lan: 10.101.207.1\n        cluster.local: 10.96.0.10\n        in-addr.arpa: 10.96.0.10\n\nblocking:\n    allowlists:\n        ads:\n            - |\n                dealabs.digidip.net\n                s.click.aliexpress.com\n                fonts.googleapis.com\n                fonts.gstatic.com\n                wl.spotify.com\n                www.googleadservices.com\n    \n    denylists:\n        ads:\n            - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts\n            - https://adaway.org/hosts.txt\n    \n    clientGroupsBlock:\n        default:\n            - ads\n    \n    blockType: zeroIp\n    blockTTL: 1m\n    loading:\n        refreshPeriod: 4h\n        downloads:\n            timeout: 60s\n\ncaching:\n    minTime: 5m\n    maxTime: 30m\n    # Disable negative caching (NXDOMAIN responses) for dynamic DNS\n    cacheTimeNegative: 0\n    prefetching: true\n    prefetchExpires: 2h\n    prefetchThreshold: 5\n\nprometheus:\n    enable: true\n    path: /metrics\n\nports:\n    dns: 53\n    http: 4000\n\nbootstrapDns: tcp+udp:1.1.1.1\n\nlog:\n    level: info\n    format: text\n    timestamp: true\n"
+config: "upstreams:\n    groups:\n        default:\n            - 1.1.1.1\n            - 1.0.0.1\n        lan:\n            - 10.101.207.1\n\nconditional:\n    mapping:\n        lan: 10.101.207.1\n        cluster.local: 10.96.0.10\n\nblocking:\n    allowlists:\n        ads:\n            - |\n                dealabs.digidip.net\n                s.click.aliexpress.com\n                fonts.googleapis.com\n                fonts.gstatic.com\n                wl.spotify.com\n                www.googleadservices.com\n    \n    denylists:\n        ads:\n            - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts\n            - https://adaway.org/hosts.txt\n    \n    clientGroupsBlock:\n        default:\n            - ads\n    \n    blockType: zeroIp\n    blockTTL: 1m\n    loading:\n        refreshPeriod: 4h\n        downloads:\n            timeout: 60s\n\ncaching:\n    minTime: 5m\n    maxTime: 30m\n    # Disable negative caching (NXDOMAIN responses) for dynamic DNS\n    cacheTimeNegative: 0\n    prefetching: true\n    prefetchExpires: 2h\n    prefetchThreshold: 5\n\nprometheus:\n    enable: true\n    path: /metrics\n\nports:\n    dns: 53\n    http: 4000\n\nbootstrapDns: tcp+udp:1.1.1.1\n\nlog:\n    level: info\n    format: text\n    timestamp: true\n"
 sops:
-    lastmodified: "2026-05-02T17:51:26Z"
+    lastmodified: "2026-06-05T16:01:30Z"
-    mac: ENC[AES256_GCM,data:J7EovwsXi2L9XocZoi5ann71DQ+wWZk2aCUbjvaGpv0yZC5g2HNccPVRvAj3y9SyMttLT8QlESXzHpEV2A6bOfmJf5v0ACYuWn5wKNlkaBdmTs1xwXp/RcpeOb+FCL9D+9hzjBO9XF6iXZLSj4pO/n1C0IhfeqYKdDC4tHkxOHA=,iv:Qm3Uh+UUSDWCxh7gWJ9x597aWXdMHxtpixE2BVlb6c8=,tag:aHbK26P4f9YV2uGLhpT6OA==,type:str]
+    mac: ENC[AES256_GCM,data:zcrVjYr3g0fDVMLP6T2kEDph3WbGh6nTGkqYwgfKuBOMQ/am+VxXmUJUh1YL0vvFjrwocK7hXFfJ6q/G5SNY+8GVLNeKfl+svfDEssmY9o9XOkSgmCh1MPHCUa6bP/+F1xXq0rU9umvRnjKfhC037iKkCDjEVm6KZt8v2OSvqJA=,iv:MjZtMcEuf9hwVRXGKn3BZnHXMJSeOp453J8SGyh6PTU=,tag:N1IxsGmaJr703gsQ0XjYjg==,type:str]
     pgp:
-        - created_at: "2026-05-02T17:51:25Z"
+        - created_at: "2026-06-05T16:01:29Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ/+Po8UdkiFGt0LmcvCeSE23aoWwY4qi2FsGKdik+7sL3RN
+            hQIMA7uy4qQr71wiARAAikW2TqLZeBx2ERR7HF15cvCNDqCoTHwVUuTyc0qPUyoM
-            gOt/VQ6geefhd4YDhH0jfd7TDXs7UTtYvKQ+IaKcRUyOrZzhrfTpNeT/lXuaTkHf
+            Zy0X/wN3e0c4Ti0X4lUqJyICpH49sbKtygrRI4vVywr+4KgpKIwi/DTmPk358Cw2
-            LAUiqyprq1RDzxxIPvgMh4DynfehgN8B81iMJox2/fD0oV7B6dIIABvAl87gzANw
+            4E8DAVMcQDbpSPDgnl2DrrcPBa551MZusXs89nh3Eay4MW/gbEPpQvcuiI8tMQW8
-            7snQLJwdhNXFylKfrdC9A4AfYz7ycXBzEyYlY5BMZENw9yBGgZ1dZITU2KxeYCo/
+            f8759mNQHGxKUhSvdbJJO13+I7e1vhJz/twWJPJlieBRQ46QQjOuGSAo6YWEH4R2
-            gdVTCevybSBQ/Cq0+hI25ZF+nEIGjrVCN2AxPEUO98ljp4OZEu0p6KsMB4xgCD2j
+            Hkrp+7p8tWjFbJEnBlAW5lpcnqjCmoKPuOPXwi6mXpZfEssUsWE99DriCIuRM1ZQ
-            l5LN6YPAu95TRx/bZinoHMMzth6WhFdUG0Anj2cIIYXOcreyzPxYGj+vwRlZFrkZ
+            FBTroMHlwVESE58yBqxs1ZIMHxyncyj0rHfDnrOH08OpW9brTaardHZMcO2Kkil7
-            gTU2vfpt/1Wx8ORRqocCkxZ3dMtm4KsGqe3xpd1y84ezL/bMLxSApn5e7Zzn1cEg
+            uK5wTdTaNph1crLoWoiW6vuZv05OiHsuHe0miuhRakedmCcbC+dYGmBPDgo0mKYB
-            DoLwJGnZzSY4nRzfoGXOv6mjyTUVkqNexRlL2wIsgDP9VP/ohS9K2fFZzzJ/fXa1
+            0CzzSRL7MTB9LhGSxH6xrlm1hyRmVzNnYc35VPWf48S/jZi7iOOth/mRaxmi94VZ
-            G9DUg64SwfYIFzAgsyWwdE3kCJ/GSIAgrgNwBfZlLGdfB/PB2BkHNpzX4LROUEcD
+            O4XiAuwh77eXDaYoOgYaVpCicXXg2uoq3MVjl32yUeuwpDSxVfRUJz39s1rP3UMT
-            HqqHtVlUIikiFdDQWwB5tS+APBCO6VuzKl1z3ROgV6xhvr4ZYkd9CHYu1S1r1XAs
+            CgFc+Yen7aUmcBYlid69Le2UR3JTGlr1LXyuXR4ju3x0k84qfGKAwjottB2snKu9
-            JRCyow0zTLRYGQnDD8+RPQ4MsbzJsugA8Ac4bE4sVJpP8hloZBqHb38AkoUruDTS
+            twcxDzDMkjV4Maz3CmBxVglpxe6gOzOSk9BZujxogFHncRxMBo5BJO4/926iaWHS
-            XgE+Nxcy0/aznBgEscE/VuY/GTH1vwYl5/dAcV8GDYcNmd1tE9E1QwWsSurHt39u
+            XgEPMREJARCGq+N+8vc7PQ1xlNEqcwL0c0PJjRVqQIAeuvF4QK9kH+P8aR0k1MXK
-            +QdGZYoUbHPtsk/zODgEVqn0iTsqO7Y4Qmu93bYlYFQwCygAPKKpCaqmmu2U+rI=
+            WnUHF/3afdgPwpp4ZZJoxfna2AroRh2+Dns4KM7QN2oyFWPNPJuRKyAtaKewPp0=
-            =hq5F
+            =DIqZ
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$

kubernetes/system/caddy/caddyfile.yaml

@@ -16,12 +16,12 @@ metadata:
 data:
   Caddyfile: |
     vhaudiquet.fr {
-      tls /etc/caddy/certs/vhaudiquet-fr.crt /etc/caddy/certs/vhaudiquet-fr.key
+      tls /etc/caddy/certs/vhaudiquet-fr/tls.crt /etc/caddy/certs/vhaudiquet-fr/tls.key
       reverse_proxy 10.1.2.171:80
     }
 
     *.vhaudiquet.fr {
-        tls /etc/caddy/certs/wildcard-vhaudiquet-fr.crt /etc/caddy/certs/wildcard-vhaudiquet-fr.key
+        tls /etc/caddy/certs/wildcard-vhaudiquet-fr/tls.crt /etc/caddy/certs/wildcard-vhaudiquet-fr/tls.key
 
         # Kubernetes services (via Traefik)
         @authentik   host authentik.vhaudiquet.fr
@@ -38,28 +38,28 @@ data:
         @umami       host umami.vhaudiquet.fr
 
         handle @authentik {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
+            reverse_proxy traefik.traefik.svc.cluster.local.:80
         }
         handle @auth-nook {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
+            reverse_proxy traefik.traefik.svc.cluster.local.:80
         }
         handle @nook-mg {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
+            reverse_proxy traefik.traefik.svc.cluster.local.:80
         }
         handle @nook {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
+            reverse_proxy traefik.traefik.svc.cluster.local.:80
         }
         handle @sse-nook {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
+            reverse_proxy traefik.traefik.svc.cluster.local.:80
         }
         handle @gitea {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
+            reverse_proxy traefik.traefik.svc.cluster.local.:80
         }
         handle @flux-wh {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
+            reverse_proxy traefik.traefik.svc.cluster.local.:80
         }
         handle @umami {
-            reverse_proxy traefik.traefik.svc.cluster.local:80
+            reverse_proxy traefik.traefik.svc.cluster.local.:80
         }
 
         # Docker VM services (via Traefik)
@@ -83,11 +83,11 @@ data:
     }
 
     semery.fr {
-      tls /etc/caddy/certs/semery-fr.crt /etc/caddy/certs/semery-fr.key
+      tls /etc/caddy/certs/semery-fr/tls.crt /etc/caddy/certs/semery-fr/tls.key
       reverse_proxy 10.1.2.212:80
     }
 
     buildpath.win {
-      tls /etc/caddy/certs/buildpath-win.crt /etc/caddy/certs/buildpath-win.key
+      tls /etc/caddy/certs/buildpath-win/tls.crt /etc/caddy/certs/buildpath-win/tls.key
       reverse_proxy 10.1.2.212:80
     }

kubernetes/system/caddy/certificates.yaml

@@ -0,0 +1,52 @@
+# Certificates managed by cert-manager
+# These will automatically renew before expiry
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vhaudiquet-fr
+  namespace: caddy
+spec:
+  secretName: vhaudiquet-fr-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: vhaudiquet.fr
+  dnsNames:
+    - vhaudiquet.fr
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days before expiry
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-vhaudiquet-fr
+  namespace: caddy
+spec:
+  secretName: wildcard-vhaudiquet-fr-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "*.vhaudiquet.fr"
+  dnsNames:
+    - "*.vhaudiquet.fr"
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days before expiry
+---
+# semery.fr certificates are managed manually in certificates-secret.yaml
+# until OVH DNS API credentials are added for DNS-01 challenges
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: buildpath-win
+  namespace: caddy
+spec:
+  secretName: buildpath-win-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: buildpath.win
+  dnsNames:
+    - buildpath.win
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days before expiry

kubernetes/system/caddy/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - namespace.yaml
   - repository.yaml
   - release.yaml
+  - certificates.yaml
   - certificates-secret.yaml
   - caddyfile.yaml
 secretGenerator:

kubernetes/system/caddy/values.yaml

@@ -10,7 +10,7 @@ image:
     repository: caddy
     pullPolicy: IfNotPresent
     tagSuffix: ""
-    tag: 2.11.2
+    tag: 2.11.4
 service:
     type: LoadBalancer
     externalTrafficPolicy: Local
@@ -31,19 +31,58 @@ securityContext: {}
 health:
     path: /
     port: 9999
-# Extra volumes: certificates + external routes ConfigMap
+# Extra volumes: TLS certificates from cert-manager + external routes ConfigMap
 volumes:
-    - name: certificates
+    - name: vhaudiquet-fr-tls
       secret:
-        secretName: ENC[AES256_GCM,data:Er1F+5xhWKUT43+7jU/pwxWP,iv:Ohc3jFIQ4Enmbhd0F44SYWJiHlj1oFOrMdtM4oYKQEU=,tag:Kk8Y8aFSKMyGmY/uRVvyLw==,type:str]
+        secretName: ENC[AES256_GCM,data:vc6kDDdxbluL/BmJb4w9TKs=,iv:FLsFMqUQWs3vzuH6fO64qikNpSx/RGneZyow8WYXlo0=,tag:TVsfs/pUmiA6mYYwHgxDLw==,type:str]
-        optional: ENC[AES256_GCM,data:JdlpGQ==,iv:xaoqonC9cGHXizHuAFrjhC4ZEtZ2IICeg2hxvGjyFM4=,tag:JYmlIXgIMON7z4++FrBGKQ==,type:bool]
+        optional: ENC[AES256_GCM,data:I1ftGg==,iv:P/KwiMPHM+YYUPJ+M5GBcgZGRTrIskbCir4fQH1XUug=,tag:hbqOTv6BrmkkQ/kE3bCx+A==,type:bool]
+    - name: wildcard-vhaudiquet-fr-tls
+      secret:
+        secretName: ENC[AES256_GCM,data:KSaPirEmnfOHqtwNr3SoK1IsCZ6HalzH2tw=,iv:TL9/VqSq2fW+2se9GK+bopfbcHu/lgpjlD4dHLKf7s0=,tag:SKgvfnPvca9o3bXxILLX9A==,type:str]
+        optional: ENC[AES256_GCM,data:65Ht9Q==,iv:EM0rH3i8MVVDXXrARxL6djISin8ScCEdZ/J43WL7A0I=,tag:rOcLiIOaDAqW4C5j6Zv+tA==,type:bool]
+    # semery.fr certs from manual secret (until OVH DNS API is configured)
+    - name: semery-fr-tls
+      secret:
+        secretName: ENC[AES256_GCM,data:kDiP6Hg4nLMM4FY6/C21YnFn,iv:bFgsIMkgHfSy8ZsK3NLc9cZ/5TRV3B2WzWkCFBGl5uc=,tag:atz2qInNTSX3u9b5N4fPnQ==,type:str]
+        optional: ENC[AES256_GCM,data:vfjgpQ==,iv:XZBZyekKMQQzrFE05vG2w6Pwd2ZQ+RerjF/T8FKbuc4=,tag:SVRfxbOLG7z8fWyxclrvzQ==,type:bool]
+        items:
+            - key: ENC[AES256_GCM,data:UumzQqzt/iy7oS7P+Q==,iv:3zV2rTEpHclFVRYRACzrs4+IXLOIw8HMSgWLyQ6fLp0=,tag:rOlhuN2qIN0vtwgahtvKvQ==,type:str]
+              path: ENC[AES256_GCM,data:QfXoPe/t8Q==,iv:Cj/4ngLtDha5fd5d7gn6OONGNdAjoEwq1zJc+xxYJTM=,tag:9q1DbomT9p4DonVsu3OBEw==,type:str]
+            - key: ENC[AES256_GCM,data:m72H1Se5snCNyNpe9w==,iv:ybvgDs1PNalk3i50mkIbph5KWEUefaDyoVUvKjqoJP0=,tag:+0c/3vDxjbOp6qn5VXvPxg==,type:str]
+              path: ENC[AES256_GCM,data:DJT6fW8uZQ==,iv:ImJQ19fJ2PBwil64M/vUu2TAhVjTYK14rfiTojK2E7A=,tag:2OkaIF6u7hCqsS2Bkp9v9w==,type:str]
+    - name: wildcard-semery-fr-tls
+      secret:
+        secretName: ENC[AES256_GCM,data:AZVY6PS2tzVnU5mSVlbH621e,iv:HToh6ymWjFGK+xw1+MKAP2RGKJd+PuFC4My7erFeAOc=,tag:W2pksdZFrEFKzPrGwJ+d8g==,type:str]
+        optional: ENC[AES256_GCM,data:LbarYQ==,iv:FUiIoSlbc/5Tj1t2LIxEPC6Ey7DgSaezrr2+lTr8roY=,tag:dlqb5SFpm1JDwn9qwaTP8A==,type:bool]
+        items:
+            - key: ENC[AES256_GCM,data:8xY5dDL5KSNDAk1mTB58WtriIRNeFw==,iv:Ng7twP5cr/TfKpENug7kgZ1Pa24vhV0/wFtxCelRLZU=,tag:powPtyjVogU/NO4LSyT2pA==,type:str]
+              path: ENC[AES256_GCM,data:AIvmIcXtDQ==,iv:JshIK8HzTkMlZsDcdX0AIsrkyLST3qUdtLkEP29E/O8=,tag:njYcODU/bWN7XXDwsHV9Uw==,type:str]
+            - key: ENC[AES256_GCM,data:NqW+4UFJx3AjfS9BFoG3dhOsbHoy4g==,iv:TMMd96OebuBwBT80BzXDYHD/38l+cSDQ9q067/Dqkk0=,tag:IOL89DD3vDjbNm/qYbSUig==,type:str]
+              path: ENC[AES256_GCM,data:f5PVx/WfxQ==,iv:4aFgPWiyp0lnQFboQCprI9lAGCkSfrO03TlD/Pvx0do=,tag:aIvncQKaqtNu15jnpVSSww==,type:str]
+    - name: buildpath-win-tls
+      secret:
+        secretName: ENC[AES256_GCM,data:nUF53gg1cNg5fEWLsXmEh1Q=,iv:XUxXBDMrddGey7eoIebW/myOD0P/UDhY6bX4QSzT3X0=,tag:foE8OG/JcknTRzsxiKKzuA==,type:str]
+        optional: ENC[AES256_GCM,data:tCGcgw==,iv:LxIjr/EsHifL36wFkc1rb1irfk9fyWAoBxGaf+ksu1U=,tag:A96i+w6cTAk7NTxumcXzGw==,type:bool]
     - name: routes
       configMap:
         name: caddy-routes
-# Extra volume mounts
+# Extra volume mounts - each secret mounted as a directory with tls.crt/tls.key
 volumeMounts:
-    - name: certificates
+    - name: vhaudiquet-fr-tls
-      mountPath: /etc/caddy/certs
+      mountPath: /etc/caddy/certs/vhaudiquet-fr
+      readOnly: true
+    - name: wildcard-vhaudiquet-fr-tls
+      mountPath: /etc/caddy/certs/wildcard-vhaudiquet-fr
+      readOnly: true
+    - name: semery-fr-tls
+      mountPath: /etc/caddy/certs/semery-fr
+      readOnly: true
+    - name: wildcard-semery-fr-tls
+      mountPath: /etc/caddy/certs/wildcard-semery-fr
+      readOnly: true
+    - name: buildpath-win-tls
+      mountPath: /etc/caddy/certs/buildpath-win
       readOnly: true
     - name: routes
       mountPath: /etc/caddy/routes
@@ -72,27 +111,27 @@ affinity:
                         app.kubernetes.io/name: caddy
                 topologyKey: kubernetes.io/hostname
 sops:
-    lastmodified: "2026-05-08T11:43:14Z"
+    lastmodified: "2026-06-16T10:08:07Z"
-    mac: ENC[AES256_GCM,data:K0HWw8yTPKy6e3aQV4SdiVwrCjiyCFlFbeycAiyJq4IdlKX9v4wFvjVFLR8VziH8oXJXdUUhr+LOiqNI5HwghXkVn2dOP2ij9jvXZtMic4P0AUN16PfWoedu9ozA+xsGHZ1OTUv+sxvKEUo5Z5Wp+u761w/Xqdn5hHmU2Komatk=,iv:ICwn/LvizIjXVfgiMje50dQ11JAH37wSla29bGAnjuA=,tag:mV7rtahUy4ODZaA7baM12w==,type:str]
+    mac: ENC[AES256_GCM,data:HeWRLHO8x7tJ3fGpSW0Pz6tkuYgQh6QJHF3q9KZD8EgCyuxxrnRh74sEOF9e/KjtmaNKF2ak6QkR2Taa9qD3yblMJp9Zjc3ivC2aMEKxtdJN8B3bxRr1Ln1Na2kSny3+X/c1nC1swWyNNgeQJvKQlvhXjK5S56Y5NG/n/PBT3Q4=,iv:HyiLtk4ueORKezmpmY/I4vXPBwEudqkwNpk4fgDheeY=,tag:2W46a3geF4Fi8jDsSCPNjA==,type:str]
     pgp:
-        - created_at: "2026-05-08T11:43:13Z"
+        - created_at: "2026-06-16T10:08:07Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ//aGnCSLLWTkhToTh833OJ1GwgN82F8R+RgsfpKIW+XNvI
+            hQIMA7uy4qQr71wiARAAhoTczAWaCpuZbHq+NrssLQG4Ys0yYNYM9nflFEOkD1Sa
-            YdTCgaFrYdCGXsaLHijb7vVwCU0VRf/ufZfQp2+GupqRHCbMLSmlkoiyr9ImGlYX
+            rTEAhJACKNFYKJ6P2V4rBQtKHRdqMdVfrtaumgSvuKBX4wJW+nG/LUSXENJV/UD9
-            VWQDajv74H/3CcyCQNjqfFRdUHLE+rfNuYaH/p3+/Ee2bgJi52f3uRdJ4lXSCWIf
+            VqxiujfWKgps4XfNfuM/a7w9IbU7rk+mh+LBwwRpQeqEs7j1eZnJjQCBW4zGFeav
-            KW9lLbwjlfGnOnsnDkaPwcZW9QL353Mi82yXOu7OihobUaVgr83nESXbAS/k4mx1
+            XWYx2VmqfwQ/XhVaiSCvJjeJJk/U54Dot9W2ZoKCX+5zyZ+dWsX2ggXQWsoQCfOK
-            whOXAoEDeLQZfZrITEewOQ0PHjWJwKc0x2YCiQ0If33GSfDjzWPoDuXmQo/xhk98
+            uSTjjVKw80VvrDMX/TfbvNQDHNsljOSSeScA+lx6HElbDcAyUHxE99UAi6RVQazm
-            Nt3aNTMDvjriGNOIcZyUlEjq1HqCmd3pQSD5h8soR9Do/NsTocyK1da49iz91dha
+            EjEHsVHvyR0Y/7hvVlo8FY7XS/81pXGLN22AcWbd1fIZlitRa9YbHZH1YWzWRzr5
-            jwoEga2iFis9Zd9rr7Caf3pWtmKENUGFJl15tpaelvk13jUebSyDubw0OIYbbILr
+            JB2S+UMEOigw8WPg/1BAiFj3bCRn8aDyAMdUEKlbcXCYwoLynG6zVbgeuntYq0Zl
-            dVZAeiOHrRMD5crxG05zvOeLMASuL/IrK97RLBAonZLEkRrfgAwZHK2U0rq2HXpI
+            Y4zAi4+G+fHvdAqQz44p+AyP9hgS/qMBQwsUnAxGfltfVBEew2I/Vz5OugtDyLIW
-            wlp4yDlF/eILvmMgAruP7lW0q/m5+DfxQtcZdamtm3FWj9m0iUAthvw02fplmFci
+            UYrk+5LR+7cfJNCyCHQEyJL/YPsL1GDR1SP5YCrsDnuXPCEgwyRRLHFW8j2KCtLu
-            xJ82rkfkPAZSm7/yPJ9yiea+tKgX8yk1uArRtf8rsG6SED2lCRKmux8ElcZc5DYV
+            YX59FbVLqo2xzT5nEaIYbLLhEq3+5KaVIBqzGWAwSBbu7bXru6jIG6prVwofJQxx
-            hyLivTN7X5Nr05mvaPIptCVm1iYoWaiQNZcPDax/LBZJhNaJgPUz1ue1Ppf422PS
+            HCz2leboRZ3ZrC4Y4itHHuMfmSCtiildRhgPtVnvUdiQz0dS+RLNesH4hRvvxBPS
-            XgE4dh3x1ulcUhXm4nK/0FzKmJUOjcygPeGWmia0ZOEHub/ju+z8LgRAkBasqRXP
+            XgF9gp+9JE/5XMxUmNNf0yUC1mlQuUHbC7JqLLpLBNAtQwljDLMIgPG0y5n2r0C3
-            4aepPm5xVY0g/Z0xksxIWpYUnLRzs0uUKd+zz1MvmWlZckxUO5wWJUWRcwCBDz4=
+            zokdaebVj2XV9r7X25SQMyLzTdoXYqgGsoPBFnqQNpycg2HpmBX9isvqjbZ6x/g=
-            =Ql2K
+            =AqxW
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$

kubernetes/system/cert-manager-issuer/clusterissuer.yaml

@@ -0,0 +1,24 @@
+# Let's Encrypt ClusterIssuer
+# Supports multiple DNS providers via DNS-01 challenge
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: vhaudiquet343@hotmail.fr
+    privateKeySecretRef:
+      name: letsencrypt-production-account-key
+    solvers:
+      # Cloudflare solver for vhaudiquet.fr and buildpath.win
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token
+        selector:
+          dnsZones:
+            - vhaudiquet.fr
+            - buildpath.win

kubernetes/system/cert-manager-issuer/kustomization.yaml

@@ -0,0 +1,5 @@
+# ClusterIssuer resources for cert-manager
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - clusterissuer.yaml

kubernetes/system/cert-manager/cloudflare-api-token-secret.yaml

@@ -0,0 +1,47 @@
+# Cloudflare API Token for DNS-01 Challenges
+#
+# A Cloudflare API token with the following permissions:
+#   - Zone > DNS > Edit
+#   - Zone > Zone > Read
+#
+# Base64-encoded:
+#   echo -n "api-token" | base64
+#
+# This file will be SOPS-encrypted on pre-commit
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cloudflare-api-token
+    namespace: cert-manager
+    labels:
+        app.kubernetes.io/name: cert-manager
+        app.kubernetes.io/component: cloudflare-api-token
+type: Opaque
+data:
+    api-token: ENC[AES256_GCM,data:Ty7PlsPTOUd1zjY5Z+YuKwQ9DbKuvZo8FPz4jdhQFbLGfSwkC8GkOE8LeqxxxdNCDm59luaoPmIVhmrog9SbZLjRw9Mfmh9E,iv:dSpHCC4E8JadygLfG3T3UObPic92fDLm1SDw/j9FxUA=,tag:9KoD5LNqR1WfXbv2upGwiw==,type:str]
+sops:
+    lastmodified: "2026-06-16T08:15:23Z"
+    mac: ENC[AES256_GCM,data:psnVaPRr7viLZPtR9CW0G8QJuO5fWHzlPs+iyuWPUSR3mqNadL9tZ5Waz90dlWpXrQnxXpna+mjTwKRYdIDiITEBMLE3dqMvDjPU4h74RhSO/HxgpU6GFQnm0V+yVh9qTnY6JAXM0lLelVvXLTi5mjQr6k/4+uoVUvQ8CvDOAnw=,iv:eJCaQGtzD67KRuMqWvNEWj+WN3YkyN6YEbWhrLM6Pv8=,tag:jrRSXYod7s5g/QoI3/i/xA==,type:str]
+    pgp:
+        - created_at: "2026-06-16T08:15:17Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiAQ/+JlRMdXmo44Z0GBjsd4mfls2AHs9Jrcan674/rKx17Ixk
+            ucKBC+2GA9aLp3bGKB/7bExEgW9Wn0Ufa7Qf7KTjhr37Foz8FI4Nldq0v/GTQHTh
+            W/M/F+OtkBJDrcqN4cWIIfOTgkkTcgcChYaJYIpRinRzcTMCMC0EQQl6nZm3dFUw
+            6yPWEnbPRbEXVExq6tnU+zcGHazD9e03lUJiEWC1M7ot0sxpmzwrIFrIfJrfbQ9n
+            2fTlrYOKJk+M2XpiYojH8v6YCLKUTHCir1Nqfp2/xG/gT6zqfXODA2YRWxNQDMKr
+            39kinwny02F5tbTRxteni3rtgYEgkXUbvogYSbjNOYicEZ3PqmRuniF+L+6Bxxq2
+            3u5J3nhU1BncFjeWA1ZzyvfwenRRI+faO/nPRSuWe7Dt5c3+AodeFqIRAQNFZmor
+            WgiLTz6oOhvY9ieAp4nmcVRxl91luJzq1abtAvDLz4XN37uCqF0gwv1BAXCMW4NC
+            75IsfJU13Ctpccj5wQLuKMV2pQML1Q8MQluPr/dhqgAU3zFJVmGYtkvDemGEsMS/
+            xW6mgRPJXmClcoNhLYT9T0flSSrVRsAnGcMeoPhTePLxrrqZmEmZFNxo1+aSLnwJ
+            RP05RIZY//88R7MJidPkqqXekIQ9dmZb7M+43k9Re1nmi/CQs+ZxtnhGoz/DpZDS
+            XgGcVSS9GOEUcq7EOkxZZFHCR2VNGnpUyLPRtzsUJh0eAxOU3M5XLThFBk7yw8Co
+            ov0TDoVOo1cqCLkdiEOM2CNkXBTjlRdJg7pQMO1ytXzkoc1EFTTK6QMy7O0FL5U=
+            =xoE8
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(data|stringData|.*.key|.*.crt)$
+    version: 3.10.2

kubernetes/system/cert-manager/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - cloudflare-api-token-secret.yaml
+secretGenerator:
+  - name: cert-manager-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/system/cert-manager/kustomizeconfig.yaml

@@ -0,0 +1,11 @@
+nameReference:
+  - kind: HelmRepository
+    version: v1
+    fieldSpecs:
+      - path: spec/chart/spec/sourceRef/name
+        kind: HelmRelease
+  - kind: Secret
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

kubernetes/system/cert-manager/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    app.kubernetes.io/name: cert-manager

kubernetes/system/cert-manager/release.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+        namespace: cert-manager
+      chart: cert-manager
+      version: "v1.20.2"
+      interval: 1m
+  valuesFrom:
+    - kind: Secret
+      name: cert-manager-values

kubernetes/system/cert-manager/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 1h
+  url: https://charts.jetstack.io

kubernetes/system/cert-manager/values.yaml

@@ -0,0 +1,66 @@
+# Cert-Manager Values
+# Install CRDs as part of the Helm release
+crds:
+    enabled: true
+    keep: true
+# Enable DNS01 challenge providers
+extraArgs:
+    - ENC[AES256_GCM,data:yzuTi9Hu7Dx95MQN+H/6gul381m64KYv5ZsHwg92BE/aUZyJzYArniIC+Nio+SygUXXb,iv:eBizFSW1T2/VvN3k8VRsEIpllHs5MA6Nr+jh9fCzZCs=,tag:sz9WBU687eTgnDXWoE02Nw==,type:str]
+# Resource settings
+resources:
+    requests:
+        cpu: 10m
+        memory: 32Mi
+    limits:
+        cpu: 100m
+        memory: 128Mi
+webhook:
+    resources:
+        requests:
+            cpu: 10m
+            memory: 32Mi
+        limits:
+            cpu: 100m
+            memory: 128Mi
+cainjector:
+    resources:
+        requests:
+            cpu: 10m
+            memory: 32Mi
+        limits:
+            cpu: 100m
+            memory: 128Mi
+startupapicheck:
+    resources:
+        requests:
+            cpu: 10m
+            memory: 32Mi
+        limits:
+            cpu: 100m
+            memory: 128Mi
+sops:
+    lastmodified: "2026-06-16T08:15:29Z"
+    mac: ENC[AES256_GCM,data:ZB7igt7ciH6X0DmvDi2gzg1eA8EYXqq/VRBSbaLT9x2SUi+9ax9w0V+fcTwOTWlwCvHOtSAZ2RYgX/wKFmbnKgrwoSpskGFsRlY947oLkRTk4HbTRP5HbciAQsRw3AVB4pgkR7maVZ9n15gzNHTTkd9x1akAeGHJg9lzg9+N6rE=,iv:jqyi/ZGLjKFBe9XSj2WBBOUbn9xvV9Wf4wrYxSs4t/M=,tag:2u84qHa69IsYFtSwJ6yFqQ==,type:str]
+    pgp:
+        - created_at: "2026-06-16T08:15:28Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiARAAiNHNEJjBOd6AK/moP1Xw7nvOidkRtIqw+QJRmfhPDG7B
+            CQy3y2armtFYzaWhDcMfiy1SkcD91kadbfxAifb5/Oit48VTv03bXZDvyrEdRwcI
+            n81rt3GQuyNDCj9aSUVi1nT5GHETrvdnyJp3u1dzfc/0i7GK+FiCbGAGzSnGdN77
+            +/caT5Jib+hIVskiOjhE85K3rTrh+aJMFKC6NG7Vw8GXh7N4r3EcazcX9KuJXxsn
+            NRT7XyYA8y15PlZQFkhRs1QCVvqH31WDwCEt0cE4r6Qn2aGy+v8ygJkum2sYPH7g
+            WZfC548mZrMrI9UNo10UfPCqGew/XpEla1/bgVByMHMdM9n961KRzCPtR349xXI4
+            1APX4WClQjbL/cXR2zMs19Y+GDjL7XF6rdSRDpEgTzQXb4f1ctswutcYxftvKI3c
+            EdfCGiRpVJx/wIuh82mL3SWqdi05Lekvt1zdLcG8Tx2+nF+52dWoyxNy1YMVyk0m
+            RXZFMZLHKumyDooairf1P11DOXcsa8FjZrqjvn6QI2LfmEGm3PQQQUXT8Wp/10e2
+            78Hr1rTGqQEzvSJu0FfDuundPws97ftPiuGcUD5hUj3rS6iGxdEp4trAPi0DCCd3
+            g7m6fNX41O8n39EU0Kp2G9kfICMghGEVL5czzRA4EsLH35K8XqP0ig6ay5kVXWrS
+            XgFic5jk5GdxzUL7TFjtr9AFFaWhIZkyyXwvEod3Ur3gB64Pi/ktet6OZSWU/7Wn
+            eRKn9yEm+W5Xzn9eiN6TYDsCWQBY5nP80YVuj53AMSu3KbR7UGy+AbJF3T+V6lo=
+            =GscV
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2

kubernetes/system/cilium/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - pool.yaml

kubernetes/system/coredns/zone-configmap.yaml

@@ -25,7 +25,7 @@ data:
 
     ; R740 and virtual machines
     r740            IN  A   10.1.1.223
-    bw-r740         IN  A   10.1.2.233
+    bw-r740         IN  A   10.1.2.117
     kube-r740       IN  A   10.1.2.171
     docker-r740     IN  A   10.1.2.212
     truenas         IN  A   10.1.2.139

kubernetes/system/flux/cert-manager-issuer.yaml

@@ -0,0 +1,20 @@
+# Flux Kustomization for cert-manager ClusterIssuer
+# Depends on cert-manager being fully operational (CRDs installed)
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager-issuer
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: homeprod
+  path: ./kubernetes/system/cert-manager-issuer
+  dependsOn:
+    - name: cert-manager
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops

kubernetes/system/flux/cert-manager.yaml

@@ -0,0 +1,32 @@
+# Flux Kustomization for cert-manager
+# Separate from main homeprod because cert-manager CRDs must be installed
+# before ClusterIssuer resources can be applied
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: homeprod
+  path: ./kubernetes/system/cert-manager
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: cert-manager
+      namespace: cert-manager
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: cert-manager-webhook
+      namespace: cert-manager
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: cert-manager-cainjector
+      namespace: cert-manager

kubernetes/system/flux/kustomization.yaml

@@ -0,0 +1,8 @@
+# Flux system resources
+# Contains Flux Kustomization resources for additional dependencies
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - webhook.yaml
+  - cert-manager.yaml
+  - cert-manager-issuer.yaml