caddy: fix external ip annotation

.github/dependabot.yml

@@ -53,6 +53,7 @@ updates:
       - "/kubernetes/personal/photoprism"
       - "/kubernetes/production/umami"
       - "/kubernetes/system/blocky"
+      - "/kubernetes/system/caddy"
       - "/kubernetes/system/coredns"
       - "/kubernetes/system/csi-driver-nfs"
       - "/kubernetes/system/external-dns"

.sops.yaml

@@ -3,7 +3,7 @@ creation_rules:
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
     pgp: DC6910268E657FF70BA7EC289974494E76938DDC
   - path_regex: .*.yaml
-    encrypted_regex: ^(data|stringData)$
+    encrypted_regex: ^(data|stringData|.*.key|.*.crt)$
     pgp: DC6910268E657FF70BA7EC289974494E76938DDC
   - path_regex: .*.env$
     input_type: dotenv

kubernetes/system/caddy/caddyfile.yaml

@@ -0,0 +1,93 @@
+# Caddy Routes - External ConfigMap
+# This file contains all route definitions, imported by the main Caddyfile.
+# Edit this file to add/modify routes.
+#
+# Certificate files are mounted from the caddy-certificates Secret
+# at /etc/caddy/certs/
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: caddy-routes
+  namespace: caddy
+  labels:
+    app.kubernetes.io/name: caddy
+    app.kubernetes.io/component: routes
+data:
+  Caddyfile: |
+    vhaudiquet.fr {
+      tls /etc/caddy/certs/vhaudiquet-fr.crt /etc/caddy/certs/vhaudiquet-fr.key
+      reverse_proxy 10.1.2.212:80
+    }
+
+    *.vhaudiquet.fr {
+        tls /etc/caddy/certs/wildcard-vhaudiquet-fr.crt /etc/caddy/certs/wildcard-vhaudiquet-fr.key
+
+        # Kubernetes services (via Traefik)
+        @authentik   host authentik.vhaudiquet.fr
+
+        @auth-nook   host auth-nook.vhaudiquet.fr
+        @nook-mg     host n.vhaudiquet.fr
+        @nook        host nook.vhaudiquet.fr
+        @sse-nook    host sse-nook.vhaudiquet.fr
+
+        @gitea       host git.vhaudiquet.fr
+
+        @flux-wh     host flux-webhook.vhaudiquet.fr
+
+        @umami       host umami.vhaudiquet.fr
+
+        handle @authentik {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @auth-nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @nook-mg {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @sse-nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @gitea {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @flux-wh {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @umami {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+
+        # Docker VM services (via Traefik)
+        @alexscript     host alexscript.vhaudiquet.fr
+        @clips          host clips.vhaudiquet.fr
+        @jellyfin       host flix.vhaudiquet.fr
+        @mail           host mail.vhaudiquet.fr
+
+        handle @alexscript {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @clips {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @jellyfin {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @mail {
+            reverse_proxy 10.1.2.212:80
+        }
+    }
+
+    semery.fr {
+      tls /etc/caddy/certs/semery-fr.crt /etc/caddy/certs/semery-fr.key
+      reverse_proxy 10.1.2.212:80
+    }
+
+    buildpath.win {
+      tls /etc/caddy/certs/buildpath-win.crt /etc/caddy/certs/buildpath-win.key
+      reverse_proxy 10.1.2.212:80
+    }

kubernetes/system/caddy/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: caddy
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+  - certificates-secret.yaml
+  - caddyfile.yaml
+secretGenerator:
+  - name: caddy-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/system/caddy/kustomizeconfig.yaml

@@ -0,0 +1,6 @@
+nameReference:
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease

kubernetes/system/caddy/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: caddy
+  labels:
+    app.kubernetes.io/name: caddy
+    app.kubernetes.io/component: edge-proxy

kubernetes/system/caddy/release.yaml

@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: caddy
+  namespace: caddy
+spec:
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: caddy
+        namespace: caddy
+      chart: caddy
+      interval: 1m
+      version: "0.7.1"
+  valuesFrom:
+    - kind: Secret
+      name: caddy-values
+  # Patch the Service to add loadBalancerIP since the chart doesn't support it
+  postRenderers:
+    - kustomize:
+        patches:
+          - target:
+              kind: Service
+              name: caddy
+            patch: |
+              - op: add
+                path: /spec/loadBalancerIP
+                value: "10.1.2.152"

kubernetes/system/caddy/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: caddy
+  namespace: caddy
+spec:
+  interval: 1m
+  url: https://charts.alekc.dev/

kubernetes/system/caddy/values.yaml

@@ -0,0 +1,95 @@
+# Caddy Edge Proxy
+replicaCount: 2
+# Listen on standard HTTP port
+listenPort: 80
+# Enable HTTPS
+https:
+    enabled: true
+    port: 443
+image:
+    repository: caddy
+    pullPolicy: IfNotPresent
+    tagSuffix: ""
+    tag: 2.11.2
+service:
+    type: LoadBalancer
+    externalTrafficPolicy: Local
+# Disable ingress - Caddy IS the edge proxy
+ingress:
+    enabled: false
+resources:
+    requests:
+        cpu: 100m
+        memory: 128Mi
+    limits:
+        cpu: 500m
+        memory: 256Mi
+# Caddy needs root to bind to ports 80/443 and write runtime data
+# Using restrictive security context causes "operation not permitted"
+podSecurityContext: {}
+securityContext: {}
+health:
+    path: /
+    port: 9999
+# Extra volumes: certificates + external routes ConfigMap
+volumes:
+    - name: certificates
+      secret:
+        secretName: ENC[AES256_GCM,data:1HAy4ntUhnklTlxZgF92RLdT,iv:Vz/nfWy8yie5qre7+yzVzDpO1IW3x4SUJBQIzggGMJY=,tag:+HXDFjKHCJLjE5uW3HsEGQ==,type:str]
+        optional: ENC[AES256_GCM,data:6WPvqQ==,iv:CAxOsnyPZhLLQ4/xfDNFu8mgKVz5keDG0gfopL69v70=,tag:Nta3ov4Zmgu1uwI/1JRsWg==,type:bool]
+    - name: routes
+      configMap:
+        name: caddy-routes
+# Extra volume mounts
+volumeMounts:
+    - name: certificates
+      mountPath: /etc/caddy/certs
+      readOnly: true
+    - name: routes
+      mountPath: /etc/caddy/routes
+      readOnly: true
+# Caddy configuration
+config:
+    debug: false
+    # Global options (goes inside the global {} block)
+    global: |
+        auto_https off
+    # The main Caddyfile content - imports routes from external ConfigMap
+    # This keeps routes in a separate, easily editable file
+    caddyFile: |
+        import /etc/caddy/routes/Caddyfile
+affinity:
+    podAntiAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                    matchLabels:
+                        app.kubernetes.io/name: caddy
+                topologyKey: kubernetes.io/hostname
+sops:
+    lastmodified: "2026-05-08T08:49:14Z"
+    mac: ENC[AES256_GCM,data:pcStIiaO4zwMLYlpA3FZlwtesiXmhOcclk6GdQ5QRziGv/Te2bUuWGVA6EaeGJML6Mo0JG3jfyua6qQbPdVp6MBt34clcqoU51BG1Nxa6li0K2oqnJlo4evuhJqW1QDzPZZWs8XZaga6rEKNtLwp1R2CIKJU4V5wZAInnqGrnh8=,iv:bhGiargUSIvJ7vePYLBiyG/ZmXDjWyG0x55NG7kxSH8=,tag:H2dIz/JrPGg53BLOvz6ikg==,type:str]
+    pgp:
+        - created_at: "2026-05-08T08:49:14Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiAQ//VaH0Exxuw7YlBSLJc2UuNPVzDxkd6udLgpfLerMePX1s
+            9HeJslI2vcUG2lN8Pg9ZxTwqOJHsJDhetKNYIhTJ8ig899FWAz0DMG49Pv6QSQiM
+            eS8Mji6FavAhT9AkIgK635HbNqPQewBsYEyMTL3rScz5a2XEsgsNx+rta4HsFp0F
+            yqlXv/AIbxkr22edHbbfnTU+fcdEcprtaaqIg0hi1gUVqOLp+lZgakr+nfbY9KkB
+            5Y6KZFv2fYJ7xLgugT97sTXbk9YkQ+qjUvFVICkRDneTGmLfNocr+9KWe48KMXAN
+            QJ7Kb5rFkZLUko92i6KOnJlk4rbtmD2/pECmDeR1PX1ACZDRmcJMCSO0tdbuLS3C
+            8zEBsyebl5je4b91bncWNMjkXklhaF4FC8U5m2FP0BwQoGYq+9R3rGTv4Nx5ycPk
+            D4KfKY8p8kn7/AnhpBrFRg1E7YGERipMX6BvcXvgBHHUntp3VXdRG5HzHW3Fs1wq
+            w1HRQcm5VZpKfgJ4WoQ/aQB4clXrHBA+JNrrOhJ2LgRAIvayl0IKA/3ZZMahacbc
+            R1B96qr+2v160vDFp1ocZcDo72cWdCZ03t1eNPaaM7NKVsszD5WjYOomRh7ndLh1
+            l+MK3pvuqF6bekfFNmDVDgt9cpSl0UJ7wo2ZreSn5XhOXY88b7neu2BzUQOlU3LS
+            XAGnHhe99cHTE9NnH7egRZUMDhKI5gn1OkCgKCqBIcYp1gDKiPYdAHK7yjv0aJR/
+            j/VDwJzcB97ooiHmTRYrg5GpUEELkeZ6TIrjvZqOySXG9wIU74o8JUIyGtvt
+            =z8ER
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2

kubernetes/system/cilium/pool.yaml

@@ -6,3 +6,4 @@ spec:
   blocks:
   - cidr: "10.1.2.171/32"
   - cidr: "10.1.2.148/32"
+  - cidr: "10.1.2.152/32"