dependabot[bot]
b602510256 build(deps): bump bitnamilegacy/postgresql
Bumps bitnamilegacy/postgresql from 15.9.0 to 17.5.0.

---
updated-dependencies:
- dependency-name: bitnamilegacy/postgresql
  dependency-version: 17.5.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-08 00:20:26 +00:00
83 changed files with 412 additions and 2005 deletions


@@ -5,6 +5,7 @@ updates:
schedule:
interval: weekly
directories:
- "/docker/gitea-actions"
- "/docker/home/esphome"
- "/docker/home/matter-server"
- "/docker/home/mosquitto-mqtt"
@@ -16,7 +17,6 @@ updates:
- "/docker/infrastructure/network/traefik"
- "/docker/infrastructure/squid"
- "/docker/infrastructure/sshportal"
- "/docker/personal/fireshare"
- "/docker/personal/gramps"
- "/docker/personal/media/films-series/jackett"
- "/docker/personal/media/films-series/jellyfin"
@@ -36,6 +36,7 @@ updates:
- "/docker/production/semeryfr"
- "/docker/production/vhaudiquetfr"
- "/docker/tools/excalidraw"
- "/docker/tools/notesnook"
- "/docker/tools/obsidian-livesync"
- "/docker/tools/stirling-pdf"
- package-ecosystem: "helm"
@@ -46,16 +47,10 @@ updates:
- "/kubernetes/code/gitea"
- "/kubernetes/code/harbor"
- "/kubernetes/home/home-assisant"
- "/kubernetes/home/zigbee2mqtt"
- "/kubernetes/infrastructure/authentik"
- "/kubernetes/personal/linkwarden"
- "/kubernetes/personal/notesnook"
- "/kubernetes/personal/photoprism"
- "/kubernetes/production/umami"
- "/kubernetes/system/blocky"
- "/kubernetes/system/coredns"
- "/kubernetes/system/csi-driver-nfs"
- "/kubernetes/system/external-dns"
- "/kubernetes/system/traefik"
- "/kubernetes/tools/dashy"
- "/kubernetes/tools/glance"
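Review bot: The helm directory entry `"/kubernetes/home/home-assisant"` in the last hunk looks misspelled (the second `t` is missing), and a path that matches no real directory means that chart is never checked for updates. If the directory on disk is `home-assistant`, the entry should read `- "/kubernetes/home/home-assistant"`; if the directory really has that spelling, a one-line comment saying so would stop a later reader from "correcting" it. The +/- markers are lost in this rendering, so it is not certain that this line survives on the new side.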


@@ -1,21 +0,0 @@
name: DNS
on:
push:
branches: [main]
defaults:
run:
working-directory: ./dns
jobs:
update-records:
name: octodns
runs-on: ubuntu-latest
container: octodns/cloudflare:latest
steps:
- uses: actions/checkout@v4
- name: octodns-sync - production
run: octodns-sync --config-file ./config/production.yaml --doit
env:
CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}


@@ -1,3 +1,10 @@
gitea-actions:
repo: homeprod
branch: main
compose_file: docker/gitea-actions/docker-compose.yml
sops_files:
- docker/gitea-actions/.env
esphome:
repo: homeprod
branch: main
@@ -53,13 +60,6 @@ sshportal:
branch: main
compose_file: docker/infrastructure/sshportal/docker-compose.yml
fireshare:
repo: homeprod
branch: main
compose_file: docker/personal/fireshare/docker-compose.yml
sops_files:
- docker/personal/fireshare/.env
gramps:
repo: homeprod
branch: main
@@ -163,6 +163,13 @@ excalidraw:
branch: main
compose_file: docker/tools/excalidraw/docker-compose.yml
notesnook:
repo: homeprod
branch: main
compose_file: docker/tools/notesnook/docker-compose.yml
sops_files:
- docker/tools/notesnook/.env
obsidian-livesync:
repo: homeprod
branch: main


@@ -80,13 +80,3 @@ This setup allows running multiple applications, either self-hosted applications
| <img width=32 src="https://avatars.githubusercontent.com/u/26692192"> | Navidrome | Personal music streaming service |
| <img width=32 src="https://avatars.githubusercontent.com/u/102734415"> | TubeArchivist | YouTube archiver |
| <img width=24 src="https://radicale.org/assets/logo.svg"> | Radicale | Calendar and contacts server |
## Docs (internal, using this repository)
This repository uses pre-commit hooks to automate tasks like file encryption and configuration generation.
After cloning, install the pre-commit hooks:
```bash
pre-commit install
```


@@ -1,16 +0,0 @@
providers:
config:
class: octodns.provider.yaml.YamlProvider
directory: ./production
default_ttl: 3600
enforce_order: True
cloudflare:
class: octodns_cloudflare.CloudflareProvider
token: env/CLOUDFLARE_TOKEN
zones:
'*':
sources:
- config
targets:
- cloudflare


@@ -1,28 +0,0 @@
---
? ''
: - octodns:
cloudflare:
auto-ttl: true
proxied: true
ttl: 300
type: A
value: 83.113.30.49
- type: TXT
value: google-site-verification=BvFkK7orKeezgxGcdPiGa67PUm9RPI6ZjyyykhSJ24A
_acme-challenge:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
values:
- 15ks77ymwx2rPrwai5lV0KbySgDrN6AwDqt8e3LNc3Y
- ypJ7zk6-P0TPrdp4Ag2BTJ0NIaY9XNdndqlGOLaFACc
www:
octodns:
cloudflare:
auto-ttl: true
proxied: true
ttl: 300
type: A
value: 83.113.30.49


@@ -1,498 +0,0 @@
---
? ''
: - octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
- octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: MX
values:
- exchange: mail.vhaudiquet.fr.
preference: 10
- exchange: vhaudiquet.fr.
preference: 10
- octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
values:
- v=spf1 a ra=postmaster -all
- v=spf1 mx ra=postmaster -all
202412e._domainkey:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
values:
- v=DKIM1\; k=ed25519\; h=sha256\; p=jln+6mPae83WbgR5FHA1yw0exmcGVmkEwNx1ZpISv7k=
- v=DKIM1\; k=ed25519\; h=sha256\; p=zue5tDdPhC91KvjPj28r1F3RoQNiQamYahX371tPmd8=
202412r._domainkey:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
values:
- v=DKIM1\; k=rsa\; h=sha256\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Pzzsp4MALfuXDoYsmXotp5mCidcKsDeWycjCMyhGvBDjfaX8l0ZCPemPOjD+uMPhbZV7e1RkzIt6A0qmutDixT1Dup3uhYhnyblp4Gkx1e85vaIncE1V2paJ85EOsDH/4rcGtdcPQfANbPw9LlqcdU3S+X9KpYaMf2DqPPfYa7emhJxBklUMymY06lssqb7+3ltLujGH8J+qNIYJmPa0s1tf2Pu1/opBKkk1qeUyF/wLmW0UTwNB3UyRCSMwR4DzburfHfE9cSNcm/STzrWcPmDnro2E3S69pTmzECU0g2xRqBBq3eYfQO8KxtGGQy63KUqAAhN5D8n9BZ4+TbD5QIDAQAB
- v=DKIM1\; k=rsa\; h=sha256\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs7vM7V1LhJJ6NRazIFyZ5bGseKOABnwBwzNspD+hdeVa7bbE38L+xfbhKKopXwQCCV8lJ+BgDpLJQvTYgRR+6UjuYm7/b/BX8qewPZUGphamkNRExBalsMAxAf9zeMqPUfpjDEKggten90RdrklQCnn5ebyUcTFk+uKfImqn3S2L34vSHfuCtsaZExu8mCych2Q3ZBdx3gsAtmMsmqrAJqBOlF/d/1xVloNMMWBIUNY9NYdC+ZspTvoakIrTOIzHCfoiG3lzpWLM8Du7GWd2umpXOsM4RpJL1vTRDOWjnd25N63L3GlCnAfr8Yu2K77A2PvloOIwZXYrLFOB5S7jxwIDAQAB
202508e._domainkey:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
value: v=DKIM1\; k=ed25519\; h=sha256\; p=B25PCl1mN4ajiGlVW/CZnWlZzfUxKaB8EhIal4bAHEo=
202508r._domainkey:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
value: v=DKIM1\; k=rsa\; h=sha256\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1PMbJghh91KpUfghVLVuDiwyo3ChtYiphsR6Z/YJcCGcoNIInH4SJCfL43M5WDboWLzOw8ddGCZLERgY6AOt7LjpzXJpH8ReeZjBNvo57ZJLV9PYdr7Ejrj+ZB/9GAHk4WChWBWIPtbOvFrKyRUNABI2c5fVNPp2c57im+G10rgpCOrp1Y34PaNYpqKu2YyLpkWyAZc4kMUsuxKd9iSIDUCBPKibmQaKt1xJk8Wo1fqsXgVqRJ1iAvTFRyEjGkcA1g1m11mO7aXNuJmr7J41i6MqSwG2vQEPpadqJdqA9TkK2HcMeVV9Tn+4XLxpAHN31e96kXET+9CZlUW1lrSyfQIDAQAB
202510e._domainkey:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
value: v=DKIM1\; k=ed25519\; h=sha256\; p=ieEhnbQlDTWNsK8s38f392ef/Fvfrj511kHz9OoN06c=
202510r._domainkey:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
value: v=DKIM1\; k=rsa\; h=sha256\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvlO5KyPBJAYmGnIoaerGzNlWiiWCOiKaluIauTmRKArSDfDafDiy+k30mwtGRn4i4Q8EAWgplG4Xd3fRYCZsjsEna7QV0GDHsX5fY3eFPOnzdU0M5bbXne9UIztej+qUuPTq5BIZhCCNboAIKCKXbRdAJ+hVGnPkPUq+JjfD1EB2E4aoZ/ukoA+QYfq8A86X2TU1WQKNARRsQvGob1No1xyjtztu+1mt8FC15q/YGYfrNt9GxgPnWlsp2PuHgLblX8COiJMejWJ8DgRTmLc0ncEI3qVVpNICDzl0I8+cvkEgJxF6QA4EKB/SjzlfRooHbf7zwfxmcc5ndTsxix9NawIDAQAB
_25._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TLSA
values:
- certificate_association_data: 5dfdb3cf31b26f23d87c09f3a0cef642f64069a9fb7cfe29270bb5dc0f1e16bb
certificate_usage: 2
matching_type: 1
selector: 0
- certificate_association_data: 76e9e288aafc0e37f4390cbf946aad997d5c1c901b3ce513d3d8fadbabe2ab85
certificate_usage: 2
matching_type: 1
selector: 0
- certificate_association_data: 4e32b7ee52c9bd2a15b2df3cae5e3b060d737d71faaaac25336c5f193cbdb52ed2fdf38b29aea9fb97f59c8f86e75b5c364309a232623a99e638116ed66063fd
certificate_usage: 2
matching_type: 2
selector: 0
- certificate_association_data: afab698cbbbf892ebb555e09175056c1d4630fe7c350f44dcc6e71843d3b290df00d30ab4e356b630c69169d7633788338922fb637cf5b9f7be20a413eeaa518
certificate_usage: 2
matching_type: 2
selector: 0
- certificate_association_data: 3586d4ecf070578cbd27aedce20b964e48bc149faeb9dad72f46b857869172b8
certificate_usage: 2
matching_type: 1
selector: 1
- certificate_association_data: d016e1fe311948aca64f2de44ce86c9a51ca041df6103bb52a88eb3f761f57d7
certificate_usage: 2
matching_type: 1
selector: 1
- certificate_association_data: a1ef14fea3ca15a552d42665d2fe685672cfdd903de4b370b0d7d87c6d31b5df07142483f36e0e15e16b58f9ba1cbdeeebd4bcb8d74ab7ea32a087db2105f402
certificate_usage: 2
matching_type: 2
selector: 1
- certificate_association_data: f8a2b4e23e82a4494e9998fcc4242bef1277656a118beede55ddfadcb82e20c5dc036dcb3b6c48d2ce04e362a9f477c82ad5a557b06b6f33b45ca6662b37c1c9
certificate_usage: 2
matching_type: 2
selector: 1
- certificate_association_data: a69ec216999308f0ee575cdef98d6edabed8a6b4d2328e050ac9c7fa06404ad9
certificate_usage: 3
matching_type: 1
selector: 0
- certificate_association_data: ccae2719a01f7a6d17d939d8ec13324b7bdb0921ea55d5bfc2f226e54b8c15dd
certificate_usage: 3
matching_type: 1
selector: 0
- certificate_association_data: 7cd33aa6bafc850cc89d008fbd0a5cea942c6a573d605984f174fbe7360abbf71fc157ffe0324e380a8dfea62047b9aa140d5899188402ac677c29f96cc1118e
certificate_usage: 3
matching_type: 2
selector: 0
- certificate_association_data: 8149784990ba7e448295f9c4eb22abcaa4ecefa1b44f1a71ea13d6827d7068c6469cf5fb08a8ae772c1ef59cddbcfd84d744713c48e985136a234b494511fd03
certificate_usage: 3
matching_type: 2
selector: 0
- certificate_association_data: 08f3ffd1b6027093c136f6bb5bc1645a8db31cf2a4392b779c2a2045e152b8b8
certificate_usage: 3
matching_type: 1
selector: 1
- certificate_association_data: 12b3946513281ab20ebee4d38d2e139cac1688420015db90ee8e932fe153bc89
certificate_usage: 3
matching_type: 1
selector: 1
- certificate_association_data: 7b60aee1a230de2c32c0252540c606897ad66cbabc7331c2d40b7dd0e3249e0cc53e145605e610d8dc2f41dd16e12f51dca4641d13e748553bd0f596455dae77
certificate_usage: 3
matching_type: 2
selector: 1
- certificate_association_data: 8cee22274c3f828eda9d18c9954ed0a3ad5172e71b7852c780384bf3828ff1bb26fca899395e99e4d191c2d1e0a55404f97e76bb7d4ad8dff71c6c271d34de49
certificate_usage: 3
matching_type: 2
selector: 1
_caldavs._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: SRV
value:
port: 443
priority: 0
target: vhaudiquet.fr.
weight: 1
_carddavs._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: SRV
value:
port: 443
priority: 0
target: vhaudiquet.fr.
weight: 1
_dmarc:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
value: v=DMARC1\; p=reject\; rua=mailto:postmaster@vhaudiquet.fr\; ruf=mailto:postmaster@vhaudiquet.fr
_dmarc.ligory:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
value: v=DMARC1\; p=reject\; rua=mailto:postmaster@ligory.vhaudiquet.fr\; ruf=mailto:postmaster@ligory.vhaudiquet.fr
_imap._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: SRV
values:
- port: 143
priority: 0
target: mail.vhaudiquet.fr.
weight: 1
- port: 143
priority: 0
target: vhaudiquet.fr.
weight: 1
_imaps._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: SRV
values:
- port: 993
priority: 0
target: mail.vhaudiquet.fr.
weight: 1
- port: 993
priority: 0
target: vhaudiquet.fr.
weight: 1
_jmap._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: SRV
values:
- port: 443
priority: 0
target: mail.vhaudiquet.fr.
weight: 1
- port: 443
priority: 0
target: vhaudiquet.fr.
weight: 1
_mta-sts:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
values:
- v=STSv1\; id=12286879188751086068
- v=STSv1\; id=15827089775314309854
_pop3._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: SRV
values:
- port: 110
priority: 0
target: mail.vhaudiquet.fr.
weight: 1
- port: 110
priority: 0
target: vhaudiquet.fr.
weight: 1
_pop3s._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: SRV
values:
- port: 995
priority: 0
target: mail.vhaudiquet.fr.
weight: 1
- port: 995
priority: 0
target: vhaudiquet.fr.
weight: 1
_smtp._tls:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
value: v=TLSRPTv1\; rua=mailto:postmaster@vhaudiquet.fr
_smtp._tls.ligory:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
value: v=TLSRPTv1\; rua=mailto:postmaster@ligory.vhaudiquet.fr
_submission._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: SRV
values:
- port: 587
priority: 0
target: ligory.vhaudiquet.fr.
weight: 1
- port: 587
priority: 0
target: mail.vhaudiquet.fr.
weight: 1
- port: 587
priority: 0
target: vhaudiquet.fr.
weight: 1
_submissions._tcp:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: SRV
values:
- port: 465
priority: 0
target: ligory.vhaudiquet.fr.
weight: 1
- port: 465
priority: 0
target: mail.vhaudiquet.fr.
weight: 1
- port: 465
priority: 0
target: vhaudiquet.fr.
weight: 1
alexscript:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
auth-nook:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
authentik:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
autoconfig:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: CNAME
value: mail.vhaudiquet.fr.
autodiscover:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: CNAME
value: mail.vhaudiquet.fr.
canada:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 192.99.6.159
clips:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
flix:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
flux-webhook:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
git:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
jupyter:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
kasm:
octodns:
cloudflare:
auto-ttl: true
proxied: true
ttl: 300
type: A
value: 83.113.30.49
ligory:
- octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 82.64.154.58
- octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: MX
value:
exchange: ligory.vhaudiquet.fr.
preference: 20
lol:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
mail:
- octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
- octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: TXT
value: v=spf1 a ra=postmaster -all
md:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
mta-sts:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: CNAME
value: ligory.vhaudiquet.fr.
n:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
nook:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
notesnook:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
overleaf:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
sse-nook:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
umami:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49
www:
octodns:
cloudflare:
auto-ttl: true
ttl: 300
type: A
value: 83.113.30.49

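--- /dev/null
+++ b/docker/gitea-actions/.env
@@ -0,0 +1,11 @@
+GITEA_INSTANCE_URL=ENC[AES256_GCM,data:PYjmpgDEvPEC1S7MrN6d91IUBnGbFA9Xag==,iv:m7YQOMnuEoT5wDyy47aaTqjJG+dhqTJKf5i3hQs6GwY=,tag:2ldKTNRqdJEXTxr3uAyLLQ==,type:str]
+GITEA_RUNNER_REGISTRATION_TOKEN=ENC[AES256_GCM,data:RDnENtxQw80C7SwmMZV2DTlEx4+uvzVMy95leGb/1RR6egc6S4xWnQ==,iv:wThZ2+qukJqC+ApvXC9GBdneXJ00jkkTyq+2VXSDG+w=,tag:KygPnxauOpaI1goZ4+uf3g==,type:str]
+GITEA_RUNNER_NAME=ENC[AES256_GCM,data:HvNmmQyKxk16WQV8dRfPOfCO39w=,iv:z1YuNWvglBYaXQwZXjMzXD4ZN2d7c3eD9GdSaG1maNY=,tag:FtX6wG47uTGjTQ8UNvGfcg==,type:str]
+GITEA_RUNNER_LABELS=
+sops_lastmodified=2025-09-16T19:22:00Z
+sops_mac=ENC[AES256_GCM,data:JIp7wyaIsy2Jg9p3ybHAljkDn8vpDRHtf7Zm2/M4exe6CbWCRn1jGMle+SnKBv2DKVciquQ9B9cKtKnVCpEAQOceZ1WakwS/mCmjYTIHqcvm8/vst1BYiL1Ovbw2dDstzWo8g+UTKAmVC7E0TJ01vAbsOab+fVacKLHF97pBqW8=,iv:5tcuJntPXrWCeNTGQbXzLaGZnCc8rr+gKG+UTRBNUaY=,tag:g7EYMAaOmwjKFYfz1ID5xQ==,type:str]
+sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//c0J+b0XwnMbLlQku3tAEutXuEkQPMMrdOpPYwrua9nNu\nSVPBSiamnTeoaP2kM5lcaQ7HUaRLiS1qjXNVPsnAdkGPPID3SxUJzUo7Ca/JOq7e\n39ihqetWAcn9dNDofTxVKyvKXhXKGaDFy2LhaKugj4tkx6qdMA/XAldvRD6ik1jK\nAZjl2xGYTvZ+XgTGtFs6u3Z9ugD6Q3yPjKRSfeIO8NPT5OFFzY70wqlZflxcpupD\npnsvXQkAK1Rnz6F9+dh6jJYYijTdEe9Q0i+0Uy3q+wMsf8KRWs4ARD05DpgIOnUA\nG0s2kdOOlvqoJ/m2fSV7vkIcCvCwhEirn5kfrdUGi3ENazh0g3vpppAfE0ynZdSo\nDiXI7dzCwMxYi8edieOhK3RrOn8bx7B8F1WE+mHL6StQmD2G+xfvgtKlsEJGY2Ed\n1CpMZSQ0TwFx58fYiK+HsZrwAw/3YVzPWryaYvJ6P8QnY3oJOJihSYGRMmyH5WRo\nle1Rxd+Lrt1UnWyZQ7rpqMsYiIzihsNgNix/2wS1R9R1wRFXPdNDfzjrv1BGm/aJ\nOOqUFo6Hd3jEwYcSsG7mbe+hCAAXoJjZSU43dVzeZ0k5ls/lpOjqjQrZZLgz33uF\nNVNRAKTYD2y+/mQ4vpDUsHhu5rtjxh8u1CJf0++q1W/w+Z4ooq5hcNm3ud3DHYjS\nXgF1JA9ThTS+Hs1fV5SFzGMyFMFGeiTVJeww26R+1Vws7fFwbyAYugOqAgkiNkIf\nS2dsxlH1TRjBq1XD4GYk6P3VDUU5UyxG/5XiOexGEVSxBL/wg6TwpyL1hjvgc9k=\n=fmOe\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.10.2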


@@ -0,0 +1,6 @@
services:
runner:
image: docker.io/gitea/act_runner:nightly
env_file: .env
volumes:
- /var/run/docker.sock:/var/run/docker.sock
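Review bot: The `runner` service pulls `docker.io/gitea/act_runner:nightly` and bind-mounts `/var/run/docker.sock`, so an image that changes with every upstream build gets control of the host's Docker daemon, which is root-equivalent on the host. Pin the image to a release tag or digest, e.g. `image: docker.io/gitea/act_runner:<release-tag>@sha256:<digest>` (placeholders), which also gives the dependabot entry for `/docker/gitea-actions` a version it can track. Every workflow job scheduled on this runner can reach that socket as well, so add a comment above the volume stating which repositories may use the runner, or give jobs an isolated daemon (rootless or a docker-in-docker sidecar) instead of the host socket.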


@@ -1,6 +1,6 @@
services:
esphome:
image: ghcr.io/esphome/esphome:2026.4.4
image: ghcr.io/esphome/esphome:2025.11.3
ports:
- "6052"
networks:


@@ -1,6 +1,6 @@
services:
matter-server:
image: ghcr.io/matter-js/python-matter-server:8.1.2
image: ghcr.io/home-assistant-libs/python-matter-server:8.1.0
container_name: matter-server
restart: unless-stopped
network_mode: host


@@ -1,10 +1,9 @@
services:
n8n:
image: docker.n8n.io/n8nio/n8n:2.19.2
image: docker.n8n.io/n8nio/n8n:1.122.5
environment:
- TZ=Europe/Paris
- N8N_SECURE_COOKIE=false
- NODES_EXCLUDE="[]"
ports:
- "5678"
networks:
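Review bot: `N8N_SECURE_COOKIE=false` in the `environment` list makes n8n issue its session cookie without the Secure attribute, so the browser will also send it over plain HTTP. If the instance is only reached through a TLS-terminating reverse proxy (not visible in this hunk), drop the line or set `- N8N_SECURE_COOKIE=true`; if plain HTTP access is intended, a comment above the entry should say why. The +/- markers are lost in this rendering, so whether this entry is kept on the new side cannot be confirmed from here, and the service definition continues past the hunk.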


@@ -2,7 +2,7 @@ services:
zigbee2mqtt:
container_name: zigbee2mqtt
restart: unless-stopped
image: koenkk/zigbee2mqtt:2.9.2
image: koenkk/zigbee2mqtt:2.7.0
networks:
- default
- proxy


@@ -1,6 +1,6 @@
services:
roundcube:
image: roundcube/roundcubemail:1.6.15-apache
image: roundcube/roundcubemail:1.6.11-apache
container_name: roundcube
networks:
- default


@@ -1,6 +1,6 @@
services:
stalwart:
image: stalwartlabs/stalwart:v0.16.4
image: stalwartlabs/stalwart:v0.14.1
container_name: stalwart
networks:
- default


@@ -1,6 +1,6 @@
services:
traefik:
image: traefik:v3.7
image: traefik:3.6
command:
- "--configFile=/etc/traefik/traefik.yml"
ports:


@@ -1,11 +0,0 @@
ADMIN_USERNAME=ENC[AES256_GCM,data:8ngfC8VHpaaGCQ==,iv:Ze7ThfWmAWj0ZvV3A7Pd+aqAW/pahkTZhdFC/TnAwZ0=,tag:KCFdGV1dEw3e+q6FBgy2cw==,type:str]
ADMIN_PASSWORD=ENC[AES256_GCM,data:UhxEMnqYDyfgffqUf3Q=,iv:VvNX867P+w20Y7laG0R0c4BUw1uICeyF5SU3+waosRE=,tag:JL4GC+UZY3TqSmCq14CTpg==,type:str]
SECRET_KEY=ENC[AES256_GCM,data:uahYXYr4DvavNMTTdcDA0hdp5wj3OLret3fPF1DEc2lis+E7/fe45DWFuhUu8RAK76tuheA=,iv:Lofc+PP7Rtg99l36yOx6bt0i8hg1DJXzwSKQNJCRYPw=,tag:AiUGZOiLyjKItf++Gya+eA==,type:str]
DOMAIN=ENC[AES256_GCM,data:LyJ7RAgrioTltNQ/BKoPbEN8XQ==,iv:IHrT5TkaXuIhkfN/nHcapz4CNBG0t9lbzrHDjp04JLw=,tag:gjSa/tSVEqk6pXrfhjs7gQ==,type:str]
sops_lastmodified=2026-05-06T17:05:48Z
sops_mac=ENC[AES256_GCM,data:wRtDnVQkNsc1MtxSpbuVDuACkCwunYeyYSaQX2Tglm2kwOnx9iCyhuWY6RMYu5nfyJ1CT1kfqeGrGxhJ5uMDee29eLUv844X3hIXwpMT50jHFXEtfKLfRMfqpv9r9mbp2EP9VNDUtPyIwDk5vSjGeaYqEWtHW/q5y9qIrzqqy5g=,iv:UG4XGi3Qo8/nAddY+rzJm1AKIAmJjtR+2bDqSeaVxG4=,tag:SL2rvrxFmMfgyUyMqFIZEQ==,type:str]
sops_pgp__list_0__map_created_at=2026-05-06T17:05:48Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//b6zlRVKrqzzszBJmnOUlfeZd5m2ekYv/zIBr4oxHyn5L\neLLff+N7hjBVSajg9Qg7GBQv7s3DX70vHTpdUP38UEO1aM0l3eU1JCwA4Hdh7Ds5\nnq330vUKhIAd+K8Vv4Ei9YHpj+kgMnt+R780qZUg18D39TAnx36q9b5SKzZCUsks\n3YM+G8pHLRipZhxp6zwhOPHVSnImOFjty4d6JV6Zes9zfslaETgva7p5DIKP0ttf\nI2JRacvL75MMp1USyqGKt7Bpl6Yz4VxY49aea+FxDlbzCVLuBBgZMoEjhPQifQfh\nB6OObmu1cVhECidrMHmqDBNqgKsNLble+g3Le+gJdn/zKxVc+q+cPPuk/JdT8tfv\nZTei6jg66IREZOrZCP3Gt4OB5LbkLdS0NET2CMVAYkGQvGrSC+diwUnFkI+WEh+p\noZhvgp/ytBgaw6ZyNPmvkGkFeFg1/ISpOHkVQ+P6Pnot8h4HvuI/KcBwJRCrtdbg\n+XMpqeQdmCnM04v5Uq1NVqRWHD0yvd7GHDOZCqJPMFHP0M6R+SwHq+8+pgbO3jxt\n+426MvhNKw8xWMtnUIO8sSSkzgOfT6vFXmzQvIawbXvitjGjiElkpmT5Hz3hn1Bm\nnu8CivqLwL4Gs1Uc2m6qHGkvGqxWwcHABWqftAk3VfhmjcFDwAyWROlCuD+A15PS\nXgE1wn9jLesXaiCwzAp4AOstkk0fR2yio4fa9dCeenzuedULNLuCyJfYtSm4QlSU\nvffH4iL8X/R24s6SdPsCIuNnAeKc0P4E55AlOaeZN4HcZzfspVikAZx+bK14JS8=\n=KGp6\n-----END PGP MESSAGE-----
sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2


@@ -1,58 +0,0 @@
services:
fireshare:
container_name: fireshare
image: shaneisrael/fireshare:1.6.10-lite
ports:
- "80"
volumes:
- data:/data
- processed:/processed
- video:/videos
- images:/images
env_file:
- .env
environment:
# PUID/PGID: the user/group ID the container runs as. Files written to your
# volumes (data, processed, videos, images) will be owned by this user. Set these to
# match the owner of your host directories to avoid permission errors.
# Run `id` on your host to find your UID and GID.
- PUID=1000
- PGID=1000
networks:
- default
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.fireshare.rule=Host(`clips.vhaudiquet.fr`)"
- "traefik.http.services.fireshare.loadbalancer.server.port=80"
volumes:
data:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: '/app/fireshare/data'
processed:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: '/app/fireshare/processed'
video:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: '/app/fireshare/video'
images:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: '/app/fireshare/images'
networks:
proxy:
external: true
name: proxy


@@ -1,7 +1,7 @@
services:
grampsweb:
container_name: grampsweb
image: ghcr.io/gramps-project/grampsweb:26.5.0
image: ghcr.io/gramps-project/grampsweb:25.11.2
restart: always
networks:
- default
@@ -28,10 +28,14 @@ services:
labels:
- "traefik.enable=true"
- "traefik.http.routers.grampsweb.rule=Host(`gramps.lan`)"
healthcheck:
test: curl -f http://127.0.0.1:5000 || exit 1
interval: 30s
retries: 6
grampsweb_celery:
container_name: grampsweb_celery
image: ghcr.io/gramps-project/grampsweb:26.5.0
image: ghcr.io/gramps-project/grampsweb:25.11.2
restart: always
environment:
- GRAMPSWEB_TREE="Gramps Web" # will create a new tree if not exists
@@ -52,7 +56,7 @@ services:
command: celery -A gramps_webapi.celery worker --loglevel=INFO --concurrency=2
grampsweb_redis:
image: docker.io/library/redis:8.6.3-alpine
image: docker.io/library/redis:8.4.0-alpine
container_name: grampsweb_redis
restart: always


@@ -1,7 +1,7 @@
services:
jackett:
container_name: jackett
image: ghcr.io/hotio/jackett:release-v0.24.1815
image: ghcr.io/hotio/jackett:release-0.24.402
ports:
- "9117"
networks:


@@ -1,6 +1,6 @@
services:
jellyfin:
image: jellyfin/jellyfin:2026050514
image: jellyfin/jellyfin:2025120105
container_name: jellyfin
networks:
- default


@@ -1,7 +1,7 @@
services:
radarr:
container_name: radarr
image: ghcr.io/hotio/radarr:release-6.1.1.10360
image: ghcr.io/hotio/radarr:release-6.0.4.10291
ports:
- "7878"
networks:


@@ -1,7 +1,7 @@
services:
sonarr:
container_name: sonarr
image: ghcr.io/hotio/sonarr:release-4.0.17.2952
image: ghcr.io/hotio/sonarr:release-4.0.16.2944
ports:
- "8989"
networks:


@@ -1,7 +1,7 @@
services:
wizarr:
container_name: wizarr
image: ghcr.io/wizarrrr/wizarr:v2026.4.0
image: ghcr.io/wizarrrr/wizarr:v2025.11.3
networks:
- default
- proxy


@@ -1,6 +1,6 @@
services:
navidrome:
image: deluan/navidrome:0.61.2
image: deluan/navidrome:0.58.5
user: 1000:1000 # should be owner of volumes
ports:
- "4533"


@@ -2,7 +2,7 @@ services:
tubearchivist:
container_name: tubearchivist
restart: unless-stopped
image: bbilly1/tubearchivist:v0.5.10
image: bbilly1/tubearchivist:v0.5.8
ports:
- "8000"
networks:
@@ -49,7 +49,7 @@ services:
- archivist-es
archivist-es:
image: bbilly1/tubearchivist-es:8.19.0 # only for amd64, or use official es 8.16.0
image: bbilly1/tubearchivist-es:8.18.2 # only for amd64, or use official es 8.16.0
container_name: archivist-es
restart: unless-stopped
env_file:


@@ -16,7 +16,7 @@ services:
POSTGRES_DB: paperless
paperless-webserver:
image: ghcr.io/paperless-ngx/paperless-ngx:2.20.15
image: ghcr.io/paperless-ngx/paperless-ngx:2.20.1
restart: unless-stopped
networks:
- default


@@ -1,6 +1,6 @@
services:
radicale:
image: tomsquest/docker-radicale:3.7.1.0
image: tomsquest/docker-radicale:3.5.8.2
container_name: radicale
ports:
- 5232


@@ -9,7 +9,7 @@ services:
web_recipes:
restart: always
image: vabene1111/recipes:2.6.9
image: vabene1111/recipes:2.3.6
networks:
- default
- proxy


@@ -1,18 +1,15 @@
ME_CONFIG_MONGODB_ADMINUSERNAME=ENC[AES256_GCM,data:AHXIMA==,iv:trofFagJGNq5OyWDaN57vPpKwwG3SouiV5xLl5sJIBA=,tag:c1NUlmBouEb0Milri85QNw==,type:str]
ME_CONFIG_MONGODB_ADMINPASSWORD=ENC[AES256_GCM,data:8X6+SphUNus=,iv:zwofVw03pToXHR6weckniT/fymFYeHZw6lVmrGUsnLc=,tag:lEWtnnqpwamNsCnkStsRfQ==,type:str]
ME_CONFIG_MONGODB_URL=ENC[AES256_GCM,data:3xLFWhRYU/EfhRw+rOs9pOb+nzsbV9IvQydB4VGZGw/WLkQd,iv:T9T6ewB+05qzFDL7z2WESs6fIc9lTFdjVxy/71YzhXo=,tag:S3YsOokO4jzhJVWep/QTsQ==,type:str]
ME_CONFIG_BASICAUTH=ENC[AES256_GCM,data:FnUichsnpQ==,iv:Ayw1Vqg5rj6P79vtERX2hRCttnol/4aNUG5Y0OhFVTo=,tag:JkTxro0kyYJLr9gdkY8A1Q==,type:str]
MONGO_USER=ENC[AES256_GCM,data:2KFDcg==,iv:wdDxrQd07+hC5GEq1DS0DLVASiL9L4ds1V3TG1NA9EQ=,tag:gieiOLmOfLtUQjfjwZg6qQ==,type:str]
MONGO_PASS=ENC[AES256_GCM,data:W80YLzp8G50=,iv:eFts3fhrB9PGEfC69d8btt4ko3gcOGrFZUy95hx2rCE=,tag:+1JFEiclNnjei8+2I42j6w==,type:str]
MONGO_HOST=ENC[AES256_GCM,data:0RknYUM=,iv:8QyL4KHrSr9pv1kX+FD09N2ltVSZkEKqtFCS30ik1v0=,tag:bTXBMHqp5JU9VTD3soXEyQ==,type:str]
MONGO_INITDB_ROOT_USERNAME=ENC[AES256_GCM,data:G6wekw==,iv:AH5qqxXOeEBVI2mXXPPrC1X8X/Vq5MHZBWdfNRNeK1c=,tag:nMkWql/aVHi2FGnJ5NGFBQ==,type:str]
MONGO_INITDB_ROOT_PASSWORD=ENC[AES256_GCM,data:jzVSUjGSjOY=,iv:S/Ar0oYN2vSE7pK+/tfp9RyCThtDbk0gOUYDyzNYjVE=,tag:whWyBFHuXBcmF+WixjafOw==,type:str]
RIOT_API_KEY=ENC[AES256_GCM,data:EzqWk1Y73htAXaUJhzByV6Aru/hxUNjHGK90ac1NGaz92Cwk9YEdmrb9,iv:KorIppEflVX2aDC8K3ndRzK1q6scNjdQfl38p/8fLGM=,tag:Ei2zLoiGOlOX8ocrO2wNMw==,type:str]
CDRAGON_CACHE_DIR=ENC[AES256_GCM,data:uMogP1/K/pc=,iv:/0A8fs9HEuksSiKV1SZDoslHHGlJe+vFw0BQ5zQ9BBA=,tag:grwWPwMQarpmSAUIgKDZ5Q==,type:str]
sops_lastmodified=2026-04-30T18:20:37Z
sops_mac=ENC[AES256_GCM,data:7teYIGLLHBH8TJ/gr3lcbtfo4CVl0Gj2RWPSLgx4AyTvM+pZaSvUDaVUhWuprSCVqZcDWI2tNHUOHE4aYlJzyt9JfQrooKLPkKUq3WX3bucg3Rv5GpiP1tNHiPDE7UZCBp5bkHhYvwn+dPjhObEUdMUuwMBDA9JSpPlr3YQCg/E=,iv:6knBO6QNe33E2bJw5WZMzcDzeTW9mwgjQtftv0FZq8s=,tag:xuIKZl7szrUyX8/D9xxAmA==,type:str]
sops_pgp__list_0__map_created_at=2026-04-30T18:20:33Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiARAAufkTVdCq2ARwMFuec9+0N1BzTo7WgGQhzKIJehe+uQ5I\nuPS5bafo5vrvxlCuxVmhup45CS3gm3X46hgHh/d3htaYzDnbyh/awbVGIhU9sa9T\n74i4jZAabzWjWAU8lAvxS6dJ6hf5U3MHOc1zYoCUfCJjgw+QRzR5PxZKFhpVklQU\nQJycdfRAl5oAqF7N6B7oCNTs7w1hbx2CJXBVGM8YoJySkThpXEY3dECxZ5nTSPmp\nXo3hmidO09uYsjWzcqynJHnh9RkMd1VAe6ULzhVIOv5KLXQLQV/paNAPdsxA5UmY\nE1imIFrqS25BVU9xbsGaPj6AHX6+Ux8bpO8TOVbpULe56Aq2c5GOjIZXb3p20K7N\nEk5rJ/K+8FxvytK3jDkhJI49wiDs9UDim02DSZmsWirIy/c02Ojy2d/Cxors1Lw/\nBCc4S6/ESH9u/LGlWs8WDqcDQqhHgeCvGOLAvOXs9eOCXNW2ROtNdfW808APbu1A\nzgYJwPtdfBhUv4KhZcEVMldWgX1OiYhcWMWYgJUXcfOwaRbzntZ/MczPNJ/a+57T\nPvH9GuTiwCXn0fOgcETTp9RPvXflL+4LPgh9drCOo4zwMvlqZs2+0Os2m8GDdDcL\nD45VMTsnNUXWuO7YUdtYX47bON2W6Z7NwzvkSr5odogzq1xw38SgRN7g3Jbl6+fS\nXAH/Rw8jWjpYztZ5HgDXisTxLEXqn5UNYKZBjzsLV5tE9GQp8ppck21igBiDCqoT\nsziZwFyRy/nKq076lZlRgSFr0pm4168u7Vn5x1TLQBHl+i0eKficgUQpwCFx\n=XUsx\n-----END PGP MESSAGE-----
ME_CONFIG_MONGODB_ADMINUSERNAME=ENC[AES256_GCM,data:GjWjDw==,iv:kBzyj+UsDd/el38BJFmn8CiDH0ojagZo91qyOAF7M8k=,tag:M7oaKZltblyTUp0ekD927w==,type:str]
ME_CONFIG_MONGODB_ADMINPASSWORD=ENC[AES256_GCM,data:diSSmsCxW5A=,iv:6kEac9UIlp/ksuqbLrB75eoJA3ReGoJNs/Pnr3C26yA=,tag:xY+J92/KtEsoN2ziqGNZ6Q==,type:str]
ME_CONFIG_MONGODB_URL=ENC[AES256_GCM,data:bUO+B5Bm7m/DUtCFpguFHQSyA7vkRbXcuPhYSNlpfnATVcgf,iv:WDSHNQyM5cnh1dxKAl0QXfXBmNfeoDjtZvKOeunvJAI=,tag:E0zwMGNECKYWvL/hFdanVg==,type:str]
ME_CONFIG_BASICAUTH=ENC[AES256_GCM,data:nj4ofzIdqw==,iv:PkWzZ7mRaftatgX7Whk43S5W2r/M/QGgmLoJ2MIC3Dc=,tag:/J6R5bRgsUFiOectNaKnIw==,type:str]
MONGO_USER=ENC[AES256_GCM,data:XopGfw==,iv:r2uoRr5k/nWSGiSOnseVze8UxeMxTnA174E2mWcxcO4=,tag:VWp076qsVpugr96cAwgiHQ==,type:str]
MONGO_PASS=ENC[AES256_GCM,data:QY4VoeaySJU=,iv:STKUpM03rSmfSzkK1mmOP6IDmC4gOnyBUpYzTYylguo=,tag:AFx59JJavyf/qW4eEdn5Ug==,type:str]
MONGO_HOST=ENC[AES256_GCM,data:iIPq+z4=,iv:Xrs9Z01H1/SnTGBTBHuFTCjU0CuCmHs0GABB6AL191E=,tag:LvgyigEAvac1tP6hF0O3+Q==,type:str]
RIOT_API_KEY=ENC[AES256_GCM,data:Zi8LX8LuFcAtvX0gLUOOH2KjqOLWUeFWy//MQ1PBdUy/YXqbUJEOsszQ,iv:am8ZA80GQ/pxavda0AR5S3ps6WUXfnpVHb36hZvxroo=,tag:LFvcViq8GZhWD+f4d0904Q==,type:str]
sops_lastmodified=2025-11-24T00:00:31Z
sops_mac=ENC[AES256_GCM,data:z/Va9k5vTCwmoVntX693PcV95D+fKrlmfe75ldyfkowCrgG/vl7s8uglKjn+wUixMdjz+bDYqR/RXovq9KmXhJO4TYOJd0JZdTXWqn+Ekk8OxooPLOgUdPvrL6rc3Iz53AhplSvAcoLzstZf8Z2WRGNIGve3jONJLFdFI+rL1HQ=,iv:SKTJDTBB6OGqBSfKLjj+xHG7c3ierdCo7mmQ9/+Z/gg=,tag:J92wwQtIyofqqnbm/sYtpA==,type:str]
sops_pgp__list_0__map_created_at=2025-11-24T00:00:31Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/+Ny6UKLVYWP+9bmkZcKBvQXuCti45eWD2NsEKWMtO2LoF\nw5qqzLS1DLWLMBFQz+sn35a6N/RBHfN2LeZehM0c3MKXeTQvkozoxY0Qsj/B4pds\n5XTYpF73wjBCqm48A3Bh3Y9JNl7IiEbbQmGfeunloAr2WWrKsX2ugb3Emay8UrQL\nNvaK8yLV8WfvOWopgeJfGTjV7IPEgW6CBKif8meSq1+D6YLNRbmqpup5eMnZPOWn\ngrH821Q3O8XrKKuALM9N7b+pyBWCqA/R2ohxkLsxHCHNVdDKMQiwGha7y+pu4Fz6\nfEymEw+BPFvwPhcpxMCeT3h1kEX1dbyrvuayrqilCuiSuWNybRNUr/Awpigc9swR\nslW4Tf8ojvnWurBrVbIHxT7uP6xpO9ByzrYCtHauPLuyerlt50GC4Rc6bcJ40Mml\ne0vhrCvoJfUNX+Hfy280rP8NP+K7tPXIhwAK8JRTIwebF1Z1V4qSbvblZlgjglPt\nq/kSy2QTkPfhAohCNEGQK2xkaCAgWhMHPZoYV2We4GCaPT81g6DH/JH/wwGg3uTD\nY15vhHitcgoe9Z9B4V+rW3LQcx59vfvsMkjdPpkzfjCPcOLicR+ZzmmACuZal6aa\n09N4nqd6ESLUc11u4ojcExfbRNbS8IrVRnJxUKe8neI8ANTBAQn/oIidi1OjixvS\nXgHF3afYw7it86b51pEhgwTQ3TxMC5rIix2UUk9EUHOMUxG86Dtf4Cs4S6x/a5q+\nfJ9q+931YCyRQDN3C9H+MSIYWa8d+xAf76ShVS0hW3+//X0Hel2HMb/VNX53jOY=\n=OcbU\n-----END PGP MESSAGE-----
sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2


@@ -1,19 +1,29 @@
services:
mongo:
hostname: mongo
image: mongo:8.2.3
image: mongo:8.0.1
restart: always
user: root:root
user: 2000:2000
volumes:
- bpmongo_data:/data/db:Z
- bpmongo_config:/data/configdb:Z
- mongo_data:/data/db:Z
- mongo_data:/data/configdb:Z
env_file: .env
patch_detector:
image: git.vhaudiquet.fr/vhaudiquet/lolstats-patch_detector:5ecd5f8a954031909425346d40c18ec89d97406c
build: ./patch_detector
restart: "no"
deploy:
restart_policy:
condition: any
delay: '0'
window: 10s
env_file: .env
match_collector:
image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:b2178fec85027348157a5442a81d00479154e581
image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:5ecd5f8a954031909425346d40c18ec89d97406c
build: ./match_collector
volumes:
- bpcdragon_cache:/cdragon
restart: "no"
deploy:
restart_policy:
@@ -23,11 +33,9 @@ services:
env_file: .env
frontend:
image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:b2178fec85027348157a5442a81d00479154e581
image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:5ecd5f8a954031909425346d40c18ec89d97406c
build: ./frontend
restart: always
volumes:
- bpcdragon_cache:/cdragon
networks:
- default
- proxy
@@ -40,9 +48,12 @@ services:
env_file: .env
volumes:
bpmongo_data:
bpmongo_config:
bpcdragon_cache:
mongo_data:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: '/app/buildpath/data/_data'
networks:
proxy:
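Review bot: Every `env_file` line visible in this file points at the same `.env`, so each service that loads it gets the full secret set, not just the values it reads. That `.env` is presumably the SOPS-encrypted file in the preceding section, which holds the MongoDB admin and user credentials, the `ME_CONFIG_BASICAUTH` value and `RIOT_API_KEY`. The `frontend` service is attached to the `proxy` network, so if it loads this file too (its definition is cut by the hunk boundary), a compromise of the exposed container yields the database credentials. Splitting the file per service, e.g. `env_file: frontend.env` with only the variables the frontend needs, would contain that. Separately, `mongo_data` is listed at both `/data/db` and `/data/configdb`; if those lines are the new side, both paths share one bind directory and a comment or a second volume would make the intent clear.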


@@ -1,7 +1,7 @@
services:
vhaudiquetfr:
container_name: vhaudiquetfr
image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:259ad574d15c1b50e0766602b6b0b5ee39afd657
image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:bd5a8ff9fae266a2905e8421689caef2197e00cf
networks:
- default
- proxy


@@ -0,0 +1,22 @@
WEBRISK_API_URI=
INSTANCE_NAME=ENC[AES256_GCM,data:qEEZGdAX83nTP2isYB1sVSUlfLiv6Xw=,iv:vdLcvAbaCd2bEpHfQVv2CQEHO3cFdvLfgEGIMS/lA2w=,tag:uPUhfd/nuuxegH2RXkADSA==,type:str]
NOTESNOOK_API_SECRET=ENC[AES256_GCM,data:o9/2+nDeoBAXFE8R,iv:8Lzz6Flltia+pr6CmdaGaba8x/+KnIjhKdwJOkgX3ys=,tag:hHI3VZj/uOrmSMmhh+T4yA==,type:str]
DISABLE_SIGNUPS=ENC[AES256_GCM,data:w1MjyQ==,iv:NKjhnLyPeOakGSMwVmOft7WtK6ggDYx0OucmUZId4Dc=,tag:wk5GpTs5xOMQ2S6w1MLjQA==,type:str]
SMTP_USERNAME=ENC[AES256_GCM,data:N6/huGyOvYbkb580YyZ+5u3chhA=,iv:pyglhbFMwyRxI1k9bmMS0sr/x+5RXn/I+fKavdNUSCc=,tag:/XgQDqYugazoFb0NQJGjSg==,type:str]
SMTP_PASSWORD=ENC[AES256_GCM,data:L2FG6mz9BlhuFfLNDa0=,iv:1P6ABsBleUYAn+Yz6qC3MbD2bR85HTrxM0aH8eRLVNY=,tag:IAggPwIHY5hobYobIGm8Qw==,type:str]
SMTP_HOST=ENC[AES256_GCM,data:3NSiYgn8jooDDZLTuTgj8Jah,iv:k0sz5H35fv9xzgfyV/NyE9CUVJySFvgbIoKuq7s+VF4=,tag:W7Ce8BUIz5bULaPOwIcv/Q==,type:str]
SMTP_PORT=ENC[AES256_GCM,data:AxM/,iv:tsQ8RA8f6YhxACcgUaHE3RgADcXB0hAd3dIkEtch0Bc=,tag:fxInjB435fi9XzLqdoOJwg==,type:str]
NOTESNOOK_APP_PUBLIC_URL=ENC[AES256_GCM,data:DCTjjJBUapunw5wZpQEWZscUtOZiAoWJFw==,iv:e192t2+LDSh6YokJso2I2hD3Z2yRJ4g0QwUyRSnACBo=,tag:ULInUTM5qbGJlCrVpkDxIg==,type:str]
AUTH_SERVER_PUBLIC_URL=ENC[AES256_GCM,data:9Nt/sTzOZwQZoaErm7epTw+buoWXQXQ8jZtlVZzLoiGDh7mjx9x9jQ==,iv:d0MvX6CWvEyx7YwIgGo3SIXV3hmZA3KqU5255gRhVAo=,tag:doKLa1njr4bK0lTy2i53DA==,type:str]
NOTESNOOK_APP_PUBLIC_URL=ENC[AES256_GCM,data:tzfOXeT0jBubJnvcx+EHmHQJhXXyJjkgMw==,iv:HM5ykxZ9E5BwLOU1+6pY9777Tz7CmPS+JyrBLbIj7BA=,tag:/1NhvVLkq4w+yWWWs338bA==,type:str]
MONOGRAPH_PUBLIC_URL=ENC[AES256_GCM,data:nTvb9xckE3Dwb8e3ngQimwbbEqu37kUgEQVJ9dKDAIAPkU7HumXMn3Y=,iv:QDjvaxuLWR80VL05C/lL17EVUpMsb8TF/9WRLw6fAPk=,tag:rdrAZlpJ5kY1O9QgmErBDQ==,type:str]
ATTACHMENTS_SERVER_PUBLIC_URL=ENC[AES256_GCM,data:SxJr4/nJRij39l6EACQz83dg8IPiSe9PjD7i6l9xAkpyvA==,iv:rrj951k7KQ8+FbU8cenkBv3ESBB7B6dpcX8aLeVjtNk=,tag:nVQyawlBhd69f+3MIk/Ftg==,type:str]
NOTESNOOK_CORS_ORIGINS=ENC[AES256_GCM,data:DOUsLeX882mGUKz1NcMhBRPydhoBYlxoyoSTSe6NEIiF9YM1TZwOBaJqw9zbdjy45zxzuvXxZmAFt+CL91/8oVHUMX2kBi1cT88W2nZU5g==,iv:sPUEYWPfTTR5o8Dm4rtFyD1rjkTkV9GgGlbZJPMPZGM=,tag:qNxvouzH/lgRZXWQtAGxsA==,type:str]
NOTESNOOK_CORS=ENC[AES256_GCM,data:H4pMn0DbumkeWxLjbKqvd//hTKav7Yucz9QT/Nnvu0sLLOiDMg3exKQy33VEWFuGs3F4CuqzcT2tKmi3viXbGQ9CnNsZp6EhBv1eWBQ21g==,iv:RI8hq0B/HJ98HTKg5y9TAZGzTulokqeqghXej/J6UHA=,tag:cvm+i+oNND7/340fV/VdsQ==,type:str]
sops_lastmodified=2025-10-15T14:21:43Z
sops_mac=ENC[AES256_GCM,data:+1PYCITFsGvfXDUAFAaDW6gBqfi/cE8Hrp9yw/wuS6E2Q1iw1GGEiFzeK/IL57MUvAZSdQkmv2bNrnboeDBYhHhADdqJdqht1SNui50aEYdLaHHUFADx54b157Op6HLYSccG1J6Hm7riBeurCDUxpC0hJ1whLva2V/T73LnzAf0=,iv:fsmU91jFjSDNjDfaki1c00cS2cya4jcVwd3pbSl/VBs=,tag:SOitwcXraXgrJVmfuLkDKg==,type:str]
sops_pgp__list_0__map_created_at=2025-10-15T14:21:43Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//Rp9OH/H6e414f5jzczN4JgAUcJ7iWvP7CfvPN6gMZiFf\nAHlzejEGhfSxyx8/HNrdWK2BQn1wEqKCTAfB4LtHFNXEvUlMUdxjbzVaqGk8YUQF\nrRduMHpHNamsalk+4Kz7oHWpjw994qxpypHvsFxczAH2NLzYD+brEovaRDi+XTUy\n+e64wNnLhDJS1Xtm2urF1dvs/XQmCYxIpANqGvMezS+vHT8fDQze9Ka1KJh+E/rp\nCFCu3rSbs74E4QjttDoHF1FgMqB1HnbyRStBnq62BjsUMGuV560m/9R76Q++QUBa\nG78pg87ixBtJib24eApeLRMqiIGCdSNxIPn2+b069k5Chp+KCuFl9OAxFUYWIuLs\nmzrizfMKY2iWxBbkn14p24dgHDTkIEnwTOIHSzXHy02AZFcY/Z15R/Yj/nsvnMzO\nUwY931MMoWjME5R/lWrLzBz9FniYxxPwosDzYPdJH9+tJIs4C9EQmmDbKR48inLF\nkNP/ZzNmmhosOHzAEVNlmOo955YTSeGwGLxTsqtpJzNesGnA5q+ENq5Li2v26RTm\nijZJG+U2MyM55jWdETm3bkPwZooUOxpKmJy1gaXNl8/b1Pp0t3fQRWKGGwhsFWsI\nZ8j2++lW+1Gu5EcpjvFH6jdEfDh1R4UMlRO/pyBpWDdBrCwxrPlOv/j2/ogCdEfS\nXgFQwcLcFtZleLH537SZLgf8IJhrKQr6MM8jQf1tv1sLZC0LF3Ojhw9zs8YrX821\nwg3kw0Vd0gsKxxcQHaoLHqwTV/dY0kSHjkbCzG53XT2+p97PFNjhAEKBvNovov8=\n=qFED\n-----END PGP MESSAGE-----
sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2
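Review bot: `NOTESNOOK_APP_PUBLIC_URL` is defined twice in this new env file, once before and once after `AUTH_SERVER_PUBLIC_URL`. Which value a consumer ends up with depends on the dotenv parser, and because both values are encrypted the difference cannot be seen in review. Remove one of the two entries, editing through sops so that `sops_mac` is regenerated. `WEBRISK_API_URI=` is also left empty and unencrypted; a one-line comment saying whether that is intentional would help the next reader.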


@@ -0,0 +1,224 @@
services:
notesnook-db:
image: mongo:8.0.15
hostname: notesnookdb
user: mongodb:mongodb
volumes:
- dbdata:/data/db
- dbdata:/data/configdb
networks:
- notesnook
command: --replSet rs0 --bind_ip_all
healthcheck:
test: echo 'db.runCommand("ping").ok' | mongosh mongodb://localhost:27017 --quiet
interval: 40s
timeout: 30s
retries: 3
start_period: 60s
notesnook-s3:
image: minio/minio:RELEASE.2024-07-29T22-14-52Z
# ports:
# - 9000:9000
networks:
- notesnook
- proxy
volumes:
- s3data:/data/s3
environment:
MINIO_BROWSER: "on"
env_file: .env
command: server /data/s3 --console-address :9090
healthcheck:
test: timeout 5s bash -c ':> /dev/tcp/127.0.0.1/9000' || exit 1
interval: 40s
timeout: 30s
retries: 3
start_period: 60s
labels:
- "traefik.enable=true"
- "traefik.http.routers.notesnook-s3.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/s3`)"
- "traefik.http.routers.notesnook-s3.middlewares=notesnook-s3"
- "traefik.http.middlewares.notesnook-s3.stripprefix.prefixes=/s3"
- "traefik.docker.network=proxy"
- "traefik.http.routers.notesnook-s3.entrypoints=http"
identity-server:
image: streetwriters/identity:v1.0-beta.5
ports:
- 8264
networks:
- notesnook
- proxy
env_file: .env
depends_on:
- notesnook-db
healthcheck:
test: wget --tries=1 -nv -q http://localhost:8264/health -O- || exit 1
interval: 40s
timeout: 30s
retries: 3
start_period: 60s
environment:
NOTESNOOK_SERVER_PORT: 5264
NOTESNOOK_SERVER_HOST: notesnook-server
IDENTITY_SERVER_PORT: 8264
IDENTITY_SERVER_HOST: identity-server
SSE_SERVER_PORT: 7264
SSE_SERVER_HOST: sse-server
SELF_HOSTED: 1
IDENTITY_SERVER_URL: https://notesnook.vhaudiquet.fr/identity
NOTESNOOK_APP_HOST: https://app.notesnook.com
MONGODB_CONNECTION_STRING: mongodb://notesnookdb:27017/identity?replSet=rs0
MONGODB_DATABASE_NAME: identity
labels:
- "traefik.enable=true"
- "traefik.http.routers.identity-server.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/identity`)"
- "traefik.http.routers.identity-server.middlewares=identity-server,notesnook-server-cors"
- "traefik.http.middlewares.identity-server.stripprefix.prefixes=/identity"
- "traefik.docker.network=proxy"
- "traefik.http.routers.identity-server.entrypoints=http"
- "traefik.http.services.identity-server.loadbalancer.server.port=8264"
notesnook-server:
image: streetwriters/notesnook-sync:v1.0-beta.5
ports:
- 5264
networks:
- notesnook
- proxy
env_file: .env
depends_on:
- notesnook-s3
- identity-server
healthcheck:
test: wget --tries=1 -nv -q http://localhost:5264/health -O- || exit 1
interval: 40s
timeout: 30s
retries: 3
start_period: 60s
environment:
NOTESNOOK_SERVER_PORT: 5264
NOTESNOOK_SERVER_HOST: notesnook-server
IDENTITY_SERVER_PORT: 8264
IDENTITY_SERVER_HOST: identity-server
SSE_SERVER_PORT: 7264
SSE_SERVER_HOST: sse-server
SELF_HOSTED: 1
IDENTITY_SERVER_URL: https://notesnook.vhaudiquet.fr/identity
NOTESNOOK_APP_HOST: https://app.notesnook.com
MONGODB_CONNECTION_STRING: mongodb://notesnookdb:27017/?replSet=rs0
MONGODB_DATABASE_NAME: notesnook
S3_INTERNAL_SERVICE_URL: "http://notesnook-s3:9000"
S3_INTERNAL_BUCKET_NAME: "attachments"
S3_ACCESS_KEY_ID: "${MINIO_ROOT_USER:-minioadmin}"
S3_ACCESS_KEY: "${MINIO_ROOT_PASSWORD:-minioadmin}"
S3_SERVICE_URL: "${ATTACHMENTS_SERVER_PUBLIC_URL}"
S3_REGION: "us-east-1"
S3_BUCKET_NAME: "attachments"
labels:
- "traefik.enable=true"
- "traefik.http.routers.notesnook-server.rule=Host(`notesnook.vhaudiquet.fr`)"
- "traefik.http.services.notesnook-server.loadbalancer.server.port=5264"
- "traefik.docker.network=proxy"
- "traefik.http.routers.notesnook-server.entrypoints=http"
- "traefik.http.routers.notesnook-server.middlewares=notesnook-server-cors"
- "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolalloworiginlist=*"
- "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolallowmethods=*"
- "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolallowheaders=*"
- "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolallowcredentials=true"
sse-server:
image: streetwriters/sse:v1.0-beta.5
ports:
- 7264
env_file: .env
depends_on:
- identity-server
- notesnook-server
networks:
- notesnook
- proxy
labels:
- "traefik.enable=true"
- "traefik.http.routers.sse-server.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/sse`)"
- "traefik.http.services.sse-server.loadbalancer.server.port=7264"
- "traefik.http.routers.sse-server.middlewares=sse-server,notesnook-server-cors"
- "traefik.http.middlewares.sse-server.stripprefix.prefixes=/sse"
- "traefik.docker.network=proxy"
- "traefik.http.routers.sse-server.entrypoints=http"
healthcheck:
test: wget --tries=1 -nv -q http://localhost:7264/health -O- || exit 1
interval: 40s
timeout: 30s
retries: 3
start_period: 60s
environment:
NOTESNOOK_SERVER_PORT: 5264
NOTESNOOK_SERVER_HOST: notesnook-server
IDENTITY_SERVER_PORT: 8264
IDENTITY_SERVER_HOST: identity-server
SSE_SERVER_PORT: 7264
SSE_SERVER_HOST: sse-server
SELF_HOSTED: 1
IDENTITY_SERVER_URL: https://notesnook.vhaudiquet.fr/identity
NOTESNOOK_APP_HOST: https://app.notesnook.com
monograph-server:
image: streetwriters/monograph:1.2.4
# ports:
# - 6264:3000
env_file: .env
depends_on:
- notesnook-server
networks:
- notesnook
- proxy
healthcheck:
test: wget --tries=1 -nv -q http://localhost:3000/api/health -O- || exit 1
interval: 40s
timeout: 30s
retries: 3
start_period: 60s
environment:
NOTESNOOK_SERVER_PORT: 5264
NOTESNOOK_SERVER_HOST: notesnook-server
IDENTITY_SERVER_PORT: 8264
IDENTITY_SERVER_HOST: identity-server
SSE_SERVER_PORT: 7264
SSE_SERVER_HOST: sse-server
SELF_HOSTED: 1
IDENTITY_SERVER_URL: https://notesnook.vhaudiquet.fr/identity
NOTESNOOK_APP_HOST: https://app.notesnook.com
API_HOST: http://notesnook-server:5264
MONOGRAPH_PUBLIC_URL: https://notesnook.vhaudiquet.fr/monograph
PUBLIC_URL: https://notesnook.vhaudiquet.fr/monograph
labels:
- "traefik.enable=true"
- "traefik.http.routers.monograph-server.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/monograph`)"
- "traefik.http.routers.monograph-server.middlewares=monograph-server,notesnook-server-cors"
- "traefik.http.middlewares.monograph-server.stripprefix.prefixes=/monograph"
- "traefik.docker.network=proxy"
- "traefik.http.routers.monograph-server.entrypoints=http"
- "traefik.http.services.monograph-server.loadbalancer.server.port=3000"
networks:
notesnook:
proxy:
name: proxy
external: true
volumes:
dbdata:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: '/app/notesnook/dbdata/_data'
s3data:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: '/app/notesnook/s3data/_data'
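Review bot: The `${MINIO_ROOT_USER:-minioadmin}` and `${MINIO_ROOT_PASSWORD:-minioadmin}` fallbacks in `notesnook-server` silently use MinIO's stock credentials whenever those variables are unset, and `notesnook-s3` is routed through Traefik under `/s3`, so a missing variable would leave the object store reachable with known credentials. Fail closed instead: `S3_ACCESS_KEY_ID: "${MINIO_ROOT_USER:?MINIO_ROOT_USER must be set}"`, and the same form for `S3_ACCESS_KEY`. Separately, the `notesnook-server-cors` middleware pairs `accesscontrolalloworiginlist=*` with `accesscontrolallowcredentials=true`; list the real client origin(s) there rather than a wildcard. The bare `ports: - 8264`, `- 5264` and `- 7264` entries also publish those services on host ports outside Traefik, which looks unintended given that `ports` is commented out on `notesnook-s3` and `monograph-server`.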


@@ -1,49 +0,0 @@
terraform {
required_providers {
docker = {
source = "kreuzwerker/docker"
version = "3.6.2"
}
}
}
# Docker configuration
provider "docker" {
host = "ssh://root@${var.docker_host}"
}
resource "docker_image" "swarm-cd" {
name = "swarm-cd:latest"
# For now, custom-built image based on custom development branch
# Once this reaches upstream, back to upstream tag, like:
# ghcr.io/m-adawi/swarm-cd:1.9.0
}
resource "docker_container" "swarm-cd" {
name = "swarm-cd"
image = docker_image.swarm-cd.image_id
volumes {
host_path = "/var/run/docker.sock"
container_path = "/var/run/docker.sock"
read_only = true
}
volumes {
host_path = "/root/homeprod/.swarmcd/repos.yaml"
container_path = "/app/repos.yaml"
read_only = true
}
volumes {
host_path = "/root/homeprod/.swarmcd/stacks.yaml"
container_path = "/app/stacks.yaml"
read_only = true
}
volumes {
host_path = "/app/swarm-cd/data"
container_path = "/data"
}
env = [
"SOPS_GPG_PRIVATE_KEY=${var.sops_private_key}"
]
depends_on = [ docker_image.swarm-cd ]
}


@@ -1,8 +0,0 @@
variable "sops_private_key" {
description = "Private SOPS GPG key for SwarmCD to decrypt secrets"
type = string
}
variable "docker_host" {
description = "Docker machine hostname"
type = string
}


@@ -1,311 +0,0 @@
terraform {
required_providers {
talos = {
source = "siderolabs/talos"
version = "0.9.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.36.0"
}
helm = {
source = "hashicorp/helm"
version = "2.17.0"
}
}
}
# Talos configuration
provider "talos" {}
# Kubernetes configuration
provider "kubernetes" {
config_path = "${path.module}/kubeconfig"
}
# Helm configuration
provider "helm" {
kubernetes {
config_path = "${path.module}/kubeconfig"
}
}
resource "talos_machine_secrets" "kube" {}
data "talos_machine_configuration" "kube" {
cluster_name = "kube-${var.physical_hostname}"
machine_type = "controlplane"
cluster_endpoint = "https://${var.kube_host}:6443"
machine_secrets = talos_machine_secrets.kube.machine_secrets
config_patches = [
yamlencode({
machine = {
install = {
image = "factory.talos.dev/installer/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v1.11.5"
}
network = {
nameservers = [
"10.1.2.3"
]
}
certSANs = [
"${var.kube_host}", "${var.kube_hostname}"
]
}
cluster = {
clusterName = "kube-${var.physical_hostname}"
allowSchedulingOnControlPlanes = true
apiServer = {
certSANs = [
"${var.kube_host}", "${var.kube_hostname}"
]
}
network = {
dnsDomain = "cluster.local"
cni = {
name: "none"
}
}
proxy = {
disabled = true
}
}
})
]
}
data "talos_client_configuration" "kube" {
cluster_name = "kube-${var.physical_hostname}"
client_configuration = talos_machine_secrets.kube.client_configuration
nodes = ["${var.kube_host}"]
}
resource "talos_machine_configuration_apply" "kube" {
client_configuration = talos_machine_secrets.kube.client_configuration
machine_configuration_input = data.talos_machine_configuration.kube.machine_configuration
node = var.kube_host
depends_on = [ talos_machine_secrets.kube ]
}
resource "talos_machine_bootstrap" "kube" {
node = var.kube_host
client_configuration = talos_machine_secrets.kube.client_configuration
depends_on = [ talos_machine_configuration_apply.kube, talos_machine_secrets.kube ]
}
resource "talos_cluster_kubeconfig" "kube" {
node = var.kube_host
depends_on = [ talos_machine_bootstrap.kube ]
client_configuration = talos_machine_secrets.kube.client_configuration
}
output "kubeconfig" {
sensitive = true
value = talos_cluster_kubeconfig.kube.kubeconfig_raw
}
resource "local_file" "kubeconfig" {
content = "${talos_cluster_kubeconfig.kube.kubeconfig_raw}"
filename = "${path.module}/kubeconfig"
depends_on = [ talos_cluster_kubeconfig.kube ]
}
data "talos_client_configuration" "talosconfig" {
cluster_name = "kube-${var.physical_hostname}"
client_configuration = talos_machine_secrets.kube.client_configuration
nodes = [var.kube_host]
}
resource "local_file" "talosconfig" {
content = "${data.talos_client_configuration.talosconfig.talos_config}"
filename = "${path.module}/talosconfig"
depends_on = [ data.talos_client_configuration.talosconfig ]
}
# TODO : Wait for talos_cluster_kubeconfig...
resource "helm_release" "cilium" {
name = "cilium"
namespace = "kube-system"
repository = "https://helm.cilium.io/"
chart = "cilium"
wait = false
depends_on = [ local_file.kubeconfig, talos_cluster_kubeconfig.kube ]
set {
name = "ipam.mode"
value = "kubernetes"
}
set {
name = "kubeProxyReplacement"
value = true
}
set {
name = "securityContext.capabilities.ciliumAgent"
value = "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
}
set {
name = "securityContext.capabilities.cleanCiliumState"
value = "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
}
set {
name = "cgroup.autoMount.enabled"
value = false
}
set {
name = "cgroup.hostRoot"
value = "/sys/fs/cgroup"
}
set {
name = "k8sServiceHost"
value = "localhost"
}
set {
name = "k8sServicePort"
value = 7445
}
set {
name = "etcd.clusterDomain"
value = "cluster.local"
}
set {
name = "hubble.relay.enabled"
value = true
}
# Enable hubble ui
set {
name = "hubble.ui.enabled"
value = true
}
# Gateway API support
set {
name = "gatewayAPI.enabled"
value = true
}
set {
name = "gatewayAPI.enableAlpn"
value = true
}
set {
name = "gatewayAPI.enableAppProtocol"
value = true
}
# Gateway API trusted hops : for reverse proxy
set {
name = "gatewayAPI.xffNumTrustedHops"
value = 1
}
# Single-node cluster, so 1 operator only
set {
name = "operator.replicas"
value = 1
}
# L2 announcements
set {
name = "l2announcements.enabled"
value = true
}
set {
name = "externalIPs.enabled"
value = true
}
# Disable ingress controller (traefik will be used for now)
set {
name = "ingressController.enabled"
value = false
}
set {
name = "ingressController.loadbalancerMode"
value = "shared"
}
# Ingress controller for external : behind reverse proxy, trust 1 hop
set {
name = "envoy.xffNumTrustedHopsL7PolicyIngress"
value = 1
}
# Set cilium as default ingress controller
set {
name = "ingressController.default"
value = true
}
set {
name = "ingressController.service.externalTrafficPolicy"
value = "Local"
}
}
resource "kubernetes_namespace" "flux-system" {
metadata {
name = "flux-system"
}
lifecycle {
ignore_changes = [ metadata[0].annotations, metadata[0].labels ]
}
depends_on = [ talos_cluster_kubeconfig.kube, local_file.kubeconfig, helm_release.cilium ]
}
resource "kubernetes_secret" "flux-sops" {
metadata {
name = "flux-sops"
namespace = "flux-system"
}
type = "generic"
data = {
"sops.asc"=var.sops_private_key
}
depends_on = [ kubernetes_namespace.flux-system ]
}
resource "helm_release" "flux-operator" {
name = "flux-operator"
namespace = "flux-system"
repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
chart = "flux-operator"
wait = true
depends_on = [ kubernetes_secret.flux-sops ]
}
resource "helm_release" "flux-instance" {
name = "flux"
namespace = "flux-system"
repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
chart = "flux-instance"
values = [
file("values/components.yaml")
]
set {
name = "instance.distribution.version"
value = "2.x"
}
set {
name = "instance.distribution.registry"
value = "ghcr.io/fluxcd"
}
set {
name = "instance.sync.name"
value = "homeprod"
}
set {
name = "instance.sync.kind"
value = "GitRepository"
}
set {
name = "instance.sync.url"
value = "https://github.com/vhaudiquet/homeprod"
}
set {
name = "instance.sync.path"
value = "kubernetes/"
}
set {
name = "instance.sync.ref"
value = "refs/heads/main"
}
depends_on = [ helm_release.flux-operator ]
}


@@ -1,16 +0,0 @@
variable "sops_private_key" {
description = "Private SOPS GPG key for flux/kubernetes to decrypt secrets"
type = string
}
variable "kube_hostname" {
description = "Kubernetes cluster hostname"
type = string
}
variable "kube_host" {
description = "Kubernetes cluster host"
type = string
}
variable "physical_hostname" {
description = "Host name of the physical host for the kubernetes VM"
type = string
}


@@ -24,7 +24,6 @@ resource "proxmox_virtual_environment_file" "docker-machine-cloud-config" {
- qemu-guest-agent
- nfs-common
runcmd:
- systemctl mask tmp.mount
- systemctl enable --now qemu-guest-agent
- install -m 0755 -d /etc/apt/keyrings
- curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
@@ -61,7 +60,7 @@ resource "proxmox_virtual_environment_vm" "docker-machine" {
}
memory {
floating = 22222
floating = 16192
dedicated = 38768
}


@@ -83,12 +83,6 @@ resource "proxmox_virtual_environment_vm" "kube" {
vlan_id = 2
}
network_device {
bridge = "vmbr0"
model = "virtio"
vlan_id = 2
}
operating_system {
type = "l26"
}


@@ -1,5 +1,5 @@
image:
tag: 1.25.5
tag: 1.24.3
ingress:
enabled: true
hosts:
@@ -17,10 +17,10 @@ postgresql:
global:
postgresql:
auth:
postgressPassword: ENC[AES256_GCM,data:MGHcVoXxZmaAaA==,iv:jzp5H+mT1mwbJvuDnlgfQBMsilAZcR9Wpdv1Bem8zvc=,tag:9vPppIbycDJfgRV45jkwFg==,type:str]
password: ENC[AES256_GCM,data:jm4ffAcu06Rqog==,iv:pBWzn+/Udl99Vv7bLRv37uNZjPY/xMqrvDgUw6o+Am8=,tag:Y8PEv+NoEr9YU86WVebZqQ==,type:str]
postgressPassword: ENC[AES256_GCM,data:Lqe5Sx1rYyHK6g==,iv:nORpoyPzjAMghIeufPNrUnG7pi0YszOYwaWUdl2IyEc=,tag:cOzImE2HlZhItR7OGoJmgQ==,type:str]
password: ENC[AES256_GCM,data:AkUd6d32sjBZig==,iv:IaMaIvyCKQy2lq82HxsEeiLf7j+6+p3rV8jCMRysgTo=,tag:tLK1tim6i1EeK4bJyFptfg==,type:str]
database: gitea
username: ENC[AES256_GCM,data:OmrAE7E=,iv:ABU5b4rhwtxz0n8kwI7Nxqn0Cn//B4ScWJdYU3cE5ds=,tag:q/g0741vR06c5nDWGnTvYA==,type:str]
username: ENC[AES256_GCM,data:jVMd2yM=,iv:bKIg47uWcsHZIB9o3LFrppWY/HvNAGRra1gHtt9zOf8=,tag:6872w7HOGAoVy6RhayqwbQ==,type:str]
volumePermissions:
enabled: true
postgresql-ha:
@@ -41,8 +41,8 @@ gitea:
oauth:
- name: Authentik
provider: openidConnect
key: ENC[AES256_GCM,data:BvrQCp1uuKsU+ghFqGDtDSXkx71byFQnOKSCU2iMLQebhsZdocZbJQ==,iv:WY3p4ygfc7CuEjK18Ktr2c/a5bDnCoyNSfKqjXwjZuY=,tag:INMKosSqPzJOCcZ9m3UKKQ==,type:str]
secret: ENC[AES256_GCM,data:7kWuHYZ+2UlLrlRC6bX54xu0EJ264pP3EkfycleNnE647+VNInviZ9OFdz+2E+Ujw5ktuU8Edl49ex/TZ3BLyBv5bgHgCySLIHrB9keEZIxuhnfV53csq7KmIvO+NALDbU2OlZZaiAyNMbJjRCSAxXRT2WtPVzadt6HkW3niiRE=,iv:4uWctDxVpRzqdErKp05WKuz7WYH5frktMe3gly4+VW0=,tag:isaFJX5Q+XaZnY1F2HFdfw==,type:str]
key: ENC[AES256_GCM,data:taMkaU5kqwgKbSjPOT345KIE5SICdnjQRzVs6YKGcMGomkUKJRq7Cw==,iv:9UhNZ4jj1Hl4gS5xcBLTTGtlELqvNfGjxB08nRk9Gig=,tag:fRMTXQRyEgs2euN4bj7H+w==,type:str]
secret: ENC[AES256_GCM,data:D/14Oe3iE02HgiQ/dC5pfXHEC8HFoFm8Xp7LAC4kMlj0F2hx/ep516IJrC9J8s2KuutqT9WLRO4Fh6eaLh4M4zOr3rlxiLEq/fnIc5hvDsTxZAyWK7QUHv7d5/zCa8XCib0xxeX180lIR/DUNTv4OrtQBYg/uSUO/8x/Kze83Z0=,iv:X+XWtvYn8w+LUsXk4j1mFdEoRdpEIVMzw6TNGFY5YzQ=,tag:WcQ6MT3mdsxQOsTqA5PZbQ==,type:str]
autoDiscoverUrl: https://authentik.vhaudiquet.fr/application/o/gitea/.well-known/openid-configuration
config:
APP_NAME: Gitea
@@ -69,27 +69,27 @@ gitea:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
sops:
lastmodified: "2026-04-05T11:32:32Z"
mac: ENC[AES256_GCM,data:etLsvUBjDtzqpwdP9jontcVmFRvvsy7z70Rcztvm6kNybRsWKss2hRarl+IhxBqI5rQYaWjON9BNpjIBjnmKVPiwV7lYF7cSTEiHrCCBrFyhwYKxgsgwZCWCfSgOLMlhTjI55wISPFyhHaC/O6CsuzcGRAQ52B2PZBaeY0vNgF4=,iv:aag0M1SJn7uVLu99wmGMp3Ms5jlJCTzkyGUsdzcrGAE=,tag:H2+gdObpNEnoDKaW3IT+wQ==,type:str]
lastmodified: "2025-12-05T19:41:30Z"
mac: ENC[AES256_GCM,data:vnq6D9k/4JOdkMr4YOJRRZhWjJBakzmtuk50vmTzO5cpkK97sjCZRm4CtCnolmUZxvUgLtENjUKxt3Mr8IWbd+xWQDx+sa/ZEoncK2zxOOJnMsdRtbVY0zeuK2wWgncEFxbudGo2tewBd4qLiwBeIaMgMrhIHluB+iahKgoTqw0=,iv:ENoRWvGBtvfaBbLytmd1gAyeg7L6iyewfTkUYmee8Cg=,tag:IF7Df8OOxH2HAhJeOhW3zA==,type:str]
pgp:
- created_at: "2026-04-05T11:32:28Z"
- created_at: "2025-12-05T19:41:30Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=FJi9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=
=CQiX
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
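Review bot: The image tag in the first hunk goes from `1.25.5` to `1.24.3` (assuming the second `tag:` line is the new side, as in the other version hunks on this page), which is a downgrade: it drops whatever fixes shipped after 1.24.3, and Gitea's schema migrations are generally forward-only, so an instance already migrated by 1.25 may refuse to start. If the rollback is not intended, keep `tag: 1.25.5`. Independently, the key `postgressPassword` under `global.postgresql.auth` looks misspelled on both sides; if this is the Bitnami subchart the key is `postgresPassword`, so the encrypted value is probably never read.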


@@ -1,13 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: zigbee2mqtt
resources:
- namespace.yaml
- repository.yaml
- release.yaml
secretGenerator:
- name: zigbee2mqtt-values
files:
- values.yaml=values.yaml
configurations:
- kustomizeconfig.yaml


@@ -1,6 +0,0 @@
nameReference:
- kind: Secret
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: zigbee2mqtt


@@ -1,18 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: zigbee2mqtt
namespace: zigbee2mqtt
spec:
interval: 1m
chart:
spec:
sourceRef:
kind: HelmRepository
name: zigbee2mqtt
namespace: zigbee2mqtt
chart: zigbee2mqtt
interval: 1m
valuesFrom:
- kind: Secret
name: zigbee2mqtt-values


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: zigbee2mqtt
namespace: zigbee2mqtt
spec:
interval: 1m
url: https://charts.zigbee2mqtt.io/


@@ -1,71 +0,0 @@
ingress:
enabled: true
ingressClassName: traefik
hosts:
- host: z2m.lan
paths:
- path: /
pathType: Prefix
service:
type: ClusterIP
statefulset:
securityContext:
privileged: false
capabilities:
add: []
zigbee2mqtt:
homeassistant:
enabled: true
discovery_topic: homeassistant
status_topic: hass/status
legacy_entity_attributes: true
legacy_triggers: false
permit_join: false
blocklist: []
availability:
active:
# -- Time after which an active device will be marked as offline in
# minutes (default = 10 minutes)
timeout: 10
passive:
# -- Time after which a passive device will be marked as offline in
# minutes (default = 1500 minutes aka 25 hours)
timeout: 1500
timezone: Europe/Paris
external_converters: []
mqtt:
server: mqtt://mqtt.lan:1883
user: ENC[AES256_GCM,data:8chGUA==,iv:SOAuBYShpWbza3idtyqFoVIFstZFM34OPDN4uhAer0Y=,tag:WPoH80VcUGLy5Uq/z8EtaQ==,type:str]
password: ENC[AES256_GCM,data:XVcTzQ3pDvPKbw==,iv:TK5qHq2yMTWgzcOPvj0GO7tOOD4PHvKMWfd3p4T8LuM=,tag:GJpKQWpVhwrewX4+9NITfQ==,type:str]
base_topic: z2m
serial:
port: tcp://10.1.1.159:6638
baudrate: 115200
rtscts: false
adapter: ember
sops:
lastmodified: "2026-05-02T10:26:20Z"
mac: ENC[AES256_GCM,data:32zZ0bYrgn+zTz8DEOU1N8MgDrihzWyMsV9q2m5RhFHRvXFuq3Z2GTORlUTeuK5qZIUrZt22VskigGAQiKC2CdzsJTcO3cGPshu5E6gWGBRNob02bXXsMu3TfCKxic/Ek7jE2p9R++a5AKczFZY8SxL7Sv1BZDxozkginDdYR4Q=,iv:VcDKwoPgYxZc8KXYv9oEH2GBqDRAJJxphj6MFLLI8ok=,tag:vPWqcEHoBVvfCoKoN5UiLA==,type:str]
pgp:
- created_at: "2026-05-02T10:26:20Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=cZ3t
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
version: 3.10.2


@@ -20,7 +20,7 @@ postgresql:
password: ENC[AES256_GCM,data:NWk6kvOp1RRs4A==,iv:q0GoRFQ15LBXDxDnOiKWHX6/K8DwX+k2Myxk7iaBo2U=,tag:6qfY+5TF2oy4cRfeJKr7IA==,type:str]
image:
repository: bitnamilegacy/postgresql
tag: 15.9.0
tag: 17.5.0
primary:
args: []
redis:
@@ -55,4 +55,4 @@ sops:
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
version: 3.10.2
version: 3.10.2
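Review bot: `tag: 17.5.0` moves the database two PostgreSQL major versions past `15.9.0`, and a data directory initialised by 15 cannot be opened by a 17 server. If this release has a persistent volume, the pod will fail to start until the data is migrated with `pg_upgrade` or a dump and restore. Take a backup and plan that migration before merging, or stay on the 15.x line. The `postgresql:` mapping begins outside the hunk, so whether persistence is enabled is not visible here.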


@@ -1,13 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: notesnook
resources:
- namespace.yaml
- repository.yaml
- release.yaml
secretGenerator:
- name: notesnook-values
files:
- values.yaml=values.yaml
configurations:
- kustomizeconfig.yaml


@@ -1,6 +0,0 @@
nameReference:
- kind: Secret
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: notesnook


@@ -1,19 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: notesnook
namespace: notesnook
spec:
interval: 1m
chart:
spec:
sourceRef:
kind: HelmRepository
name: notesnook
namespace: notesnook
chart: notesnook
version: '1.0.5'
interval: 1m
valuesFrom:
- kind: Secret
name: notesnook-values


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: notesnook
namespace: notesnook
spec:
interval: 1m
url: https://gitlab.ibaraki.app/api/v4/projects/130/packages/helm/stable


@@ -1,65 +0,0 @@
instance:
name: vhaudiquet-notesnook
api:
secret: ENC[AES256_GCM,data:C3mpoEG6y6IShpX1+o9eNn8NACaKy8s1xw5tY1/ncBzqaKrK3YiE7K0rl4d6Bq6q,iv:rGWxSmV98ef8Qx1jkVbQEKPkFmGEaCOXXFFZ4I1US7s=,tag:VBDOhPRTRRhFu5cU024Sqg==,type:str]
knownProxies: 10.0.0.0/8
disableSignups: true
publicUrls:
app: https://app.notesnook.com
auth: https://auth-nook.vhaudiquet.fr
monograph: https://n.vhaudiquet.fr
attachments: http://localhost:9000
smtp:
username: ENC[AES256_GCM,data:C4dTnVaJCwxqTdevLJ+a9eJOWPk=,iv:9iHoQzZjHjmOuaoOWdedPHuv06MqtXZXJhWGiTdzhwE=,tag:xDL+WInm/Ms/LuZi53JuHA==,type:str]
password: ENC[AES256_GCM,data:tIkKqwVBy94oqFJH0V8=,iv:cOKiwDhngz6mnZlD+XSfWFg1KZa+UCkhXKBgjK7IdnE=,tag:91d/aUlfeHbJqtRWPmTskQ==,type:str]
host: mail.vhaudiquet.fr
port: 465
ingress:
enabled: true
hosts:
identity:
- host: auth-nook.vhaudiquet.fr
paths:
- path: /
pathType: ImplementationSpecific
notesnook:
- host: nook.vhaudiquet.fr
paths:
- path: /
pathType: ImplementationSpecific
sse:
- host: sse-nook.vhaudiquet.fr
paths:
- path: /
pathType: ImplementationSpecific
monograph:
- host: n.vhaudiquet.fr
paths:
- path: /
pathType: ImplementationSpecific
sops:
lastmodified: "2025-12-26T18:18:01Z"
mac: ENC[AES256_GCM,data:Xy9P+Ifuz18apN7GoYdehc2bzTjUKMJAT7f8HZNTnvV/wkZEt4EUGJL2WGex12nYQyj6Ut+I9pwFwwX5m0oLO82s1zS2DK3BiaxFa6LFJ2VDUthKt8h9ZTNeT+2P5S5cOvEMvS6tljX8y8/HCUwVMCXGMNCIl8RtWo1Q9CgLjrw=,iv:6MdJwJh3xVrXX6sKCQMAEIpdOD8E0V6+305xcaQnnMI=,tag:5JE9M09u6ukPoQBzT9g0sA==,type:str]
pgp:
- created_at: "2025-12-26T18:18:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=yK0X
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
version: 3.10.2


@@ -1,6 +1,6 @@
image:
repository: photoprism/photoprism
tag: "260305"
tag: "251130"
pullPolicy: IfNotPresent
ingress:
main:
@@ -36,27 +36,27 @@ mariadb:
repository: bitnamilegacy/mariadb
tag: 12.0.2-debian-12-r0
sops:
lastmodified: "2026-05-01T22:39:49Z"
mac: ENC[AES256_GCM,data:YGVQb50DrFv/ehU+dxsoP/e8ARKVPfr/6c2x1pQbZ7cNiNu7k1Zgt+bEHkkKm+FT44bltL374Jf2HqT/0gvmgMGp/8ukjZ5hRLwbqS1fOKR8SVQ8fp2EId0P7HcRl7Qqr6lF15hKXQ+SPl6KDPvDWKh0pq192W8dP76D7h5aKDw=,iv:c1xytratCfO8V4nkdvxeKT2kWOYHBkwoTc5Ic+yjpWQ=,tag:kdxAidCO1VLPxiwq3eCRxQ==,type:str]
lastmodified: "2025-12-04T23:21:48Z"
mac: ENC[AES256_GCM,data:UbrmZVQ9Jcy7/+N9agnQI201d5kp8lIeJ3bBymKpU7ORyYouA+AyllVts3sqWFQhFnbK2Be1IkOY+F9iEvKrjJn6frtd7b1Qz1q8j1COdpQ+h/Ok11yCsaqkVfDr32to7zlf7fHW3YdcEEmYFt/CbbzMM4C4fbxHcgFOlyzrcDk=,iv:iYggVr703vYaZ/bPXZywYOeP6ePTxyGyoLI1jfsbSFE=,tag:Ic8e2mnZD69JAlwiQmeV6A==,type:str]
pgp:
- created_at: "2026-05-01T22:39:48Z"
- created_at: "2025-12-04T23:21:48Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=PSUH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=
=wfLM
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$


@@ -1,13 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: umami
resources:
- namespace.yaml
- repository.yaml
- release.yaml
secretGenerator:
- name: umami-values
files:
- values.yaml=values.yaml
configurations:
- kustomizeconfig.yaml


@@ -1,6 +0,0 @@
nameReference:
- kind: Secret
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: umami


@@ -1,19 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: umami
namespace: umami
spec:
interval: 1m
chart:
spec:
sourceRef:
kind: HelmRepository
name: umami
namespace: umami
chart: umami
version: '7.1.0'
interval: 1m
valuesFrom:
- kind: Secret
name: umami-values


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: umami
namespace: umami
spec:
interval: 1m
url: https://charts.christianhuth.de


@@ -1,33 +0,0 @@
ingress:
enabled: true
hosts:
- host: umami.vhaudiquet.fr
paths:
- path: /
pathType: ImplementationSpecific
sops:
lastmodified: "2025-12-29T18:15:28Z"
mac: ENC[AES256_GCM,data:npCm/Cwhn5wCsf5qIu2rcwVP+OFe8Ph1qRHQriVANMTC9dioFPuS5IMU1RRnJPNt9y0nE5hSscg5LrfGBB5qCPUbqj3Ca9/Iv3raZLYR6SUcAaitFlxhdcFSEXOhLa+PW6yW5RZjjD9uD0IEuOje3+oa+05kIm3HqdL5Qszarns=,iv:LlywSpl9l1iEa9f1KatvLJSGU/jZWvUbK1HI9uRpZT4=,tag:I3L6JD3GeLNlrR8e5Gz3JA==,type:str]
pgp:
- created_at: "2025-12-29T18:15:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=GDKV
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
version: 3.10.2


@@ -1,13 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: blocky
resources:
- namespace.yaml
- repository.yaml
- release.yaml
secretGenerator:
- name: blocky-values
files:
- values.yaml=values.yaml
configurations:
- kustomizeconfig.yaml


@@ -1,6 +0,0 @@
nameReference:
- kind: HelmRepository
version: v1
fieldSpecs:
- path: spec/chart/spec/sourceRef/name
kind: HelmRelease


@@ -1,7 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: blocky
labels:
app.kubernetes.io/name: blocky
app.kubernetes.io/component: dns


@@ -1,19 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: blocky
namespace: blocky
spec:
interval: 1m
chart:
spec:
sourceRef:
kind: HelmRepository
name: blocky
namespace: blocky
chart: blocky
version: "11.2.1"
interval: 1m
valuesFrom:
- kind: Secret
name: blocky-values


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: blocky
namespace: blocky
spec:
interval: 1h
url: https://k8s-home-lab.github.io/helm-charts/


@@ -1,93 +0,0 @@
# Default values for blocky (k8s-home-lab chart)
image:
repository: ghcr.io/0xerr0r/blocky
tag: v0.24
pullPolicy: IfNotPresent
controller:
replicas: 2
dnsPolicy: ClusterFirst
strategy: RollingUpdate
rollingUpdate:
maxUnavailable: 0
maxSurge: 1
env:
TZ: Europe/Paris
service:
main:
enabled: false
dns-tcp:
enabled: false
dns-udp:
enabled: true
type: LoadBalancer
loadBalancerIP: 10.1.2.148
ports:
dns:
port: 53
protocol: UDP
probes:
liveness:
enabled: true
custom: true
spec:
tcpSocket:
port: 53
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readiness:
enabled: true
custom: true
spec:
tcpSocket:
port: 53
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
startup:
enabled: true
custom: true
spec:
tcpSocket:
port: 53
initialDelaySeconds: 5
periodSeconds: 2
timeoutSeconds: 3
failureThreshold: 30
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 50m
memory: 64Mi
# Full list of options https://github.com/0xERR0R/blocky/blob/main/docs/config.yml
config: "upstreams:\n groups:\n default:\n - 1.1.1.1\n - 1.0.0.1\n lan:\n - 10.101.207.1\n\nconditional:\n mapping:\n lan: 10.101.207.1\n cluster.local: 10.96.0.10\n in-addr.arpa: 10.96.0.10\n\nblocking:\n allowlists:\n ads:\n - |\n dealabs.digidip.net\n s.click.aliexpress.com\n fonts.googleapis.com\n fonts.gstatic.com\n wl.spotify.com\n www.googleadservices.com\n \n denylists:\n ads:\n - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts\n - https://adaway.org/hosts.txt\n \n clientGroupsBlock:\n default:\n - ads\n \n blockType: zeroIp\n blockTTL: 1m\n loading:\n refreshPeriod: 4h\n downloads:\n timeout: 60s\n\ncaching:\n minTime: 5m\n maxTime: 30m\n # Disable negative caching (NXDOMAIN responses) for dynamic DNS\n cacheTimeNegative: 0\n prefetching: true\n prefetchExpires: 2h\n prefetchThreshold: 5\n\nprometheus:\n enable: true\n path: /metrics\n\nports:\n dns: 53\n http: 4000\n\nbootstrapDns: tcp+udp:1.1.1.1\n\nlog:\n level: info\n format: text\n timestamp: true\n"
sops:
lastmodified: "2026-05-02T17:51:26Z"
mac: ENC[AES256_GCM,data:J7EovwsXi2L9XocZoi5ann71DQ+wWZk2aCUbjvaGpv0yZC5g2HNccPVRvAj3y9SyMttLT8QlESXzHpEV2A6bOfmJf5v0ACYuWn5wKNlkaBdmTs1xwXp/RcpeOb+FCL9D+9hzjBO9XF6iXZLSj4pO/n1C0IhfeqYKdDC4tHkxOHA=,iv:Qm3Uh+UUSDWCxh7gWJ9x597aWXdMHxtpixE2BVlb6c8=,tag:aHbK26P4f9YV2uGLhpT6OA==,type:str]
pgp:
- created_at: "2026-05-02T17:51:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7uy4qQr71wiAQ/+Po8UdkiFGt0LmcvCeSE23aoWwY4qi2FsGKdik+7sL3RN
gOt/VQ6geefhd4YDhH0jfd7TDXs7UTtYvKQ+IaKcRUyOrZzhrfTpNeT/lXuaTkHf
LAUiqyprq1RDzxxIPvgMh4DynfehgN8B81iMJox2/fD0oV7B6dIIABvAl87gzANw
7snQLJwdhNXFylKfrdC9A4AfYz7ycXBzEyYlY5BMZENw9yBGgZ1dZITU2KxeYCo/
gdVTCevybSBQ/Cq0+hI25ZF+nEIGjrVCN2AxPEUO98ljp4OZEu0p6KsMB4xgCD2j
l5LN6YPAu95TRx/bZinoHMMzth6WhFdUG0Anj2cIIYXOcreyzPxYGj+vwRlZFrkZ
gTU2vfpt/1Wx8ORRqocCkxZ3dMtm4KsGqe3xpd1y84ezL/bMLxSApn5e7Zzn1cEg
DoLwJGnZzSY4nRzfoGXOv6mjyTUVkqNexRlL2wIsgDP9VP/ohS9K2fFZzzJ/fXa1
G9DUg64SwfYIFzAgsyWwdE3kCJ/GSIAgrgNwBfZlLGdfB/PB2BkHNpzX4LROUEcD
HqqHtVlUIikiFdDQWwB5tS+APBCO6VuzKl1z3ROgV6xhvr4ZYkd9CHYu1S1r1XAs
JRCyow0zTLRYGQnDD8+RPQ4MsbzJsugA8Ac4bE4sVJpP8hloZBqHb38AkoUruDTS
XgE+Nxcy0/aznBgEscE/VuY/GTH1vwYl5/dAcV8GDYcNmd1tE9E1QwWsSurHt39u
+QdGZYoUbHPtsk/zODgEVqn0iTsqO7Y4Qmu93bYlYFQwCygAPKKpCaqmmu2U+rI=
=hq5F
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
version: 3.10.2


@@ -5,4 +5,3 @@ metadata:
spec:
blocks:
- cidr: "10.1.2.171/32"
- cidr: "10.1.2.148/32"


@@ -1,79 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: etcd
namespace: coredns
labels:
app.kubernetes.io/name: etcd
app.kubernetes.io/component: dns-backend
spec:
serviceName: etcd
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: etcd
template:
metadata:
labels:
app.kubernetes.io/name: etcd
spec:
containers:
- name: etcd
image: quay.io/coreos/etcd:v3.5.17
ports:
- containerPort: 2379
name: client
- containerPort: 2380
name: peer
env:
- name: ETCD_DATA_DIR
value: /etcd-data
- name: ETCD_LISTEN_CLIENT_URLS
value: http://0.0.0.0:2379
- name: ETCD_ADVERTISE_CLIENT_URLS
value: http://etcd.coredns.svc.cluster.local:2379
- name: ETCD_LISTEN_PEER_URLS
value: http://0.0.0.0:2380
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
value: http://etcd-0.etcd.coredns.svc.cluster.local:2380
- name: ETCD_INITIAL_CLUSTER
value: etcd-0=http://etcd-0.etcd.coredns.svc.cluster.local:2380
- name: ETCD_NAME
value: etcd-0
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
volumeMounts:
- name: etcd-data
mountPath: /etcd-data
volumeClaimTemplates:
- metadata:
name: etcd-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
name: etcd
namespace: coredns
labels:
app.kubernetes.io/name: etcd
spec:
type: ClusterIP
ports:
- port: 2379
targetPort: 2379
name: client
- port: 2380
targetPort: 2380
name: peer
selector:
app.kubernetes.io/name: etcd


@@ -1,15 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: coredns
resources:
- namespace.yaml
- repository.yaml
- release.yaml
- zone-configmap.yaml
- etcd.yaml
secretGenerator:
- name: coredns-values
files:
- values.yaml=values.yaml
configurations:
- kustomizeconfig.yaml


@@ -1,6 +0,0 @@
nameReference:
- kind: HelmRepository
version: v1
fieldSpecs:
- path: spec/chart/spec/sourceRef/name
kind: HelmRelease


@@ -1,7 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: coredns
labels:
app.kubernetes.io/name: coredns
app.kubernetes.io/component: dns


@@ -1,19 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: coredns
namespace: coredns
spec:
interval: 1m
chart:
spec:
sourceRef:
kind: HelmRepository
name: coredns
namespace: coredns
chart: coredns
version: "1.45.2"
interval: 1m
valuesFrom:
- kind: Secret
name: coredns-values


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: coredns
namespace: coredns
spec:
interval: 1h
url: https://coredns.github.io/helm


@@ -1,108 +0,0 @@
replicaCount: 2
image:
repository: coredns/coredns
tag: 1.14.3
pullPolicy: IfNotPresent
deployment:
dnsPolicy: ClusterFirst
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 0
maxSurge: 1
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /ready
port: 8181
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi
serviceType: ClusterIP
service:
annotations:
io.cilium/lb-ipam-ips: ""
servers:
- zones:
- zone: cluster.local
port: 53
plugins:
- name: kubernetes
parameters: cluster.local in-addr.arpa ip6.arpa
configBlock: |-
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
- zones:
- zone: .
port: 53
plugins:
- name: errors
- name: health
configBlock: lameduck 5s
- name: ready
- name: debug
- name: file
parameters: /etc/coredns/zones/lan.zone lan
configBlock: |-
reload 10s
fallthrough
- name: etcd
parameters: lan
configBlock: |-
path /skydns
endpoint http://etcd.coredns.svc.cluster.local:2379
fallthrough
- name: cache
parameters: 30
- name: loadbalance
- name: log
extraVolumeMounts:
- name: zone-config
mountPath: /etc/coredns/zones
readOnly: true
extraVolumes:
- name: zone-config
configMap:
name: coredns-lan-zone
sops:
lastmodified: "2026-05-02T16:59:44Z"
mac: ENC[AES256_GCM,data:H4uRid1Fqx4JzsF43TSGa7QcGjpXLAHiM0N3Kf4z7ab4eMlTy1+RXMV7xVT9BinjZzH6P+ENxo0yVOsdt0Yu467KJhGznNWlb2MC2TElPxZ9/yItJ+hdVGHGWbVGFWUL5NOUQ9fY2NPGw0CGr8qyftLr5Qkx0LO/VUgKWkq6RWM=,iv:9+V/sCBhfWAsIvr4DsWQgkeqQZQyT4Ti3Y+qCEZqU5c=,tag:JCRONb54BpXQzYhhPs7VGA==,type:str]
pgp:
- created_at: "2026-05-02T16:59:43Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7uy4qQr71wiAQ/9HzeTVqelbvPtluYa5xGvoYNeEEXg43CwrwZ1/z5yFWvx
DoOCeyro5wFsNC6td7n2HVhtK0ULkfrMHH8OC+7L3bXbnlEnQzITmDggAUvfegCv
b/7ohPkOdLvi6qXbr8bgqCZYFnPq+gUs3UOPh5Tl6wgzRSFXw2Hsb4YmQkvZJUNb
PhPpLIUe/ECE4hmEjO5v9o3X0o7qZ3bahf9mZZlnJnvXT7R/DM8eeWTis/q0WSHE
XnclhOX4GlMwXxa65sRrShuPcsV3qqX3VWOSWJFBhGx/FDtZTkhlHGQ9YhF2TzbB
xxCrn87mH2W13NH6jQOQYPh1JTTJbgZZMZXgyPNmPDSYZE1kxTdrz4l4mcmCDND0
hY3T8iR8ap2b3HhSNCqC1C0QN/bK217hTs8cJHWRRfa6jfh12imwk2XhJkB3zZxV
O1oSb6eiP0ba0CgXu31shmfXuTAeVbTm6E50heYorjQKR5djjnOVwQUdmis1Awae
AQTiWtBBbOgfX5WA5b6wInFr0WEsshG+YuqfB7FhJpo2SHyeFhgk47ssHWSeBpPv
wa4OAGaMkdGoePQhApZFrBCZHslEhPE+XQlDdyOtXCmxBOcLwe59ikWLV75j0DzS
NRUNOBYQ8Q1Y6Su/sJWW7TykQkmDirU+oIYxAngZyIyJSWvARPd6fJJvkqqg013S
XgH1+LQJWNEJzIaLKCWbkZXnMstsOYrs4ynV4f/QZKU+Md5CgVbjy9KIC/trfNhj
1t9kkyVVOEO7UmRhMyl8pK2gQDiOBrkhUJ5tSNFEfxM1llZ4GZRV+SUuMC3UzVA=
=l7Wo
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
version: 3.10.2


@@ -1,67 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns-lan-zone
namespace: coredns
labels:
app.kubernetes.io/name: coredns
app.kubernetes.io/component: dns-zone
data:
lan.zone: |
$ORIGIN lan.
@ IN SOA ns.lan. admin.lan. (
2024010101 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
86400 ) ; minimum
IN NS ns.lan.
; Nameserver record
ns IN A 10.1.2.172
; Static hosts
openwrt IN A 10.1.1.1
; R740 and virtual machines
r740 IN A 10.1.1.223
bw-r740 IN A 10.1.2.233
kube-r740 IN A 10.1.2.171
docker-r740 IN A 10.1.2.212
truenas IN A 10.1.2.139
; PVE
pve IN A 10.1.2.10
docker-homeprod IN A 10.1.2.12
; Ligory
pve-ligory IN A 10.2.2.10
docker-ligory IN A 10.2.2.232
; IoT
c210 IN A 10.1.1.106
elegoo-neptune-4pro IN A 10.1.1.155
; docker-r740 services
esphome IN A 10.1.2.212
excalidraw IN A 10.1.2.212
gramps IN A 10.1.2.212
jackett IN A 10.1.2.212
jellyseerr IN A 10.1.2.212
mqtt IN A 10.1.2.212
n8n IN A 10.1.2.212
obsidian-livesync IN A 10.1.2.212
paperless IN A 10.1.2.212
proxy IN A 10.1.2.212
radarr IN A 10.1.2.212
radicale IN A 10.1.2.212
sonarr IN A 10.1.2.212
stirling-pdf IN A 10.1.2.212
syncthing-valentin IN A 10.1.2.212
tandoor IN A 10.1.2.212
traefik IN A 10.1.2.212
transmission IN A 10.1.2.212
tubearchivist IN A 10.1.2.212
webmail IN A 10.1.2.212
wizarr IN A 10.1.2.212
zigbee2mqtt IN A 10.1.2.212


@@ -1,39 +1,38 @@
provider:
name: coredns
registry: noop
policy: upsert-only
sources:
- ingress
- service
name: pihole
registry: noop
policy: upsert-only
sources:
- ingress
domainFilters:
- lan
- .lan
extraArgs:
- ENC[AES256_GCM,data:pWoRZNy0bqOOC/KNOy5u6yVpqJv29cJIgQ==,iv:gWQc3vdCwT7V67D0tyrPASAUNhVKjc2SIBLcQutIWG8=,tag:q6C1CLTMiGv0ZJ4jrPYOGg==,type:str]
env:
- name: ETCD_URLS
value: ENC[AES256_GCM,data:w4cTglu/bE5AkzdHdXhC8B0IazuxfQECVdPB3S2kUSJ8L4Q21oUQOs8I,iv:p560+9a3EqNcnA83Ahx/91w0PfzqWlAY8KRhbaCO5t4=,tag:ajc0Al6wZTOVrkLDXG90+w==,type:str]
- ENC[AES256_GCM,data:ym7grahK+0f0ydcdbWjamJdu/fOBUdH186xaQVaXZWEb,iv:PYGTuE/0z23pXVmitjDRcESs6dwuZA89VUhC1Dw/YlI=,tag:eIFd/J0gk8AWkaBmkHXoxg==,type:str]
- ENC[AES256_GCM,data:ah50AImpMpFgRmu7IFsOKUO8WK+dcFSQakw=,iv:WyrXKk0WxD86A3nDu2kvjZD185LZhDwTx28g9tPvgFA=,tag:B/7Kv4FT9l3SjIuGboIkaQ==,type:str]
- ENC[AES256_GCM,data:5eFuaAUaRwrscxSSEOKpLxUrfgo+jfim,iv:6MQ10olVkkRzOaOf02vWKOrvmwgmEr1HedHpraprEaY=,tag:Kc2F03NjLMWmzHaByYHR9A==,type:str]
sops:
lastmodified: "2026-05-02T14:07:20Z"
mac: ENC[AES256_GCM,data:unn1TyPyIJZZZl3rB07iCjBJLP5dACsEowaHG2kPD7ItcLeZhz8gjy0Mz0lPgZXizBLtxdPxlH9W4DPZM6tIudghKovOg7ivoUlA78We87wOxACzAlLwG02vw4f5CKwopqEpdcl9aprLbg815IzcDdsKqSLHIw+Xdm0nW4rP+T0=,iv:YCoJhgO4hlcCcvVx/dxrIBR1677U9UREX26QPB8G/WY=,tag:PguKaLKr6wm93OgYgzEENQ==,type:str]
lastmodified: "2025-08-27T10:07:50Z"
mac: ENC[AES256_GCM,data:wb+0NBxUIqQUbCVsEZUTE7fAvFy+pxaxaD+zb76BploLk0qzB66Ui+xvArNW1RV8qOVTr/fLLxAcIfDlmN+HvJRFeUZLUhZroZXWIIElDN6O8IgzFRy3B+ps5bhVtkgUGACdmML9NJ7wCKEX67AqbuqquR/JagN55cDSTzhUvwk=,iv:qIu3X8SD5H/iKkJvwfK1aI0Rd4/fpt9ApIT5cpEDwVs=,tag:9nvr+LnN1RA8WQgtUg+GTA==,type:str]
pgp:
- created_at: "2026-05-02T14:07:18Z"
- created_at: "2025-08-27T10:07:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=SbhF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=uej8
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
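Review bot: `registry: noop` combined with `policy: upsert-only` is printed twice in this section, so it is on the new side whichever way the lost +/- markers fall, and it means external-dns keeps no ownership record and never removes a name it has published. Any Ingress host that matches `domainFilters` is pushed to the DNS backend and stays there after the workload is deleted, which deserves a comment above the key such as `# noop registry: no ownership tracking, records are never cleaned up; audit the zone by hand`. The `extraArgs` entries are SOPS-encrypted, so the flags actually passed cannot be reviewed from this page and should be checked against the decrypted file. The second `lastmodified` printed (2025-08-27) is older than the first (2026-05-02), which suggests the branch predates its base; if so, rebase before merging so the encrypted values and MAC are not rolled back.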


@@ -1,13 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: dashy
resources:
- namespace.yaml
- repository.yaml
- release.yaml
secretGenerator:
- name: dashy-values
files:
- values.yaml=values.yaml
configurations:
- kustomizeconfig.yaml


@@ -1,6 +0,0 @@
nameReference:
- kind: Secret
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: dashy


@@ -1,19 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: dashy
namespace: dashy
spec:
interval: 1m
chart:
spec:
reconcileStrategy: Revision
sourceRef:
kind: HelmRepository
name: dashy
namespace: dashy
chart: dashy
interval: 1m
valuesFrom:
- kind: Secret
name: dashy-values


@@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: dashy
namespace: dashy
spec:
interval: 1m
url: https://ivanwongtf.github.io/nas-helm-charts/


@@ -1,11 +0,0 @@
ingress:
main:
enabled: true
hosts:
- host: dashy.lan
paths:
- path: /
pathType: ImplementationSpecific
persistence:
data:
enabled: true