build(deps): bump caddy in /kubernetes/system/caddy

Bumps caddy from 2.11.2 to 2.11.3. --- updated-dependencies: - dependency-name: caddy dependency-version: 2.11.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
build(deps): bump gitea/gitea from 1.25.5 to 1.26.2
2026-05-30 12:38:21 +00:00 · 2026-05-28 09:42:59 +00:00 · 2026-05-28 11:40:49 +02:00 · 2026-05-27 00:25:28 +02:00 · 2026-05-27 00:25:07 +02:00 · 2026-05-27 00:01:34 +02:00
54 changed files with 709 additions and 788 deletions
@@ -16,6 +16,7 @@ updates:
      - "/docker/infrastructure/network/traefik"
      - "/docker/infrastructure/squid"
      - "/docker/infrastructure/sshportal"
      - "/docker/personal/fireshare"
      - "/docker/personal/gramps"
      - "/docker/personal/media/films-series/jackett"
      - "/docker/personal/media/films-series/jellyfin"
@@ -33,7 +34,6 @@ updates:
      - "/docker/production/alexscript"
      - "/docker/production/buildpath"
      - "/docker/production/semeryfr"
      - "/docker/production/vhaudiquetfr"
      - "/docker/tools/excalidraw"
      - "/docker/tools/obsidian-livesync"
      - "/docker/tools/stirling-pdf"
@@ -51,7 +51,9 @@ updates:
      - "/kubernetes/personal/notesnook"
      - "/kubernetes/personal/photoprism"
      - "/kubernetes/production/umami"
      - "/kubernetes/production/vhaudiquet-fr"
      - "/kubernetes/system/blocky"
      - "/kubernetes/system/caddy"
      - "/kubernetes/system/coredns"
      - "/kubernetes/system/csi-driver-nfs"
      - "/kubernetes/system/external-dns"
@@ -3,7 +3,7 @@ creation_rules:
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    pgp: DC6910268E657FF70BA7EC289974494E76938DDC
  - path_regex: .*.yaml
-    encrypted_regex: ^(data|stringData)$
+    encrypted_regex: ^(data|stringData|.*.key|.*.crt)$
    pgp: DC6910268E657FF70BA7EC289974494E76938DDC
  - path_regex: .*.env$
    input_type: dotenv
@@ -53,6 +53,13 @@ sshportal:
  branch: main
  compose_file: docker/infrastructure/sshportal/docker-compose.yml
 fireshare:
  repo: homeprod
  branch: main
  compose_file: docker/personal/fireshare/docker-compose.yml
  sops_files:
    - docker/personal/fireshare/.env
 gramps:
  repo: homeprod
  branch: main
@@ -146,11 +153,6 @@ semeryfr:
  branch: main
  compose_file: docker/production/semeryfr/docker-compose.yml
 vhaudiquetfr:
  repo: homeprod
  branch: main
  compose_file: docker/production/vhaudiquetfr/docker-compose.yml
 excalidraw:
  repo: homeprod
  branch: main
@@ -80,3 +80,13 @@ This setup allows running multiple applications, either self-hosted applications
 | <img width=32 src="https://avatars.githubusercontent.com/u/26692192"> | Navidrome | Personal music streaming service |
 | <img width=32 src="https://avatars.githubusercontent.com/u/102734415"> | TubeArchivist | YouTube archiver |
 | <img width=24 src="https://radicale.org/assets/logo.svg"> | Radicale | Calendar and contacts server |
 ## Docs (internal, using this repository)
 This repository uses pre-commit hooks to automate tasks like file encryption and configuration generation.
 After cloning, install the pre-commit hooks:
 ```bash
 pre-commit install
 ```
@@ -3,7 +3,7 @@
 : - octodns:
      cloudflare:
        auto-ttl: true
-        proxied: true
+        proxied: false
    ttl: 300
    type: A
    value: 83.113.30.49
@@ -22,7 +22,7 @@ www:
  octodns:
    cloudflare:
      auto-ttl: true
-      proxied: true
+      proxied: false
  ttl: 300
  type: A
  value: 83.113.30.49
@@ -355,6 +355,13 @@ canada:
  ttl: 300
  type: A
  value: 192.99.6.159
 clips:
  octodns:
    cloudflare:
      auto-ttl: true
  ttl: 300
  type: A
  value: 83.113.30.49
 flix:
  octodns:
    cloudflare:
@@ -1,6 +1,6 @@
 services:
  esphome:
-    image: ghcr.io/esphome/esphome:2026.4.3
+    image: ghcr.io/esphome/esphome:2026.4.5
    ports:
      - "6052"
    networks:
@@ -1,6 +1,6 @@
 services:
  n8n:
-    image: docker.n8n.io/n8nio/n8n:2.18.4
+    image: docker.n8n.io/n8nio/n8n:2.21.2
    environment:
      - TZ=Europe/Paris
      - N8N_SECURE_COOKIE=false
@@ -1,6 +1,6 @@
 services:
  stalwart:
-    image: stalwartlabs/stalwart:v0.16.2
+    image: stalwartlabs/stalwart:v0.16.5
    container_name: stalwart
    networks:
      - default
@@ -1,6 +1,6 @@
 services:
  traefik:
-    image: traefik:3.6
+    image: traefik:v3.7
    command: 
      - "--configFile=/etc/traefik/traefik.yml"
    ports:
@@ -8,6 +8,8 @@ entryPoints:
      trustedIPs:
        - "127.0.0.1/32"
        - "10.1.2.11/32" # nginxproxymanager
        - "10.1.2.152/32" # caddy
        - "10.0.0.0/8" # caddy pods
 providers:
  docker:
@@ -0,0 +1,11 @@
 ADMIN_USERNAME=ENC[AES256_GCM,data:8ngfC8VHpaaGCQ==,iv:Ze7ThfWmAWj0ZvV3A7Pd+aqAW/pahkTZhdFC/TnAwZ0=,tag:KCFdGV1dEw3e+q6FBgy2cw==,type:str]
 ADMIN_PASSWORD=ENC[AES256_GCM,data:UhxEMnqYDyfgffqUf3Q=,iv:VvNX867P+w20Y7laG0R0c4BUw1uICeyF5SU3+waosRE=,tag:JL4GC+UZY3TqSmCq14CTpg==,type:str]
 SECRET_KEY=ENC[AES256_GCM,data:uahYXYr4DvavNMTTdcDA0hdp5wj3OLret3fPF1DEc2lis+E7/fe45DWFuhUu8RAK76tuheA=,iv:Lofc+PP7Rtg99l36yOx6bt0i8hg1DJXzwSKQNJCRYPw=,tag:AiUGZOiLyjKItf++Gya+eA==,type:str]
 DOMAIN=ENC[AES256_GCM,data:LyJ7RAgrioTltNQ/BKoPbEN8XQ==,iv:IHrT5TkaXuIhkfN/nHcapz4CNBG0t9lbzrHDjp04JLw=,tag:gjSa/tSVEqk6pXrfhjs7gQ==,type:str]
 sops_lastmodified=2026-05-06T17:05:48Z
 sops_mac=ENC[AES256_GCM,data:wRtDnVQkNsc1MtxSpbuVDuACkCwunYeyYSaQX2Tglm2kwOnx9iCyhuWY6RMYu5nfyJ1CT1kfqeGrGxhJ5uMDee29eLUv844X3hIXwpMT50jHFXEtfKLfRMfqpv9r9mbp2EP9VNDUtPyIwDk5vSjGeaYqEWtHW/q5y9qIrzqqy5g=,iv:UG4XGi3Qo8/nAddY+rzJm1AKIAmJjtR+2bDqSeaVxG4=,tag:SL2rvrxFmMfgyUyMqFIZEQ==,type:str]
 sops_pgp__list_0__map_created_at=2026-05-06T17:05:48Z
 sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//b6zlRVKrqzzszBJmnOUlfeZd5m2ekYv/zIBr4oxHyn5L\neLLff+N7hjBVSajg9Qg7GBQv7s3DX70vHTpdUP38UEO1aM0l3eU1JCwA4Hdh7Ds5\nnq330vUKhIAd+K8Vv4Ei9YHpj+kgMnt+R780qZUg18D39TAnx36q9b5SKzZCUsks\n3YM+G8pHLRipZhxp6zwhOPHVSnImOFjty4d6JV6Zes9zfslaETgva7p5DIKP0ttf\nI2JRacvL75MMp1USyqGKt7Bpl6Yz4VxY49aea+FxDlbzCVLuBBgZMoEjhPQifQfh\nB6OObmu1cVhECidrMHmqDBNqgKsNLble+g3Le+gJdn/zKxVc+q+cPPuk/JdT8tfv\nZTei6jg66IREZOrZCP3Gt4OB5LbkLdS0NET2CMVAYkGQvGrSC+diwUnFkI+WEh+p\noZhvgp/ytBgaw6ZyNPmvkGkFeFg1/ISpOHkVQ+P6Pnot8h4HvuI/KcBwJRCrtdbg\n+XMpqeQdmCnM04v5Uq1NVqRWHD0yvd7GHDOZCqJPMFHP0M6R+SwHq+8+pgbO3jxt\n+426MvhNKw8xWMtnUIO8sSSkzgOfT6vFXmzQvIawbXvitjGjiElkpmT5Hz3hn1Bm\nnu8CivqLwL4Gs1Uc2m6qHGkvGqxWwcHABWqftAk3VfhmjcFDwAyWROlCuD+A15PS\nXgE1wn9jLesXaiCwzAp4AOstkk0fR2yio4fa9dCeenzuedULNLuCyJfYtSm4QlSU\nvffH4iL8X/R24s6SdPsCIuNnAeKc0P4E55AlOaeZN4HcZzfspVikAZx+bK14JS8=\n=KGp6\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2
@@ -0,0 +1,58 @@
 services:
  fireshare:
    container_name: fireshare
    image: shaneisrael/fireshare:1.6.10-lite
    ports:
      - "80"
    volumes:
      - data:/data
      - processed:/processed
      - video:/videos
      - images:/images
    env_file:
      - .env
    environment:
      # PUID/PGID: the user/group ID the container runs as. Files written to your
      # volumes (data, processed, videos, images) will be owned by this user. Set these to
      # match the owner of your host directories to avoid permission errors.
      # Run `id` on your host to find your UID and GID.
      - PUID=1000
      - PGID=1000
    networks:
      - default
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.fireshare.rule=Host(`clips.vhaudiquet.fr`)"
      - "traefik.http.services.fireshare.loadbalancer.server.port=80"
 volumes:
  data:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/fireshare/data'
  processed:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/fireshare/processed'
  video:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/fireshare/video'
  images:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/fireshare/images'
 networks:
  proxy:
    external: true
    name: proxy
@@ -1,7 +1,7 @@
 services:
  grampsweb:
    container_name: grampsweb
-    image: ghcr.io/gramps-project/grampsweb:26.4.3
+    image: ghcr.io/gramps-project/grampsweb:26.5.1
    restart: always
    networks:
      - default
@@ -31,7 +31,7 @@ services:
  grampsweb_celery:
    container_name: grampsweb_celery
-    image: ghcr.io/gramps-project/grampsweb:26.4.3
+    image: ghcr.io/gramps-project/grampsweb:26.5.1
    restart: always
    environment:
      - GRAMPSWEB_TREE="Gramps Web"  # will create a new tree if not exists
@@ -52,7 +52,7 @@ services:
    command: celery -A gramps_webapi.celery worker --loglevel=INFO --concurrency=2
  grampsweb_redis:
-    image: docker.io/library/redis:8.6.2-alpine
+    image: docker.io/library/redis:8.6.3-alpine
    container_name: grampsweb_redis
    restart: always
@@ -1,7 +1,7 @@
 services:
  jackett:
    container_name: jackett
-    image: ghcr.io/hotio/jackett:release-v0.24.1789
+    image: ghcr.io/hotio/jackett:release-v0.24.1846
    ports:
      - "9117"
    networks:
@@ -1,6 +1,6 @@
 services:
  jellyfin:
-    image: jellyfin/jellyfin:2026042706
+    image: jellyfin/jellyfin:2026051106
    container_name: jellyfin
    networks:
      - default
@@ -14,7 +14,7 @@ services:
      ND_SESSIONTIMEOUT: 24h
      ND_BASEURL: "http://navidrome.lan"
      ND_PORT: 4533
-      ND_REVERSEPROXYWHITELIST: "172.20.0.0/16,10.1.2.11/32"
+      ND_REVERSEPROXYWHITELIST: "172.20.0.0/16,10.1.2.11/32,10.1.2.152/32"
    volumes:
      - data:/data
      - "music:/music:ro"
@@ -1,6 +1,6 @@
 services:
  radicale:
-    image: tomsquest/docker-radicale:3.7.1.0
+    image: tomsquest/docker-radicale:3.7.2.0
    container_name: radicale
    ports:
      - 5232
@@ -1,6 +1,6 @@
 services:
  syncthing-valentin:
-    image: syncthing/syncthing:2.0
+    image: syncthing/syncthing:2.1
    container_name: syncthing-valentin
    hostname: syncthing-valentin
    environment:
@@ -10,7 +10,7 @@ services:
    env_file: .env
  match_collector:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:ee32060a7f05bd963bed4337369e146ba6313d64
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:0224b7812c8631bde3e9513adace64341152fc20
    build: ./match_collector
    volumes:
      - bpcdragon_cache:/cdragon
@@ -23,7 +23,7 @@ services:
    env_file: .env
  frontend:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:ee32060a7f05bd963bed4337369e146ba6313d64
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:0224b7812c8631bde3e9513adace64341152fc20
    build: ./frontend
    restart: always
    volumes:
@@ -1,36 +0,0 @@
 services:
  vhaudiquetfr:
    container_name: vhaudiquetfr
    image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:259ad574d15c1b50e0766602b6b0b5ee39afd657
    networks:
      - default
      - proxy
    ports:
      - 80
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vhaudiquetfr.rule=Host(`vhaudiquet.fr`)"
    environment:
      - NGINX_HOST=vhaudiquet.fr
      - NGINX_PORT=80
    volumes:
      - files:/usr/share/nginx/html/files
      - public:/usr/share/nginx/html/public
 networks:
  proxy:
    external: true
    name: proxy
 volumes:
  files:
    driver: local
    driver_opts:
      type: 'none'
      o: 'bind'
      device: '/app/vhaudiquetfr/files'
  public:
    driver_opts:
      type: 'nfs'
      o: 'addr=truenas.lan'
      device: ':/mnt/main_storage/public'
@@ -52,6 +52,7 @@ find kubernetes -name 'release.yaml' -print0 \
 if ! [ -f .github/dependabot.yml ] || ! cmp -s "$tmpfile" .github/dependabot.yml; then
  mv "$tmpfile" .github/dependabot.yml
  echo "Updated .github/dependabot.yml!"
  git add ".github/dependabot.yml"
 else
  echo "No changes to .github/dependabot.yml."
 fi
@@ -33,6 +33,7 @@ find docker -name 'docker-compose.yml' -print0 \
 if ! [ -f .swarmcd/stacks.yaml ] || ! cmp -s "$tmpfile" .swarmcd/stacks.yaml; then
  mv "$tmpfile" .swarmcd/stacks.yaml
  echo "Updated .swarmcd/stacks.yaml!"
  git add ".swarmcd/stacks.yaml"
 else
  echo "No changes to .swarmcd/stacks.yaml."
 fi
@@ -1,137 +0,0 @@
 /* 
 * Docker machine terraform file
 */
 resource "proxmox_virtual_environment_download_file" "debian-latest-cloudimg" {
  content_type = "iso"
  datastore_id = "local"
  file_name = "debian-12-generic-amd64.qcow2.img"
  node_name = "pve"
  url = "https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-generic-amd64.qcow2"
 }
 resource "proxmox_virtual_environment_file" "docker-machine-cloud-config" {
  content_type = "snippets"
  datastore_id = "local"
  node_name    = "pve"
  source_raw {
    data = <<-EOF
    #cloud-config
    package_update: true
    packages:
      - git
      - ca-certificates
      - wget
      - curl
      - gnupg2
      - qemu-guest-agent
      - nfs-common
    runcmd:
      - systemctl enable --now qemu-guest-agent
      - install -m 0755 -d /etc/apt/keyrings
      - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
      - chmod a+r /etc/apt/keyrings/docker.asc
      - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
      - apt-get update
      - apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
      - docker swarm init
      - git clone https://github.com/vhaudiquet/homeprod /root/homeprod
      - mkdir /app
      - echo "truenas.lan:/mnt/fast_app_data/docker-homeprod      /app     nfs     defaults,_netdev    0 0" >>/etc/fstab
      - mount -t nfs truenas.lan:/mnt/fast_app_data/docker-homeprod /app
      - echo "${var.sops_private_key}" | gpg --import
    EOF
    file_name = "docker-machine-cloud-config.yaml"
  }
 }
 resource "proxmox_virtual_environment_vm" "docker-machine" {
  name = "docker-machine"
  node_name = "pve"
  on_boot = true
  agent {
    enabled = true
  }
  tags = ["debian", "debian-latest", "docker", "terraform"]
  cpu {
    type = "host"
    cores = 4
    sockets = 1
    flags = []
  }
  memory {
    dedicated = 16192
  }
  network_device {
    bridge = "vmbr0"
    model = "virtio"
    vlan_id = 2
  }
  lifecycle {
    ignore_changes = [
      network_interface_names,
      mac_addresses,
      ipv4_addresses,
      ipv6_addresses,
      id,
      disk,
      initialization,
      vga
    ]
  }
  boot_order = ["scsi0"]
  scsi_hardware = "virtio-scsi-single"
  vga {
    type = "serial0"
  }
  disk {
    interface = "scsi0"
    iothread = true
    datastore_id = "local-lvm"
    size = 128
    discard = "ignore"
    file_id = proxmox_virtual_environment_download_file.debian-latest-cloudimg.id
  }
  vm_id = 701
  initialization {
    datastore_id = "local-lvm"
    interface = "ide2"
    ip_config {
      ipv4 {
        address = "10.1.2.175/24"
        gateway = "10.1.2.1"
      }
    }
    user_account {
      keys = [trimspace(var.ssh_public_key)]
      password = var.machine_root_password
      username = "root"
    }
    vendor_data_file_id = proxmox_virtual_environment_file.docker-machine-cloud-config.id
  }
  operating_system {
    type = "l26"
  }
  tpm_state {
    version = "v2.0"
  }
  serial_device {}
 }
@@ -1,39 +0,0 @@
 terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "3.6.2"
    }
  }
 }
 # Docker configuration
 provider "docker" {
  host = "ssh://root@docker-machine.lan"
 }
 resource "docker_image" "swarm-cd" {
  name = "ghcr.io/m-adawi/swarm-cd:latest"
 }
 resource "docker_container" "swarm-cd" {
  name  = "swarm-cd"
  image = docker_image.swarm-cd.image_id
  volumes {
      host_path = "/var/run/docker.sock"
      container_path = "/var/run/docker.sock"
      read_only = true
  }
  volumes {
    host_path = "/root/homeprod/.swarmcd/repos.yaml"
    container_path = "/app/repos.yaml"
    read_only = true
  }
  volumes {
    host_path = "/root/homeprod/.swarmcd/stacks.yaml"
    container_path = "/app/stacks.yaml"
    read_only = true
  }
  depends_on = [ docker_image.swarm-cd ]
 }
@@ -1,381 +0,0 @@
 /* 
 * Kubernetes cluster terraform file
 */
 resource "proxmox_virtual_environment_download_file" "talos-cloudimg" {
  content_type = "iso"
  datastore_id = "local"
  file_name = "talos-v1.11.1-nocloud-amd64.iso"
  node_name = "pve"
  url = "https://factory.talos.dev/image/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515/v1.11.1/nocloud-amd64.iso"
 }
 resource "proxmox_virtual_environment_vm" "kube" {
  name = "kube-talos"
  description = "Kubernetes Talos Linux"
  tags = ["kubernetes", "talos", "terraform"]
  node_name = "pve"
  vm_id = 703
  machine = "q35"
  keyboard_layout = "fr"
  agent {
    enabled = true
  }
  stop_on_destroy = true
  cpu {
    cores = 4
    type = "x86-64-v3"
  }
  memory {
    dedicated = 16192
    floating = 16192
  }
  boot_order = ["scsi0", "ide0"]
  scsi_hardware = "virtio-scsi-single"
  cdrom {
    file_id = proxmox_virtual_environment_download_file.talos-cloudimg.id
    interface = "ide0"
  }
  disk {
    interface = "scsi0"
    iothread = true
    datastore_id = "local-lvm"
    size = 128
    discard = "ignore"
    file_format = "raw"
  }
  vga {
    type = "serial0"
  }
  initialization {
    datastore_id = "local-lvm"
    interface = "ide2"
    ip_config {
      ipv4 {
        address = "10.1.2.187/24"
        gateway = "10.1.2.1"
      }
    }
    user_account {
      keys = [trimspace(var.ssh_public_key)]
      password = var.machine_root_password
      username = "root"
    }
  }
  lifecycle {
    ignore_changes = [ 
      ipv4_addresses, ipv6_addresses, network_interface_names
     ]
  }
  network_device {
    bridge = "vmbr0"
    model = "virtio"
    vlan_id = 2
  }
  operating_system {
    type = "l26"
  }
  tpm_state {
    version = "v2.0"
  }
  serial_device {}
 }
 resource "talos_machine_secrets" "kube" {}
 data "talos_machine_configuration" "kube" {
  cluster_name = "kube"
  machine_type = "controlplane"
  cluster_endpoint = "https://kube-talos.lan:6443"
  machine_secrets = talos_machine_secrets.kube.machine_secrets
  config_patches = [
    yamlencode({
      machine = {
        install = {
          image = "factory.talos.dev/installer/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v1.11.1"
        }
        network = {
          nameservers = [
            "10.1.2.3"
          ]
        }
      }
      cluster = {
        allowSchedulingOnControlPlanes = true
        apiServer = {
          certSANs = [
            "kube-talos.lan"
          ]
        }
        network = {
          dnsDomain = "kube-talos.lan"
          cni = {
            name: "none"
          }
        }
        proxy = {
          disabled = true
        }
      }
    })
  ]
 }
 data "talos_client_configuration" "kube" {
  cluster_name = "kube"
  client_configuration = talos_machine_secrets.kube.client_configuration
  nodes = ["kube-talos"]
 }
 resource "talos_machine_configuration_apply" "kube" {
  client_configuration = talos_machine_secrets.kube.client_configuration
  machine_configuration_input = data.talos_machine_configuration.kube.machine_configuration
  node = "10.1.2.187" #proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
  depends_on = [ proxmox_virtual_environment_vm.kube ]
  lifecycle {
    replace_triggered_by = [ proxmox_virtual_environment_vm.kube ]
  }
 }
 resource "talos_machine_bootstrap" "kube" {
  node = "10.1.2.187" #proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
  client_configuration = talos_machine_secrets.kube.client_configuration
  depends_on = [ talos_machine_configuration_apply.kube ]
  lifecycle {
    replace_triggered_by = [ proxmox_virtual_environment_vm.kube ]
  }
 }
 resource "talos_cluster_kubeconfig" "kube" {
  node = proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
  depends_on = [ talos_machine_bootstrap.kube ]
  client_configuration = talos_machine_secrets.kube.client_configuration
 }
 output "kubeconfig" {
  sensitive = true
  value = talos_cluster_kubeconfig.kube.kubeconfig_raw
 }
 resource "local_file" "kubeconfig" {
    content     = "${talos_cluster_kubeconfig.kube.kubeconfig_raw}"
    filename = "${path.module}/kubeconfig"
    depends_on = [ talos_cluster_kubeconfig.kube ]
 }
 data "talos_client_configuration" "talosconfig" {
  cluster_name = "homeprod"
  client_configuration = talos_machine_secrets.kube.client_configuration
  nodes = [proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0]]
 }
 resource "local_file" "talosconfig" {
    content     = "${data.talos_client_configuration.talosconfig.talos_config}"
    filename = "${path.module}/talosconfig"
    depends_on = [ data.talos_client_configuration.talosconfig ]
 }
 # TODO : Wait for talos_cluster_kubeconfig...
 resource "helm_release" "cilium" {
  name = "cilium"
  namespace = "kube-system"
  repository = "https://helm.cilium.io/"
  chart = "cilium"
  wait = false
  depends_on = [ local_file.kubeconfig ]
  set {
    name = "ipam.mode"
    value = "kubernetes"
  }
  set {
    name = "kubeProxyReplacement"
    value = true
  }
  set {
    name = "securityContext.capabilities.ciliumAgent"
    value = "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
  }
  set {
    name = "securityContext.capabilities.cleanCiliumState"
    value = "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
  }
  set {
    name = "cgroup.autoMount.enabled"
    value = false
  }
  set {
    name = "cgroup.hostRoot"
    value = "/sys/fs/cgroup"
  }
  set {
    name = "k8sServiceHost"
    value = "localhost"
  }
  set {
    name = "k8sServicePort"
    value = 7445
  }
  set {
    name = "etcd.clusterDomain"
    value = "kube-talos.lan"
  }
  set {
    name = "hubble.relay.enabled"
    value = true
  }
  # Enable hubble ui
  set {
    name = "hubble.ui.enabled"
    value = true
  }
  # Gateway API support
  set {
    name = "gatewayAPI.enabled"
    value = true
  }
  set {
    name = "gatewayAPI.enableAlpn"
    value = true
  }
  set {
    name = "gatewayAPI.enableAppProtocol"
    value = true
  }
  # Gateway API trusted hops : for reverse proxy
  set {
    name = "gatewayAPI.xffNumTrustedHops"
    value = 1
  }
  # Single-node cluster, so 1 operator only
  set {
    name = "operator.replicas"
    value = 1
  }
  # L2 announcements
  set {
    name = "l2announcements.enabled"
    value = true
  }
  set {
    name = "externalIPs.enabled"
    value = true
  }
  # Disable ingress controller (traefik will be used for now)
  set {
    name = "ingressController.enabled"
    value = false
  }
  set {
    name = "ingressController.loadbalancerMode"
    value = "shared"
  }
  # Ingress controller for external : behind reverse proxy, trust 1 hop
  set {
    name = "envoy.xffNumTrustedHopsL7PolicyIngress"
    value = 1
  }
  # Set cilium as default ingress controller
  set {
    name = "ingressController.default"
    value = true
  }
  set {
    name = "ingressController.service.externalTrafficPolicy"
    value = "Local"
  }
 }
 resource "kubernetes_namespace" "flux-system" {
  metadata {
    name = "flux-system"
  }
  lifecycle {
    ignore_changes = [ metadata[0].annotations, metadata[0].labels ]
  }
  depends_on = [ talos_cluster_kubeconfig.kube, local_file.kubeconfig, helm_release.cilium ]
 }
 resource "kubernetes_secret" "flux-sops" {
  metadata {
    name = "flux-sops"
    namespace = "flux-system"
  }
  type = "generic"
  data = {
    "sops.asc"=var.sops_private_key
  }
  depends_on = [ kubernetes_namespace.flux-system ]
 }
 resource "helm_release" "flux-operator" {
  name = "flux-operator"
  namespace = "flux-system"
  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
  chart = "flux-operator"
  wait = true
  depends_on = [ kubernetes_secret.flux-sops ]
 }
 resource "helm_release" "flux-instance" {
  name = "flux"
  namespace = "flux-system"
  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
  chart = "flux-instance"
  values = [
    file("values/components.yaml")
  ]
  set {
    name = "instance.distribution.version"
    value = "2.x"
  }
  set {
    name = "instance.distribution.registry"
    value = "ghcr.io/fluxcd"
  }
  set {
    name = "instance.sync.name"
    value = "homeprod"
  }
  set {
    name = "instance.sync.kind"
    value = "GitRepository"
  }
  set {
    name = "instance.sync.url"
    value = "https://github.com/vhaudiquet/homeprod"
  }
  set {
    name = "instance.sync.path"
    value = "kubernetes/"
  }
  set {
    name = "instance.sync.ref"
    value = "refs/heads/main"
  }
  depends_on = [ helm_release.flux-operator ]
 }
@@ -1,46 +0,0 @@
 # Terraform providers configuration
 terraform {
  required_providers {
    proxmox = {
      source = "bpg/proxmox"
      version = "0.83.2"
    }
    talos = {
      source  = "siderolabs/talos"
      version = "0.9.0"
    }
    kubernetes = {
      source = "hashicorp/kubernetes"
      version = "2.38.0"
    }
    helm = {
      source = "hashicorp/helm"
      version = "2.17.0"
    }
  }
 }
 # Proxmox configuration
 provider "proxmox" {
  endpoint = "https://pve.lan:8006/"
  api_token = var.api_token
  insecure = true
  ssh {
    agent    = true
    username = "root"
  }
 }
 # Talos configuration
 provider "talos" {}
 # Kubernetes configuration
 provider "kubernetes" {
  config_path = "${path.module}/kubeconfig"
 }
 # Helm configuration
 provider "helm" {
  kubernetes {
    config_path = "${path.module}/kubeconfig"
  }
 }
@@ -1,19 +0,0 @@
 variable "api_token" {
  description = "Token to connect Proxmox API"
  type = string
 }
 variable "machine_root_password" {
  description = "Root password for VMs and containers"
  type = string
 }
 variable "ssh_public_key" {
  description = "Public SSH key authorized access for VMs and containers"
  type = string
 }
 variable "sops_private_key" {
  description = "Private SOPS GPG key for flux/kubernetes to decrypt secrets"
  type = string
 }
@@ -44,7 +44,10 @@ data "talos_machine_configuration" "kube" {
        }
        network = {
          nameservers = [
-            "10.1.2.3"
+            # We need a set of nameservers that can work independently of kube
            # to bootstrap. 
            "10.1.2.148",
            "1.1.1.1"
          ]
        }
        certSANs = [
@@ -10,7 +10,7 @@ instance:
    type: kubernetes
    multitenant: false
    networkPolicy: true
-    domain: "kube-talos.lan"
+    domain: "cluster.local"
  kustomize:
    patches:
      - target:
@@ -47,7 +47,9 @@ resource "proxmox_virtual_environment_file" "ai-cloud-config" {
 resource "proxmox_virtual_environment_vm" "ai" {
  name = "ai-${var.proxmox_node_name}"
  node_name = var.proxmox_node_name
-  on_boot = true
+  
  on_boot = false
  started = false
  agent {
    enabled = true
@@ -61,7 +61,7 @@ resource "proxmox_virtual_environment_vm" "docker-machine" {
  }
  memory {
-    floating = 16192
+    floating = 32000
    dedicated = 38768
  }
@@ -29,7 +29,7 @@ resource "proxmox_virtual_environment_vm" "kube" {
  memory {
    dedicated = 32768
-    floating = 16192
+    floating = 22222
  }
  boot_order = ["scsi0", "ide0"]
@@ -89,6 +89,12 @@ resource "proxmox_virtual_environment_vm" "kube" {
    vlan_id = 2
  }
  network_device {
    bridge = "vmbr0"
    model = "virtio"
    vlan_id = 2
  }
  operating_system {
    type = "l26"
  }
@@ -1,5 +1,5 @@
 image:
-    tag: 1.25.5
+    tag: 1.26.2
 ingress:
    enabled: true
    hosts:
@@ -17,10 +17,10 @@ postgresql:
    global:
        postgresql:
            auth:
-                postgressPassword: ENC[AES256_GCM,data:MGHcVoXxZmaAaA==,iv:jzp5H+mT1mwbJvuDnlgfQBMsilAZcR9Wpdv1Bem8zvc=,tag:9vPppIbycDJfgRV45jkwFg==,type:str]
+                postgressPassword: neptune343
-                password: ENC[AES256_GCM,data:jm4ffAcu06Rqog==,iv:pBWzn+/Udl99Vv7bLRv37uNZjPY/xMqrvDgUw6o+Am8=,tag:Y8PEv+NoEr9YU86WVebZqQ==,type:str]
+                password: neptune343
                database: gitea
-                username: ENC[AES256_GCM,data:OmrAE7E=,iv:ABU5b4rhwtxz0n8kwI7Nxqn0Cn//B4ScWJdYU3cE5ds=,tag:q/g0741vR06c5nDWGnTvYA==,type:str]
+                username: gitea
    volumePermissions:
        enabled: true
 postgresql-ha:
@@ -41,8 +41,8 @@ gitea:
    oauth:
        - name: Authentik
          provider: openidConnect
-          key: ENC[AES256_GCM,data:BvrQCp1uuKsU+ghFqGDtDSXkx71byFQnOKSCU2iMLQebhsZdocZbJQ==,iv:WY3p4ygfc7CuEjK18Ktr2c/a5bDnCoyNSfKqjXwjZuY=,tag:INMKosSqPzJOCcZ9m3UKKQ==,type:str]
+          key: szVZ3lPAjI0WJMisxTBnBXSRtglgCJGKXWSDAvbF
-          secret: ENC[AES256_GCM,data:7kWuHYZ+2UlLrlRC6bX54xu0EJ264pP3EkfycleNnE647+VNInviZ9OFdz+2E+Ujw5ktuU8Edl49ex/TZ3BLyBv5bgHgCySLIHrB9keEZIxuhnfV53csq7KmIvO+NALDbU2OlZZaiAyNMbJjRCSAxXRT2WtPVzadt6HkW3niiRE=,iv:4uWctDxVpRzqdErKp05WKuz7WYH5frktMe3gly4+VW0=,tag:isaFJX5Q+XaZnY1F2HFdfw==,type:str]
+          secret: pjRjUb1kSvmljl1foJCUWTpxGpwEViowUaTBbeebpS7QoehxS6y9sUoA5pgxgEYQta9HpnSshwGkNRVeYEjCkNv0uEV3K0r70Cp21ClOFeN7g5g8gmbgNRR5MAApg8Ma
          autoDiscoverUrl: https://authentik.vhaudiquet.fr/application/o/gitea/.well-known/openid-configuration
    config:
        APP_NAME: Gitea
@@ -68,29 +68,3 @@ gitea:
        indexer:
            ISSUE_INDEXER_TYPE: bleve
            REPO_INDEXER_ENABLED: true
 sops:
    lastmodified: "2026-04-05T11:32:32Z"
    mac: ENC[AES256_GCM,data:etLsvUBjDtzqpwdP9jontcVmFRvvsy7z70Rcztvm6kNybRsWKss2hRarl+IhxBqI5rQYaWjON9BNpjIBjnmKVPiwV7lYF7cSTEiHrCCBrFyhwYKxgsgwZCWCfSgOLMlhTjI55wISPFyhHaC/O6CsuzcGRAQ52B2PZBaeY0vNgF4=,iv:aag0M1SJn7uVLu99wmGMp3Ms5jlJCTzkyGUsdzcrGAE=,tag:H2+gdObpNEnoDKaW3IT+wQ==,type:str]
    pgp:
        - created_at: "2026-04-05T11:32:28Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7uy4qQr71wiAQ/+KsQV7ZuIF9YaJQjnLJk88FP661mApTJeQRo7MI/SIGTK
            Xrj2j9EU2QRny/56YD6x/vqENQ8Appnew4ejtLEJY/wWmfSaSuO0JWk40tOa95od
            YxQhYBi0/DuCTtLdLs1lrOH+GEKSQNbE8Srv6gmaWweu1yLHUye44M8DxOd+/dbf
            5q4sRtldgpAm8EFjdZQcollzoFyUDiE/G1bpml4hbkHVJhlSfJHTGN6bq96yuG2l
            et0MnNAMW2EJh3w6vGk1CJfEB6LUfR6KNUM4oPI3qVy9GeGDgTi4xv1cYAiVIcEv
            hXfDrwDGm1pUakLklzKcJ9TpNokPCimax5O2dNDKBdFaGuGVfYzIzcSIY1W3qZV9
            KfpaCtkfIDOtwUdjvxcdhpGbYYckcEz0TFtwTIIPeznQvyhtqNcNV9TDxmDoQiYG
            l1iY2dSoi7Fae7HT0QDrxw8rV9L2d+1qPkiEz9yOq+oJGYzuIy7ygPO7X1x2vkYm
            lXoxVyFrbH3K4Wb4ibukdAkrqQKZYnhqpxtvB/SFTlS90r2wewQSfivBTHT3yh3d
            j0Zjr2Ga8fiFdmy5ELyj7oKO4AWY67eFe1TdfV9dPb0qO7tVph2NbcNyhgp59ejk
            lUjJCJKlDyysu7VAvF8RzzQhfwBrZqar55Mou+HvrypOJpoCCKH9GNiemoudSx3S
            XAH+uZb87/xPqJP5XyXqOvW4WvLNRxCUcHwur9USiluKZYhdtaYicTOy3iif+sD+
            m80ahUph//L/9qTbNQU51AF1Lq0X6Mh0GkBa1b61iJu/PWizjlEEJS+/xpN5
            =FJi9
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    version: 3.10.2
@@ -0,0 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: vhaudiquet-fr
 resources:
  - namespace.yaml
  - repository.yaml
  - release.yaml
 secretGenerator:
  - name: vhaudiquet-fr-values
    files:
      - values.yaml=values.yaml
 configurations:
  - kustomizeconfig.yaml
@@ -0,0 +1,6 @@
 nameReference:
 - kind: Secret
  version: v1
  fieldSpecs:
  - path: spec/valuesFrom/name
    kind: HelmRelease
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: vhaudiquet-fr
@@ -0,0 +1,19 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: vhaudiquet-fr
  namespace: vhaudiquet-fr
 spec:
  interval: 1m
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: vhaudiquet-fr
        namespace: vhaudiquet-fr
      chart: vhaudiquet-fr
      version: '>=0.1.0-0'
      interval: 1m
  valuesFrom:
    - kind: Secret
      name: vhaudiquet-fr-values
@@ -0,0 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: vhaudiquet-fr
  namespace: vhaudiquet-fr
 spec:
  interval: 1m
  url: https://git.vhaudiquet.fr/api/packages/vhaudiquet/helm
@@ -0,0 +1,67 @@
 # Number of replicas
 replicaCount: 1
 # Container image configuration
 image:
    repository: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr
    pullPolicy: IfNotPresent
    # The image tag defaults to the chart appVersion (which is set to git SHA by CI).
    # Override this only if you need a specific version.
    tag: ""
 # Image pull secrets for private registries
 imagePullSecrets: []
 # Ingress configuration
 ingress:
    enabled: true
    className: ""
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
        - host: vhaudiquet.fr
          paths:
            - path: /
              pathType: Prefix
    tls: []
 # Environment variables
 env:
    NGINX_HOST: vhaudiquet.fr
    NGINX_PORT: "80"
 # NFS Storage configuration for public files
 nfs:
    enabled: true
    # NFS server IP address
    server: truenas.lan
    # NFS export path
    path: /mnt/main_storage/public
    # Mount path inside the container
    mountPath: /usr/share/nginx/html/public
    # Storage size for PVC
    storageSize: 10Gi
    # Storage class name (leave empty for default)
    storageClassName: ""
 sops:
    lastmodified: "2026-05-14T09:33:46Z"
    mac: ENC[AES256_GCM,data:R5ular4bAyV0cFPGUGYg4NWCGI64rWTax6ObBnCadORwSTh5/VQN3bsDDPFC3dep/7nKzY71d2X4qAcVU3RkWa9eMP+e9dhaGV9/8gvY/qDXZiNEuAXsmpaSATgUo6mUwqrwl5tn4ono4ID8gr7FRVpneTbYX/HpiWDbBa9l1Xk=,iv:wQ552gswkX5aOy/Cht1zY56camnb8EhEwy711osyf4c=,tag:t+U/1wRD7/z39KY9zjNcMQ==,type:str]
    pgp:
        - created_at: "2026-05-14T09:33:46Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7uy4qQr71wiAQ/+JAzu9u2Dgn+lA58pIhRbM1064juEOvebtBK0FdJCi7AG
            /Up2oooBmLMxybk16q0800kZHgOAcqTWkRcDq3QhC7nK+xcs03plTLLAlqfnh2x0
            XyqQVk4du9caRdgvgN96tG+oWUJcuUJ/uFunXAzRvPnNysS5sGXVKJmbVVKfTjqk
            UPyA5sBbCIxW10kPZJjprR1HaRl2dkgz7jZI/q2RXhFjCOhthMErBFr4f6xD3LnN
            H5XVtixNcVmIinsGUIgvPW+qknjrf17ammgEtOqjtuu4PUevQFt4zkVyjU0Y/ASj
            HAyYgSNIAXanb3u9ulL6CCg/CXJSofTrexw5RPM9eTQQ7S1KqHm/Ns6jjl/jXtEW
            cIQZ5bQJPTJu7W9gxGpgaLmWwGfoDWvmT2rIFYC9tf+61F4EbRvY6KepKET9NYTJ
            EnyDoxRsfVgxwQjyqpIpmNewWpgWwcLbD8INoJUVx/Yr284F9pBCgKqKRmeNH/Sy
            kEt3QD1ElohuwTx7XLkYf6LuDFy8kA5wFUPKUgxmoFsGZhMhmi8ysUkUxtYPPMD8
            YLVOK8UX3sYUDdY7tQjlgz6nhMqGL7ekqxyA5PSCGlhg5siKIhltz1CzadNOrsqF
            jHkiUCrDNu1ToRPllOw4WMwSzII/sf2oP3FJyE+/Rsl49rVjELLfC8eWPhG0yhXS
            XgGHbmvrm1QPl70dF+896QE/XtSydiqLUynCeIAvh61//ipS9lSZXpdDKEP5Q7ZD
            /lTbPRH7Y7EZUgarjBtc2wYg3iaBkELtS5lnQeJawHQ8/M3TxdWmgEeBim/qr+A=
            =K+50
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    version: 3.10.2
@@ -4,8 +4,12 @@ image:
    tag: v0.24
    pullPolicy: IfNotPresent
 controller:
-    replicas: 1
+    replicas: 2
    dnsPolicy: ClusterFirst
    strategy: RollingUpdate
    rollingUpdate:
        maxUnavailable: 0
        maxSurge: 1
 env:
    TZ: Europe/Paris
 service:
@@ -21,37 +25,68 @@ service:
            dns:
                port: 53
                protocol: UDP
 probes:
    liveness:
        enabled: true
        custom: true
        spec:
            tcpSocket:
                port: 53
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
    readiness:
        enabled: true
        custom: true
        spec:
            tcpSocket:
                port: 53
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
    startup:
        enabled: true
        custom: true
        spec:
            tcpSocket:
                port: 53
            initialDelaySeconds: 5
            periodSeconds: 2
            timeoutSeconds: 3
            failureThreshold: 30
 resources:
    limits:
        cpu: 600m
        memory: 768Mi
    requests:
        cpu: 200m
        memory: 256Mi
    requests:
        cpu: 50m
        memory: 64Mi
 # Full list of options https://github.com/0xERR0R/blocky/blob/main/docs/config.yml
 config: "upstreams:\n    groups:\n        default:\n            - 1.1.1.1\n            - 1.0.0.1\n        lan:\n            - 10.101.207.1\n\nconditional:\n    mapping:\n        lan: 10.101.207.1\n        cluster.local: 10.96.0.10\n        in-addr.arpa: 10.96.0.10\n\nblocking:\n    allowlists:\n        ads:\n            - |\n                dealabs.digidip.net\n                s.click.aliexpress.com\n                fonts.googleapis.com\n                fonts.gstatic.com\n                wl.spotify.com\n                www.googleadservices.com\n    \n    denylists:\n        ads:\n            - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts\n            - https://adaway.org/hosts.txt\n    \n    clientGroupsBlock:\n        default:\n            - ads\n    \n    blockType: zeroIp\n    blockTTL: 1m\n    loading:\n        refreshPeriod: 4h\n        downloads:\n            timeout: 60s\n\ncaching:\n    minTime: 5m\n    maxTime: 30m\n    # Disable negative caching (NXDOMAIN responses) for dynamic DNS\n    cacheTimeNegative: 0\n    prefetching: true\n    prefetchExpires: 2h\n    prefetchThreshold: 5\n\nprometheus:\n    enable: true\n    path: /metrics\n\nports:\n    dns: 53\n    http: 4000\n\nbootstrapDns: tcp+udp:1.1.1.1\n\nlog:\n    level: info\n    format: text\n    timestamp: true\n"
 sops:
-    lastmodified: "2026-05-02T14:36:10Z"
+    lastmodified: "2026-05-26T22:01:30Z"
-    mac: ENC[AES256_GCM,data:1SV8u2ozDlB/m8uo7I7AIa/1njmu1bJ5vKilcirfNByz8wp/LRTtRgWwpUOrxzd1+qg+ZC1/mSLQY/kdwWcTU9uP6uBNSLemWJgIRBobFmExDvtfidkJXRhTMUm9zdSNGS/EbQQOz+DV8AAuByTwbP6i5fTiVNVes8kBlYbPvjc=,iv:Ox25bYW8ch63eJgCkOTZxUP/6+w43lKjC2lzYdBzUjw=,tag:LgXken02vzuXDuxg4Iovrw==,type:str]
+    mac: ENC[AES256_GCM,data:PkXQH3Y+r4JUSRXJbNO+nQUhEvlQecvz5Jxwlb0bL3PPTi8Y8dCx9kxQAvMM9cijpcavGI04Fy0jRS07draTxlddzZ6FYqvVeu1FzQNtnVsobW/KNZ9mYIYPr9YEvybgHpdbbuO6lVjbERRrOLIFuECIpLoPX5D8+p8+43zBpAE=,iv:XJi6BsIC7wk7bqwSUFZMOwR3shYKjydvqBKNC55mmck=,tag:4C+QU5EAvUU+maw9txgGPQ==,type:str]
    pgp:
-        - created_at: "2026-05-02T14:36:09Z"
+        - created_at: "2026-05-26T22:01:29Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA7uy4qQr71wiARAAtdzdOgPBhpRSSnw5ZNXHpb6//E5SpCTDDOUbgpvw4FQj
+            hQIMA7uy4qQr71wiAQ//USgWAGbn6zOOTw0agC/U0bVyWv9Ez0QTqi/TD9Yv+p1U
-            ndqJwONMEm7RlZELlxpXq4Gr621j5hcdcc2vUl4ak8wC+1Ml2AAEYf0rrL2SQVVC
+            ksQhSFLs12LiBcH2j/fWs8KdEYJAwDqr7nZJsddz2gEVua223Z94cRiby10SvXfU
-            DAiRdHXilzOKJBx+qA+afZT4SNXnN8kv8LRq354mEpxMZ21ot0nZ+sjJiHrVGbSO
+            bH4jpRsdWXj3dH9AET6N+uqiXocfDASE7G2WZalmVOQtsFi1SSVsrcAm/ODts4As
-            B2l39o3POLoTmzB/0+iTn953txjijVn/Hm7JoQ7yqQXBwnzjK1F7IkOdv0hyvpW1
+            7H224kR4/rxWaCEZ0i6S6r9n9wIZiUZGrBk80W8bK/JWBbl4zfgJ9tkzk4NMpJXh
-            /Sba+yqZQTqdpH/EwRfQxf6OJpxMBIAj6/COzcp143O3tjVQAEHTaqHbY4rbrt07
+            TDpaYJxV0T8/kqk/gPaECfN5Il+WgvVL95hS5FI+AxWyeHwWPd5sUgeil0dPoDOj
-            yxvOZKy2tNP/xY62E35rTzGvMrRqUzFNtaYeycx5F0jHgYNITtlCPh1txf5PBq5H
+            DlNuCyVepSqOo325JH7VoU19YRwYZwh0By//0WHOI8WIjQYUxXTAvHJyg61RLNK9
-            kmR9NFCOHncX5BFTAXbWaGVQiWxa71mn3vy49BZCwwz21D3u5/PI0Vqe5JBccyVu
+            eqwIO6t2QZRol03MjXE7DCeoWraCG0nS+DDF0qHu8bNnhYHcBpiG8d8Lj9xpME51
-            4yqqIdwIrj5i0BdlIFHig1WbYzDjRriR4H1z/Y2Vvv1wtRao99rf8DhCxcWwEgNo
+            UL1iXSyh461jEcX+8yTImAFMn9Pvt9r+Iv2vT0ZJH8k2Fzxxli+RPL6CQY2qKY7E
-            vAOM1wSBHacr9uZrgAOvObkMWZ4m1UekIJXkA5803cb8J+ceneJ+EOWyYiFVPV8h
+            ibPM0S7nVc8Kb7214xkniped4muzZF2vQJ8qmbcLu9sr9LV5d5Y13OF1NUdc3DTX
-            MshaL9M1zuEydZqHwDHfMgR/BgVvSVFwPQSkfXnKYJHNS8QGTfZKFudBiP0Ij7DB
+            aRAiVErL2QJujoM5xxDC9CTu11e6TfLN9XysM31sCgDIXMb4fKjxYbJxKY99Y1+S
-            pjRf5f2b4FhDgCIg5BopWBxES0LscpFmHgrV0QDKiXOXJNMkVUF5+ITz6HwwwlnS
+            nQO2CiCUCb+hDLaWdmdSv/FY+1tKX67vrU9YeJ6XVJQhVhR+Rt30bvGkNwy34C/S
-            XAEwKWrC58GzNBKFCvSMeD83xy7icfdTkXvO30EW9CbEUAMYN4twgsHG+J5NDrUR
+            XAHh0aE8KlrY1eCIf5RAygKgLEa1cehKvaGQMOoHWrPfOQUrA6lCvFVSxnwwduIm
-            yaET3e2kmOWStkQsPmMtYEVRfRHOWr8XKQXMJfrA87ZC0P19UwUM0eRXJVCN
+            pJRbIgcsoLUPFffYcDdDmnvmSOfdCNm84k/CUiCtZxqgUkIX98KrZhAVXzCf
-            =0h7d
+            =mAAM
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
@@ -0,0 +1,93 @@
 # Caddy Routes - External ConfigMap
 # This file contains all route definitions, imported by the main Caddyfile.
 # Edit this file to add/modify routes.
 #
 # Certificate files are mounted from the caddy-certificates Secret
 # at /etc/caddy/certs/
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: caddy-routes
  namespace: caddy
  labels:
    app.kubernetes.io/name: caddy
    app.kubernetes.io/component: routes
 data:
  Caddyfile: |
    vhaudiquet.fr {
      tls /etc/caddy/certs/vhaudiquet-fr.crt /etc/caddy/certs/vhaudiquet-fr.key
      reverse_proxy 10.1.2.171:80
    }
    *.vhaudiquet.fr {
        tls /etc/caddy/certs/wildcard-vhaudiquet-fr.crt /etc/caddy/certs/wildcard-vhaudiquet-fr.key
        # Kubernetes services (via Traefik)
        @authentik   host authentik.vhaudiquet.fr
        @auth-nook   host auth-nook.vhaudiquet.fr
        @nook-mg     host n.vhaudiquet.fr
        @nook        host nook.vhaudiquet.fr
        @sse-nook    host sse-nook.vhaudiquet.fr
        @gitea       host git.vhaudiquet.fr
        @flux-wh     host flux-webhook.vhaudiquet.fr
        @umami       host umami.vhaudiquet.fr
        handle @authentik {
            reverse_proxy traefik.traefik.svc.cluster.local:80
        }
        handle @auth-nook {
            reverse_proxy traefik.traefik.svc.cluster.local:80
        }
        handle @nook-mg {
            reverse_proxy traefik.traefik.svc.cluster.local:80
        }
        handle @nook {
            reverse_proxy traefik.traefik.svc.cluster.local:80
        }
        handle @sse-nook {
            reverse_proxy traefik.traefik.svc.cluster.local:80
        }
        handle @gitea {
            reverse_proxy traefik.traefik.svc.cluster.local:80
        }
        handle @flux-wh {
            reverse_proxy traefik.traefik.svc.cluster.local:80
        }
        handle @umami {
            reverse_proxy traefik.traefik.svc.cluster.local:80
        }
        # Docker VM services (via Traefik)
        @alexscript     host alexscript.vhaudiquet.fr
        @clips          host clips.vhaudiquet.fr
        @jellyfin       host flix.vhaudiquet.fr
        @mail           host mail.vhaudiquet.fr
        handle @alexscript {
            reverse_proxy 10.1.2.212:80
        }
        handle @clips {
            reverse_proxy 10.1.2.212:80
        }
        handle @jellyfin {
            reverse_proxy 10.1.2.212:80
        }
        handle @mail {
            reverse_proxy 10.1.2.212:80
        }
    }
    semery.fr {
      tls /etc/caddy/certs/semery-fr.crt /etc/caddy/certs/semery-fr.key
      reverse_proxy 10.1.2.212:80
    }
    buildpath.win {
      tls /etc/caddy/certs/buildpath-win.crt /etc/caddy/certs/buildpath-win.key
      reverse_proxy 10.1.2.212:80
    }
@@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: caddy
 resources:
  - namespace.yaml
  - repository.yaml
  - release.yaml
  - certificates-secret.yaml
  - caddyfile.yaml
 secretGenerator:
  - name: caddy-values
    files:
      - values.yaml=values.yaml
 configurations:
  - kustomizeconfig.yaml
@@ -0,0 +1,6 @@
 nameReference:
 - kind: Secret
  version: v1
  fieldSpecs:
  - path: spec/valuesFrom/name
    kind: HelmRelease
@@ -0,0 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: caddy
  labels:
    app.kubernetes.io/name: caddy
    app.kubernetes.io/component: edge-proxy
@@ -0,0 +1,30 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: caddy
  namespace: caddy
 spec:
  interval: 1m
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: caddy
        namespace: caddy
      chart: caddy
      interval: 1m
      version: "0.7.1"
  valuesFrom:
    - kind: Secret
      name: caddy-values
  # Patch the Service to add loadBalancerIP since the chart doesn't support it
  postRenderers:
    - kustomize:
        patches:
          - target:
              kind: Service
              name: caddy
            patch: |
              - op: add
                path: /spec/loadBalancerIP
                value: "10.1.2.152"
@@ -0,0 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: caddy
  namespace: caddy
 spec:
  interval: 1m
  url: https://charts.alekc.dev/
@@ -0,0 +1,99 @@
 # Caddy Edge Proxy
 replicaCount: 2
 # Listen on standard HTTP port
 listenPort: 80
 # Enable HTTPS
 https:
    enabled: true
    port: 443
 image:
    repository: caddy
    pullPolicy: IfNotPresent
    tagSuffix: ""
    tag: 2.11.3
 service:
    type: LoadBalancer
    externalTrafficPolicy: Local
 # Disable ingress - Caddy IS the edge proxy
 ingress:
    enabled: false
 resources:
    requests:
        cpu: 100m
        memory: 128Mi
    limits:
        cpu: 500m
        memory: 256Mi
 # Caddy needs root to bind to ports 80/443 and write runtime data
 # Using restrictive security context causes "operation not permitted"
 podSecurityContext: {}
 securityContext: {}
 health:
    path: /
    port: 9999
 # Extra volumes: certificates + external routes ConfigMap
 volumes:
    - name: certificates
      secret:
        secretName: ENC[AES256_GCM,data:Er1F+5xhWKUT43+7jU/pwxWP,iv:Ohc3jFIQ4Enmbhd0F44SYWJiHlj1oFOrMdtM4oYKQEU=,tag:Kk8Y8aFSKMyGmY/uRVvyLw==,type:str]
        optional: ENC[AES256_GCM,data:JdlpGQ==,iv:xaoqonC9cGHXizHuAFrjhC4ZEtZ2IICeg2hxvGjyFM4=,tag:JYmlIXgIMON7z4++FrBGKQ==,type:bool]
    - name: routes
      configMap:
        name: caddy-routes
 # Extra volume mounts
 volumeMounts:
    - name: certificates
      mountPath: /etc/caddy/certs
      readOnly: true
    - name: routes
      mountPath: /etc/caddy/routes
      readOnly: true
 # Caddy configuration
 config:
    debug: false
    # Global options (goes inside the global {} block)
    global: |
        auto_https off
    # The main Caddyfile content - imports routes from external ConfigMap
    # This keeps routes in a separate, easily editable file
    caddyFile: |
        :80 {
            redir https://{host}{uri} permanent
        }
        import /etc/caddy/routes/Caddyfile
 affinity:
    podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                    matchLabels:
                        app.kubernetes.io/name: caddy
                topologyKey: kubernetes.io/hostname
 sops:
    lastmodified: "2026-05-08T11:43:14Z"
    mac: ENC[AES256_GCM,data:K0HWw8yTPKy6e3aQV4SdiVwrCjiyCFlFbeycAiyJq4IdlKX9v4wFvjVFLR8VziH8oXJXdUUhr+LOiqNI5HwghXkVn2dOP2ij9jvXZtMic4P0AUN16PfWoedu9ozA+xsGHZ1OTUv+sxvKEUo5Z5Wp+u761w/Xqdn5hHmU2Komatk=,iv:ICwn/LvizIjXVfgiMje50dQ11JAH37wSla29bGAnjuA=,tag:mV7rtahUy4ODZaA7baM12w==,type:str]
    pgp:
        - created_at: "2026-05-08T11:43:13Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7uy4qQr71wiAQ//aGnCSLLWTkhToTh833OJ1GwgN82F8R+RgsfpKIW+XNvI
            YdTCgaFrYdCGXsaLHijb7vVwCU0VRf/ufZfQp2+GupqRHCbMLSmlkoiyr9ImGlYX
            VWQDajv74H/3CcyCQNjqfFRdUHLE+rfNuYaH/p3+/Ee2bgJi52f3uRdJ4lXSCWIf
            KW9lLbwjlfGnOnsnDkaPwcZW9QL353Mi82yXOu7OihobUaVgr83nESXbAS/k4mx1
            whOXAoEDeLQZfZrITEewOQ0PHjWJwKc0x2YCiQ0If33GSfDjzWPoDuXmQo/xhk98
            Nt3aNTMDvjriGNOIcZyUlEjq1HqCmd3pQSD5h8soR9Do/NsTocyK1da49iz91dha
            jwoEga2iFis9Zd9rr7Caf3pWtmKENUGFJl15tpaelvk13jUebSyDubw0OIYbbILr
            dVZAeiOHrRMD5crxG05zvOeLMASuL/IrK97RLBAonZLEkRrfgAwZHK2U0rq2HXpI
            wlp4yDlF/eILvmMgAruP7lW0q/m5+DfxQtcZdamtm3FWj9m0iUAthvw02fplmFci
            xJ82rkfkPAZSm7/yPJ9yiea+tKgX8yk1uArRtf8rsG6SED2lCRKmux8ElcZc5DYV
            hyLivTN7X5Nr05mvaPIptCVm1iYoWaiQNZcPDax/LBZJhNaJgPUz1ue1Ppf422PS
            XgE4dh3x1ulcUhXm4nK/0FzKmJUOjcygPeGWmia0ZOEHub/ju+z8LgRAkBasqRXP
            4aepPm5xVY0g/Z0xksxIWpYUnLRzs0uUKd+zz1MvmWlZckxUO5wWJUWRcwCBDz4=
            =Ql2K
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    version: 3.10.2
@@ -6,3 +6,4 @@ spec:
  blocks:
  - cidr: "10.1.2.171/32"
  - cidr: "10.1.2.148/32"
  - cidr: "10.1.2.152/32"
@@ -12,7 +12,7 @@ spec:
        name: coredns
        namespace: coredns
      chart: coredns
-      version: "1.x.x"
+      version: "1.45.2"
      interval: 1m
  valuesFrom:
    - kind: Secret
@@ -1,8 +1,31 @@
-replicaCount: 1
+replicaCount: 2
 image:
    repository: coredns/coredns
-    tag: 1.12.0
+    tag: 1.14.3
    pullPolicy: IfNotPresent
 deployment:
    dnsPolicy: ClusterFirst
    strategy:
        type: RollingUpdate
        rollingUpdate:
            maxUnavailable: 0
            maxSurge: 1
 livenessProbe:
    httpGet:
        path: /health
        port: 8080
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
 readinessProbe:
    httpGet:
        path: /ready
        port: 8181
    initialDelaySeconds: 5
    periodSeconds: 5
    timeoutSeconds: 3
    failureThreshold: 3
 resources:
    limits:
        cpu: 100m
@@ -16,21 +39,35 @@ service:
        io.cilium/lb-ipam-ips: ""
 servers:
    - zones:
-        - zone: lan
+        - zone: cluster.local
      port: 53
      plugins:
        - name: kubernetes
          parameters: cluster.local in-addr.arpa ip6.arpa
          configBlock: |-
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
    - zones:
        - zone: .
      port: 53
      plugins:
        - name: errors
        - name: health
          configBlock: lameduck 5s
        - name: ready
        - name: debug
        - name: file
          parameters: /etc/coredns/zones/lan.zone lan
          configBlock: |-
            reload 10s
            fallthrough
        - name: etcd
          parameters: lan
          configBlock: |-
            path /skydns
            endpoint http://etcd.coredns.svc.cluster.local:2379
            fallthrough
        - name: file
          parameters: /etc/coredns/zones/lan.zone
          configBlock: reload 10s
        - name: cache
          parameters: 30
        - name: loadbalance
@@ -44,27 +81,27 @@ extraVolumes:
      configMap:
        name: coredns-lan-zone
 sops:
-    lastmodified: "2026-05-02T14:39:47Z"
+    lastmodified: "2026-05-02T16:59:44Z"
-    mac: ENC[AES256_GCM,data:Gu0D9opwQSxNgqtv2KLMd9XGh3SbEDFXUZbPPbxuLT1jT+TwWEYSEu60PKUnU8nOdukYIoiSE3hj29Wsg3IqqjUc0oEUHn1IRPGpn/UhsvURcKgrbyEv3mGjSDicKNMyDgbTTqiPJz/K++SvmRbjJbpDtiQhRrPvw/oaVf0Cj28=,iv:DD4sk2jp6zIkRQaMTXmhfvRwz/Nnt1ecN0HjqlG9zFU=,tag:nGYLN1djfe/GzBofLPuT8g==,type:str]
+    mac: ENC[AES256_GCM,data:H4uRid1Fqx4JzsF43TSGa7QcGjpXLAHiM0N3Kf4z7ab4eMlTy1+RXMV7xVT9BinjZzH6P+ENxo0yVOsdt0Yu467KJhGznNWlb2MC2TElPxZ9/yItJ+hdVGHGWbVGFWUL5NOUQ9fY2NPGw0CGr8qyftLr5Qkx0LO/VUgKWkq6RWM=,iv:9+V/sCBhfWAsIvr4DsWQgkeqQZQyT4Ti3Y+qCEZqU5c=,tag:JCRONb54BpXQzYhhPs7VGA==,type:str]
    pgp:
-        - created_at: "2026-05-02T14:39:46Z"
+        - created_at: "2026-05-02T16:59:43Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA7uy4qQr71wiARAAic/5FcANctn1HG4gfBM8p6ElQG3oo056iQDK1dbHzkNs
+            hQIMA7uy4qQr71wiAQ/9HzeTVqelbvPtluYa5xGvoYNeEEXg43CwrwZ1/z5yFWvx
-            HJ3KIZjP0BPwBag2jO6TJ51Y7Wtq62lvrggIifAEHt2FiV4oxDL+oRGwPq5l6l73
+            DoOCeyro5wFsNC6td7n2HVhtK0ULkfrMHH8OC+7L3bXbnlEnQzITmDggAUvfegCv
-            46xiTygo4X1zDcDLIX2wNv1UeiGdKA2mw2D33lHAxLQSkxuQE3/Pukb8YvXVgYNi
+            b/7ohPkOdLvi6qXbr8bgqCZYFnPq+gUs3UOPh5Tl6wgzRSFXw2Hsb4YmQkvZJUNb
-            2hpRFed4TpjccXkvTNL2d/yEvdqnDdHlxqboqvygIGw0u7KIhCIh+IRkjEFx0nvU
+            PhPpLIUe/ECE4hmEjO5v9o3X0o7qZ3bahf9mZZlnJnvXT7R/DM8eeWTis/q0WSHE
-            eKEq04jTWjE8SRCbFJu1jXMNQ0jkPkwU9XkM0FtuSus48lwe+jKdo4+uYXZBDQdC
+            XnclhOX4GlMwXxa65sRrShuPcsV3qqX3VWOSWJFBhGx/FDtZTkhlHGQ9YhF2TzbB
-            mUkZwQy0dzOMJGSa+1kJ9V3xt/pEEEsQKNfepz1QHjgoTYsU84JOwbPRBEBBNFB0
+            xxCrn87mH2W13NH6jQOQYPh1JTTJbgZZMZXgyPNmPDSYZE1kxTdrz4l4mcmCDND0
-            kvbuOYUGu9chuo9gt5ByGxetJBsH2ckKE5mNHxJ4KQOSBRM5dmaxjv8XVmVb60jo
+            hY3T8iR8ap2b3HhSNCqC1C0QN/bK217hTs8cJHWRRfa6jfh12imwk2XhJkB3zZxV
-            GXaq4Q7dVGtPiSBz0SUOdTna5+RKs1VHNbn54hRB54YNZoltJlbsjvS7weTkuDKF
+            O1oSb6eiP0ba0CgXu31shmfXuTAeVbTm6E50heYorjQKR5djjnOVwQUdmis1Awae
-            QHm0DgK9maebHSa/s434xYzyc7X3vsZ76xdUHX3ZwSLR7h4jVoWy6RP1cybWYWOg
+            AQTiWtBBbOgfX5WA5b6wInFr0WEsshG+YuqfB7FhJpo2SHyeFhgk47ssHWSeBpPv
-            CFX/L/7JVYZsBu414q2+75buzi55Ja8GUTjq3T2oyxtVtnC6zr8oLZM9TFwEe+QF
+            wa4OAGaMkdGoePQhApZFrBCZHslEhPE+XQlDdyOtXCmxBOcLwe59ikWLV75j0DzS
-            C6pXdbLOx2ToGpqbk2Ps4vTqIo0pTBbzDohycFQCiGIyOS/ZDjmJ8pMmCxPxZRjS
+            NRUNOBYQ8Q1Y6Su/sJWW7TykQkmDirU+oIYxAngZyIyJSWvARPd6fJJvkqqg013S
-            XgEwhkNmirBPhGn+6DjeWJDB3p3vVy2BY7ftfGB8R+fxk4EqhhcnrZNhPvylTNqD
+            XgH1+LQJWNEJzIaLKCWbkZXnMstsOYrs4ynV4f/QZKU+Md5CgVbjy9KIC/trfNhj
-            A/UavumwRWNHFi0lCt9/OHON1bnrjTAUbcajaGq6D7vtSzyZcW2xL9nlJ04mOO4=
+            1t9kkyVVOEO7UmRhMyl8pK2gQDiOBrkhUJ5tSNFEfxM1llZ4GZRV+SUuMC3UzVA=
-            =pcZc
+            =l7Wo
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
@@ -65,3 +65,4 @@ data:
    webmail         IN  A   10.1.2.212
    wizarr          IN  A   10.1.2.212
    zigbee2mqtt     IN  A   10.1.2.212
    nodered         IN  A   10.1.2.212
@@ -8,35 +8,32 @@ ports:
                - 127.0.0.1/32
                # nginx-proxy
                - 10.1.2.11/32
                # caddy
                - 10.1.2.152/32
                - 10.0.0.0/8
 sops:
-    kms: []
+    lastmodified: "2026-05-26T11:18:08Z"
-    gcp_kms: []
+    mac: ENC[AES256_GCM,data:mA5hLNB0rwSiGhnyi24AhZIPJsLpZ6PpbXDyoxZ0q6YjitrClxBEnn2dHtEl2MD6dSLmNMVxnnGyGtl7j4ahfqhuct+oPSepeWT1QX8Xj/mJ2Yrt8UZfGQ1R0Ye+rKGFybluMguCRufioGQpU3TLs2TxB6RxUAiGMI1GyT3JBDY=,iv:Pf617ZQBgYbGEsF7AOtyZBCPUycQ7U/D+Sdl+MCF4y0=,tag:tleTblRukBO0V+zfL05fQw==,type:str]
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2025-03-22T13:26:30Z"
    mac: ENC[AES256_GCM,data:PMUHyPCnIhmUo5N1mdoMhDLXaFN6Cl0IGuq8EG3MGtY5X1g1QboL5nI5o25evFbuXdZn9KB2AqgzPZBxykhVpz8W+mj987g4VeDJ7sU/OnJibHSo+ibqoo0NvQaAMukWevqI7fAQZoyI3PZi07mMGYw23h2cmaJmsuAuDnQ0CvA=,iv:RRV/BF7OXFmBJX5lXZjrG4+4jjbjzMrR8BByMo5hfwA=,tag:+lVLSfdjHeJjA3dKMiRIGA==,type:str]
    pgp:
-        - created_at: "2025-03-22T13:26:30Z"
+        - created_at: "2026-05-26T11:18:08Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA7uy4qQr71wiAQ/8DGnKyC/pNGEAuuxcZjoLQhK8TJ3NgNQ3HBVLGpbVBb3S
+            hQIMA7uy4qQr71wiAQ/+PJv3xyn1nqVN4ENsKv1GgMaCrmD+F1bpyCEM6quoOe1V
-            P/n94oPwwEbWXpdq1/MapFgaiAP3kXyv308c0CeIICQvg9xFeXK7/o/X3ucJu/YV
+            Q3jnfTrHNKQySQFS+56KdWkpvf54jUtl2N+v+mAT+02FkdH+fkFQc0rSfqfpwE7H
-            TiMsBUCAIWKrN4lmNr3wgnMDQiRs9myzgmzJv3KOpbQr5cYnrT51spWCD2Nnt6Xm
+            8peu9wY5+nVRp3sUEacJjCgu44dzzIu0MzO9aHZw/JMr1Z+OF3mMeZ1vVEp43i6E
-            HfLyZrxGscW0lrRi6jeg/7lts3HYEs75i8xUS95pj5/a+7i83sfpaAFdkGcxV6Vq
+            ZwCd3HYBQVJ8DaSdkrT/a3r69dJZKYq3mL9XLYzc/6C4JFAF3oOO5Xzkx4BAQKrM
-            285Ys7S86Hrp2T0QkADHMJMXmbeTV18Psfy2v9SXgqeRMq1XHQDn+nPPkYY0kmhs
+            CDyVCJ6RihOyysiexRFGu72wIbiE1gSVqLAYzl8XDJyCcVOX8ZRuMh2ImGyuCXtI
-            7xVEwGHYLkKuyNmTm+ygsQAVGd/kCeqO+hsdKRtmJ5f4vh0w1ePftScqbfEwNuDl
+            8dANf39gf57Z3qM9ljNHgtUkFqcpeE66SdNCSeLK7pDl/02k6dPJr98+e0VtZPfv
-            ygEVUIoVhDYdUKnjwqjgiOxsx3Y6+RS4g3vg6gNWk1HunM24bzkFRP4w1lVYB07n
+            xt/sFUnAppi5dI4I4AZ1upqFWH3zpud+3G+5CYnfn0yqSgysuJyqzSYv7rjJVStY
-            hDcQeP0bqo7hopJjvM0VtXbSJq81duBup9DyyPaXOf30p0c+l9it4XdoeR7JaZ/y
+            oMdKprkLGcdLc9FJm3yaPluCnTGpPCaBpvx1bUlQSCIHcrbNj98kHjnuSDcUjgBc
-            nJ22POfQYCoJyKpgdB/eReLd/2MqLhdnsCUTd+CNTS1+nCz1M4JziagXU9CspnqP
+            xpcWmknbsZ0SFnU8fhe/p80Ud7h2Ya5Hp+GY+FPV2YDeQf03YKLGXujsVhm0scpo
-            sCYylw6aC9XfzScZldpysdqes1/1ZC9F2QeL6ZO66IRV3xBk/5eSsyZ275DRZYAj
+            KtAALuJo8uP3vniAaY6E1eQVZ09psqR3lFHgaRIyLVbOGkvOoE/sMVcS/odcKhgw
-            P4jf1UhA4U0LQoVPAjh9cA8SLm29MgfEwoFSLGx6wsJ//ibxMIlxku9gkiRRTkPU
+            Gr6bb2iQ9b0seITxk09HV84uRirzgR+R2A2bxD38ASRzbYwDyA0UnJMSJK+ZttfS
-            aAEJAhCQKhc7EsDKh7GgrlPh0763p+CuZR7yMp2W1kY9nU/w/802SgYEyLdPW1aY
+            XgERXIWVWlTL77IVifpdu+7EU+ElyCzlTLHIb0uqywVS2o/LzE+OgR+1tSj0SVl0
-            gG3zMpt1roTOQI7D0jM7NjcYOLeOHWR0ac00wqv3S7I9+4tXOxuHyTX6Og19Z3GV
+            +NvGYouZlrecytaBj8MG9thv9kK/vNShrl0QeAWNch3Qza7Xb8eLOhumqZVFI9U=
-            OUgA2wzhUFtj
+            =JbZl
            =2DEs
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
-    encrypted_regex: ^(password|ssh-key|api-key|user|username|privateKey|apiKey|extraArgs.*|extraEnvVars|.*secret.*|key|.*Password|.*\.ya?ml)$
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
-    version: 3.9.4
+    version: 3.10.2
Author	SHA1	Message	Date
dependabot[bot]	dd2c79e18c	build(deps): bump caddy in /kubernetes/system/caddy Bumps caddy from 2.11.2 to 2.11.3. --- updated-dependencies: - dependency-name: caddy dependency-version: 2.11.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-28 09:42:59 +00:00
vhaudiquet	b5e015f527	build(deps): bump gitea/gitea from 1.25.5 to 1.26.2	2026-05-28 11:40:49 +02:00
vhaudiquet	d623cbb60c	infra/r740/kube: values/components	2026-05-27 00:25:28 +02:00
vhaudiquet	a2ba97109b	infra/pve: remove pve, bye! p330 server fully empty and gone, only r740 remains :)	2026-05-27 00:25:07 +02:00
vhaudiquet	4f1e69cd05	blocky: update limits to give more memory/cpu	2026-05-27 00:01:34 +02:00
vhaudiquet	2df007dec1	infra/r740/kube: use kube dns as main dns resolver, fallback to 1.1.1.1	2026-05-26 23:42:03 +02:00
vhaudiquet	543fc8a47e	traefik: trust cluster network	2026-05-26 13:18:08 +02:00
vhaudiquet	f78296d55f	traefik: trust caddy reverse proxy	2026-05-26 13:11:44 +02:00
vhaudiquet	ead4450fc4	caddy: revert `66212c922a`	2026-05-26 13:10:56 +02:00
vhaudiquet	66212c922a	caddy: enable websockets for authentik	2026-05-26 12:06:27 +02:00
vhaudiquet	a480212804	trust caddy reverse proxy	2026-05-26 12:06:12 +02:00
vhaudiquet	348455fb59	dns: disable buildpath.win cloudflare proxy	2026-05-25 18:50:23 +02:00
dependabot[bot]	fe811cf521	build(deps): bump n8nio/n8n from 2.19.5 to 2.21.2 in /docker/home/n8n Bumps [n8nio/n8n](https://github.com/n8n-io/n8n) from 2.19.5 to 2.21.2. - [Release notes](https://github.com/n8n-io/n8n/releases) - [Commits](https://github.com/n8n-io/n8n/compare/n8n@2.19.5...n8n@2.21.2) --- updated-dependencies: - dependency-name: n8nio/n8n dependency-version: 2.21.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-17 12:00:05 +02:00
vhaudiquet	cd56789d53	dns: update local network entries for nodered	2026-05-16 01:09:53 +02:00
vhaudiquet	11b59bd812	vhaudiquet.fr: remove from docker	2026-05-14 19:03:30 +02:00
vhaudiquet	a58fe56404	vhaudiquet-fr: fix version constraint on kube	2026-05-14 12:13:34 +02:00
vhaudiquet	5768898f37	generate-*: make sure to git add automatically on modification	2026-05-14 11:35:13 +02:00
vhaudiquet	274e476a7f	vhaudiquet.fr: deploy vhaudiquet.fr to kube	2026-05-14 11:34:50 +02:00
vhaudiquet	aa05aba4a7	build(deps): bump buildpath	2026-05-14 00:22:26 +02:00
dependabot[bot]	bd2a2e8ab1	build(deps): bump stalwartlabs/stalwart Bumps stalwartlabs/stalwart from v0.16.4 to v0.16.5. --- updated-dependencies: - dependency-name: stalwartlabs/stalwart dependency-version: v0.16.5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-13 17:27:04 +02:00
dependabot[bot]	1d8ec4ae3e	build(deps): bump gramps-project/grampsweb in /docker/personal/gramps Bumps [gramps-project/grampsweb](https://github.com/gramps-project/gramps-web) from 26.5.0 to 26.5.1. - [Release notes](https://github.com/gramps-project/gramps-web/releases) - [Commits](https://github.com/gramps-project/gramps-web/compare/v26.5.0...v26.5.1) --- updated-dependencies: - dependency-name: gramps-project/grampsweb dependency-version: 26.5.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-13 17:26:48 +02:00
dependabot[bot]	69c32f6620	build(deps): bump hotio/jackett Bumps [hotio/jackett](https://github.com/hotio/jackett) from release-v0.24.1822 to release-v0.24.1846. - [Commits](https://github.com/hotio/jackett/commits) --- updated-dependencies: - dependency-name: hotio/jackett dependency-version: release-v0.24.1846 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-13 17:26:12 +02:00
dependabot[bot]	c903a1ccf3	build(deps): bump jellyfin/jellyfin Bumps jellyfin/jellyfin from 2026050514 to 2026051106. --- updated-dependencies: - dependency-name: jellyfin/jellyfin dependency-version: '2026051106' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-13 17:25:52 +02:00
dependabot[bot]	ab9231841e	build(deps): bump syncthing/syncthing in /docker/personal/syncthing Bumps syncthing/syncthing from 2.0 to 2.1. --- updated-dependencies: - dependency-name: syncthing/syncthing dependency-version: '2.1' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-13 17:25:35 +02:00
vhaudiquet	9dd6cb2b85	build(deps): bump buildpath	2026-05-11 22:56:01 +02:00
vhaudiquet	3a6a621193	Merge branch 'main' of https://github.com/vhaudiquet/homeprod * 'main' of https://github.com/vhaudiquet/homeprod: build(deps): bump tomsquest/docker-radicale in /docker/personal/radicale	2026-05-08 18:15:38 +02:00
vhaudiquet	17ab87e276	infra: update VMs - kube: add NIC, bump up memory - ai: set to off by default - docker: bump up memory to absorb buildpath importer consumption	2026-05-08 18:15:16 +02:00
dependabot[bot]	56f67dd447	build(deps): bump tomsquest/docker-radicale in /docker/personal/radicale Bumps tomsquest/docker-radicale from 3.7.1.0 to 3.7.2.0. --- updated-dependencies: - dependency-name: tomsquest/docker-radicale dependency-version: 3.7.2.0 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-08 15:44:22 +01:00
dependabot[bot]	33bdb8f3b0	build(deps): bump hotio/jackett Bumps [hotio/jackett](https://github.com/hotio/jackett) from release-v0.24.1815 to release-v0.24.1822. - [Commits](https://github.com/hotio/jackett/commits) --- updated-dependencies: - dependency-name: hotio/jackett dependency-version: release-v0.24.1822 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-08 12:44:23 +01:00
dependabot[bot]	1b4e2dafbc	build(deps): bump n8nio/n8n from 2.19.2 to 2.19.5 in /docker/home/n8n Bumps [n8nio/n8n](https://github.com/n8n-io/n8n) from 2.19.2 to 2.19.5. - [Release notes](https://github.com/n8n-io/n8n/releases) - [Commits](https://github.com/n8n-io/n8n/compare/n8n@2.19.2...n8n@2.19.5) --- updated-dependencies: - dependency-name: n8nio/n8n dependency-version: 2.19.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-08 12:44:12 +01:00
dependabot[bot]	9f59f7cea0	build(deps): bump esphome/esphome in /docker/home/esphome Bumps [esphome/esphome](https://github.com/esphome/esphome) from 2026.4.4 to 2026.4.5. - [Release notes](https://github.com/esphome/esphome/releases) - [Commits](https://github.com/esphome/esphome/compare/2026.4.4...2026.4.5) --- updated-dependencies: - dependency-name: esphome/esphome dependency-version: 2026.4.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-08 12:44:04 +01:00
vhaudiquet	524d0d7d3c	caddy: listen on port 80	2026-05-08 13:43:42 +02:00
vhaudiquet	51b22d769e	caddy: fix external ip annotation	2026-05-08 10:49:26 +02:00
vhaudiquet	4bd0274714	caddy: fix caddyfile syntax	2026-05-08 10:28:56 +02:00
vhaudiquet	69e3a793c8	caddy: change security context to fix permission error	2026-05-08 10:21:43 +02:00
vhaudiquet	d5831fd1e3	caddy: deploy caddy as edge reverse proxy (on kube)	2026-05-08 00:48:55 +02:00
vhaudiquet	cbf7842e8b	dns: fix dns file	2026-05-06 19:14:04 +02:00
vhaudiquet	0d5d688c18	fireshare: deploy fireshare, hello!	2026-05-06 19:08:33 +02:00
dependabot[bot]	de093a27bf	build(deps): bump esphome/esphome in /docker/home/esphome Bumps [esphome/esphome](https://github.com/esphome/esphome) from 2026.4.3 to 2026.4.4. - [Release notes](https://github.com/esphome/esphome/releases) - [Commits](https://github.com/esphome/esphome/compare/2026.4.3...2026.4.4) --- updated-dependencies: - dependency-name: esphome/esphome dependency-version: 2026.4.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 09:43:14 +01:00
dependabot[bot]	2f615136c2	build(deps): bump n8nio/n8n from 2.18.4 to 2.19.2 in /docker/home/n8n Bumps [n8nio/n8n](https://github.com/n8n-io/n8n) from 2.18.4 to 2.19.2. - [Release notes](https://github.com/n8n-io/n8n/releases) - [Commits](https://github.com/n8n-io/n8n/compare/n8n@2.18.4...n8n@2.19.2) --- updated-dependencies: - dependency-name: n8nio/n8n dependency-version: 2.19.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 09:43:08 +01:00
dependabot[bot]	98359d5181	build(deps): bump stalwartlabs/stalwart Bumps stalwartlabs/stalwart from v0.16.3 to v0.16.4. --- updated-dependencies: - dependency-name: stalwartlabs/stalwart dependency-version: v0.16.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 09:42:59 +01:00
dependabot[bot]	0d57085ba6	build(deps): bump traefik in /docker/infrastructure/network/traefik Bumps traefik from 3.6 to v3.7. --- updated-dependencies: - dependency-name: traefik dependency-version: v3.7 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 09:42:52 +01:00
dependabot[bot]	9f6fa770cf	build(deps): bump library/redis in /docker/personal/gramps Bumps library/redis from 8.6.2-alpine to 8.6.3-alpine. --- updated-dependencies: - dependency-name: library/redis dependency-version: 8.6.3-alpine dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 09:42:45 +01:00
dependabot[bot]	6c43d08174	build(deps): bump gramps-project/grampsweb in /docker/personal/gramps Bumps [gramps-project/grampsweb](https://github.com/gramps-project/gramps-web) from 26.4.3 to 26.5.0. - [Release notes](https://github.com/gramps-project/gramps-web/releases) - [Commits](https://github.com/gramps-project/gramps-web/compare/v26.4.3...v26.5.0) --- updated-dependencies: - dependency-name: gramps-project/grampsweb dependency-version: 26.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 09:42:36 +01:00
dependabot[bot]	fdf77dbd88	build(deps): bump hotio/jackett Bumps [hotio/jackett](https://github.com/hotio/jackett) from release-v0.24.1813 to release-v0.24.1815. - [Commits](https://github.com/hotio/jackett/commits) --- updated-dependencies: - dependency-name: hotio/jackett dependency-version: release-v0.24.1815 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 09:42:24 +01:00
dependabot[bot]	8cd97a2413	build(deps): bump jellyfin/jellyfin Bumps jellyfin/jellyfin from 2026042706 to 2026050514. --- updated-dependencies: - dependency-name: jellyfin/jellyfin dependency-version: '2026050514' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-06 09:42:17 +01:00
vhaudiquet	46c897e865	build(deps): bump buildpath	2026-05-04 18:34:04 +02:00
vhaudiquet	10d97e09bd	readme: update readme to add pre-commit hooks installation instruction	2026-05-04 00:22:07 +02:00
dependabot[bot]	f9affb5269	build(deps): bump hotio/jackett Bumps [hotio/jackett](https://github.com/hotio/jackett) from release-v0.24.1789 to release-v0.24.1813. - [Commits](https://github.com/hotio/jackett/commits) --- updated-dependencies: - dependency-name: hotio/jackett dependency-version: release-v0.24.1813 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-03 18:34:04 +01:00
dependabot[bot]	487a8d48ee	build(deps): bump stalwartlabs/stalwart Bumps stalwartlabs/stalwart from v0.16.2 to v0.16.3. --- updated-dependencies: - dependency-name: stalwartlabs/stalwart dependency-version: v0.16.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-03 18:33:57 +01:00
vhaudiquet	dcbef2cd0a	blocky: use the right health probe	2026-05-02 19:51:38 +02:00
vhaudiquet	7465ecedf8	infra: update docker VM RAM to 22222 (16 GiB is actually what it uses at regular load, so it crashes without more)	2026-05-02 19:18:23 +02:00
vhaudiquet	256c337db4	blocky, coredns: set replicaCount to 2, and enable blue/green 'RollingUpdate'	2026-05-02 18:59:49 +02:00
vhaudiquet	0ddeb75508	coredns: re-add file plugin with fallthrough	2026-05-02 18:45:19 +02:00
vhaudiquet	896002da8c	coredns: remove file plugin alltogether, change version	2026-05-02 18:43:31 +02:00
vhaudiquet	ef892b38a7	coredns: retry fix values.yaml	2026-05-02 18:36:22 +02:00
vhaudiquet	20d8e07a24	coredns: invert fallthrough in config	2026-05-02 18:32:06 +02:00
vhaudiquet	d9a1063630	coredns: try reversing order	2026-05-02 18:29:41 +02:00
vhaudiquet	3860f5849c	coredns: retry fallthrough in file plugin	2026-05-02 18:28:36 +02:00
vhaudiquet	f732f7247f	coredns: fix chart version	2026-05-02 18:27:38 +02:00
vhaudiquet	883330996a	coredns: fix values.yaml	2026-05-02 18:24:24 +02:00
vhaudiquet	c90caed623	coredns: set dnspolicy to clusterfirst	2026-05-02 18:20:53 +02:00
vhaudiquet	cfd521f502	coredns: try adding a different zone for kube resolution	2026-05-02 18:12:54 +02:00
vhaudiquet	f71faa0ae8	coredns: set zone to .	2026-05-02 18:04:52 +02:00
vhaudiquet	ce30776eeb	coredns: add kubernetes plugin	2026-05-02 17:28:07 +02:00
vhaudiquet	be092af161	coredns: add zone parameter for file plugin	2026-05-02 17:23:15 +02:00
vhaudiquet	0b75f66f30	coredns: add fallthrough to file plugin	2026-05-02 17:19:12 +02:00
vhaudiquet	e595bb2c45	coredns: add debug plugin	2026-05-02 17:14:06 +02:00
vhaudiquet	d82ce7a80f	coredns: tryfix etcd config with zone parameter	2026-05-02 16:52:21 +02:00