dns: fix local dns entry for bw-r740 machine

p330 server fully empty and gone, only r740 remains :)

dns/production/buildpath.win.yaml

@@ -3,7 +3,7 @@
 : - octodns:
       cloudflare:
         auto-ttl: true
-        proxied: true
+        proxied: false
     ttl: 300
     type: A
     value: 83.113.30.49
@@ -22,7 +22,7 @@ www:
   octodns:
     cloudflare:
       auto-ttl: true
-      proxied: true
+      proxied: false
   ttl: 300
   type: A
   value: 83.113.30.49

docker/infrastructure/network/traefik/traefik.yml

@@ -8,6 +8,8 @@ entryPoints:
       trustedIPs:
         - "127.0.0.1/32"
         - "10.1.2.11/32" # nginxproxymanager
+        - "10.1.2.152/32" # caddy
+        - "10.0.0.0/8" # caddy pods
 
 providers:
   docker:

docker/personal/media/music/navidrome/docker-compose.yml

@@ -14,7 +14,7 @@ services:
       ND_SESSIONTIMEOUT: 24h
       ND_BASEURL: "http://navidrome.lan"
       ND_PORT: 4533
-      ND_REVERSEPROXYWHITELIST: "172.20.0.0/16,10.1.2.11/32"
+      ND_REVERSEPROXYWHITELIST: "172.20.0.0/16,10.1.2.11/32,10.1.2.152/32"
     volumes:
       - data:/data
       - "music:/music:ro"

docker/personal/radicale/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   radicale:
-    image: tomsquest/docker-radicale:3.7.3.0
+    image: tomsquest/docker-radicale:3.7.2.0
     container_name: radicale
     ports:
       - 5232

infra/pve/docker.tf

@@ -1,137 +0,0 @@
-/* 
-* Docker machine terraform file
-*/
-
-resource "proxmox_virtual_environment_download_file" "debian-latest-cloudimg" {
-  content_type = "iso"
-  datastore_id = "local"
-  file_name = "debian-12-generic-amd64.qcow2.img"
-  node_name = "pve"
-  url = "https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-generic-amd64.qcow2"
-}
-
-resource "proxmox_virtual_environment_file" "docker-machine-cloud-config" {
-  content_type = "snippets"
-  datastore_id = "local"
-  node_name    = "pve"
-
-  source_raw {
-    data = <<-EOF
-    #cloud-config
-    package_update: true
-    packages:
-      - git
-      - ca-certificates
-      - wget
-      - curl
-      - gnupg2
-      - qemu-guest-agent
-      - nfs-common
-    runcmd:
-      - systemctl enable --now qemu-guest-agent
-      - install -m 0755 -d /etc/apt/keyrings
-      - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
-      - chmod a+r /etc/apt/keyrings/docker.asc
-      - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-      - apt-get update
-      - apt-get -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-      - docker swarm init
-      - git clone https://github.com/vhaudiquet/homeprod /root/homeprod
-      - mkdir /app
-      - echo "truenas.lan:/mnt/fast_app_data/docker-homeprod      /app     nfs     defaults,_netdev    0 0" >>/etc/fstab
-      - mount -t nfs truenas.lan:/mnt/fast_app_data/docker-homeprod /app
-      - echo "${var.sops_private_key}" | gpg --import
-    EOF
-    file_name = "docker-machine-cloud-config.yaml"
-  }
-}
-
-resource "proxmox_virtual_environment_vm" "docker-machine" {
-  name = "docker-machine"
-  node_name = "pve"
-  on_boot = true
-
-  agent {
-    enabled = true
-  }
-
-  tags = ["debian", "debian-latest", "docker", "terraform"]
-
-  cpu {
-    type = "host"
-    cores = 4
-    sockets = 1
-    flags = []
-  }
-
-  memory {
-    dedicated = 16192
-  }
-
-  network_device {
-    bridge = "vmbr0"
-    model = "virtio"
-    vlan_id = 2
-  }
-
-  lifecycle {
-    ignore_changes = [
-      network_interface_names,
-      mac_addresses,
-      ipv4_addresses,
-      ipv6_addresses,
-      id,
-      disk,
-      initialization,
-      vga
-    ]
-  }
-
-  boot_order = ["scsi0"]
-  scsi_hardware = "virtio-scsi-single"
-
-  vga {
-    type = "serial0"
-  }
-
-  disk {
-    interface = "scsi0"
-    iothread = true
-    datastore_id = "local-lvm"
-    size = 128
-    discard = "ignore"
-    file_id = proxmox_virtual_environment_download_file.debian-latest-cloudimg.id
-  }
-
-  vm_id = 701
-
-  initialization {
-    datastore_id = "local-lvm"
-    interface = "ide2"
-    
-    ip_config {
-      ipv4 {
-        address = "10.1.2.175/24"
-        gateway = "10.1.2.1"
-      }
-    }
-
-    user_account {
-      keys = [trimspace(var.ssh_public_key)]
-      password = var.machine_root_password
-      username = "root"
-    }
-
-    vendor_data_file_id = proxmox_virtual_environment_file.docker-machine-cloud-config.id
-  }
-
-  operating_system {
-    type = "l26"
-  }
-
-  tpm_state {
-    version = "v2.0"
-  }
-
-  serial_device {}
-}

infra/pve/docker/main.tf

@@ -1,39 +0,0 @@
-terraform {
-  required_providers {
-    docker = {
-      source  = "kreuzwerker/docker"
-      version = "3.6.2"
-    }
-  }
-}
-
-# Docker configuration
-provider "docker" {
-  host = "ssh://root@docker-machine.lan"
-}
-
-resource "docker_image" "swarm-cd" {
-  name = "ghcr.io/m-adawi/swarm-cd:latest"
-}
-
-resource "docker_container" "swarm-cd" {
-  name  = "swarm-cd"
-  image = docker_image.swarm-cd.image_id
-  volumes {
-      host_path = "/var/run/docker.sock"
-      container_path = "/var/run/docker.sock"
-      read_only = true
-  }
-  volumes {
-    host_path = "/root/homeprod/.swarmcd/repos.yaml"
-    container_path = "/app/repos.yaml"
-    read_only = true
-  }
-  volumes {
-    host_path = "/root/homeprod/.swarmcd/stacks.yaml"
-    container_path = "/app/stacks.yaml"
-    read_only = true
-  }
-
-  depends_on = [ docker_image.swarm-cd ]
-}

infra/pve/kube.tf

@@ -1,381 +0,0 @@
-/* 
-* Kubernetes cluster terraform file
-*/
-
-resource "proxmox_virtual_environment_download_file" "talos-cloudimg" {
-  content_type = "iso"
-  datastore_id = "local"
-  file_name = "talos-v1.11.1-nocloud-amd64.iso"
-  node_name = "pve"
-  url = "https://factory.talos.dev/image/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515/v1.11.1/nocloud-amd64.iso"
-}
-
-resource "proxmox_virtual_environment_vm" "kube" {
-  name = "kube-talos"
-  description = "Kubernetes Talos Linux"
-  tags = ["kubernetes", "talos", "terraform"]
-
-  node_name = "pve"
-  vm_id = 703
-  machine = "q35"
-  keyboard_layout = "fr"
-
-  agent {
-    enabled = true
-  }
-  stop_on_destroy = true
-
-  cpu {
-    cores = 4
-    type = "x86-64-v3"
-  }
-
-  memory {
-    dedicated = 16192
-    floating = 16192
-  }
-
-  boot_order = ["scsi0", "ide0"]
-  scsi_hardware = "virtio-scsi-single"
-
-  cdrom {
-    file_id = proxmox_virtual_environment_download_file.talos-cloudimg.id
-    interface = "ide0"
-  }
-
-  disk {
-    interface = "scsi0"
-    iothread = true
-    datastore_id = "local-lvm"
-    size = 128
-    discard = "ignore"
-    file_format = "raw"
-  }
-
-  vga {
-    type = "serial0"
-  }
-
-  initialization {
-    datastore_id = "local-lvm"
-    interface = "ide2"
-
-    ip_config {
-      ipv4 {
-        address = "10.1.2.187/24"
-        gateway = "10.1.2.1"
-      }
-    }
-
-    user_account {
-      keys = [trimspace(var.ssh_public_key)]
-      password = var.machine_root_password
-      username = "root"
-    }
-  }
-
-  lifecycle {
-    ignore_changes = [ 
-      ipv4_addresses, ipv6_addresses, network_interface_names
-     ]
-  }
-
-  network_device {
-    bridge = "vmbr0"
-    model = "virtio"
-    vlan_id = 2
-  }
-
-  operating_system {
-    type = "l26"
-  }
-
-  tpm_state {
-    version = "v2.0"
-  }
-
-  serial_device {}
-}
-
-resource "talos_machine_secrets" "kube" {}
-
-data "talos_machine_configuration" "kube" {
-  cluster_name = "kube"
-  machine_type = "controlplane"
-  cluster_endpoint = "https://kube-talos.lan:6443"
-  machine_secrets = talos_machine_secrets.kube.machine_secrets
-  config_patches = [
-    yamlencode({
-      machine = {
-        install = {
-          image = "factory.talos.dev/installer/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v1.11.1"
-        }
-        network = {
-          nameservers = [
-            "10.1.2.3"
-          ]
-        }
-      }
-      cluster = {
-        allowSchedulingOnControlPlanes = true
-        apiServer = {
-          certSANs = [
-            "kube-talos.lan"
-          ]
-        }
-        network = {
-          dnsDomain = "kube-talos.lan"
-          cni = {
-            name: "none"
-          }
-        }
-        proxy = {
-          disabled = true
-        }
-      }
-    })
-  ]
-}
-
-data "talos_client_configuration" "kube" {
-  cluster_name = "kube"
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  nodes = ["kube-talos"]
-}
-
-resource "talos_machine_configuration_apply" "kube" {
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  machine_configuration_input = data.talos_machine_configuration.kube.machine_configuration
-  node = "10.1.2.187" #proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
-  depends_on = [ proxmox_virtual_environment_vm.kube ]
-  lifecycle {
-    replace_triggered_by = [ proxmox_virtual_environment_vm.kube ]
-  }
-}
-
-resource "talos_machine_bootstrap" "kube" {
-  node = "10.1.2.187" #proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  depends_on = [ talos_machine_configuration_apply.kube ]
-  lifecycle {
-    replace_triggered_by = [ proxmox_virtual_environment_vm.kube ]
-  }
-}
-
-resource "talos_cluster_kubeconfig" "kube" {
-  node = proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0] # lo + 6 talos-created interfaces before eth0
-  depends_on = [ talos_machine_bootstrap.kube ]
-  client_configuration = talos_machine_secrets.kube.client_configuration
-}
-
-output "kubeconfig" {
-  sensitive = true
-  value = talos_cluster_kubeconfig.kube.kubeconfig_raw
-}
-
-resource "local_file" "kubeconfig" {
-    content     = "${talos_cluster_kubeconfig.kube.kubeconfig_raw}"
-    filename = "${path.module}/kubeconfig"
-    depends_on = [ talos_cluster_kubeconfig.kube ]
-}
-
-data "talos_client_configuration" "talosconfig" {
-  cluster_name = "homeprod"
-  client_configuration = talos_machine_secrets.kube.client_configuration
-  nodes = [proxmox_virtual_environment_vm.kube.ipv4_addresses[7][0]]
-}
-
-resource "local_file" "talosconfig" {
-    content     = "${data.talos_client_configuration.talosconfig.talos_config}"
-    filename = "${path.module}/talosconfig"
-    depends_on = [ data.talos_client_configuration.talosconfig ]
-}
-
-# TODO : Wait for talos_cluster_kubeconfig...
-resource "helm_release" "cilium" {
-  name = "cilium"
-  namespace = "kube-system"
-  repository = "https://helm.cilium.io/"
-  chart = "cilium"
-  wait = false
-  depends_on = [ local_file.kubeconfig ]
-
-  set {
-    name = "ipam.mode"
-    value = "kubernetes"
-  }
-  set {
-    name = "kubeProxyReplacement"
-    value = true
-  }
-  set {
-    name = "securityContext.capabilities.ciliumAgent"
-    value = "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
-  }
-  set {
-    name = "securityContext.capabilities.cleanCiliumState"
-    value = "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
-  }
-  set {
-    name = "cgroup.autoMount.enabled"
-    value = false
-  }
-  set {
-    name = "cgroup.hostRoot"
-    value = "/sys/fs/cgroup"
-  }
-  set {
-    name = "k8sServiceHost"
-    value = "localhost"
-  }
-  set {
-    name = "k8sServicePort"
-    value = 7445
-  }
-  set {
-    name = "etcd.clusterDomain"
-    value = "kube-talos.lan"
-  }
-  set {
-    name = "hubble.relay.enabled"
-    value = true
-  }
-  # Enable hubble ui
-  set {
-    name = "hubble.ui.enabled"
-    value = true
-  }
-  # Gateway API support
-  set {
-    name = "gatewayAPI.enabled"
-    value = true
-  }
-  set {
-    name = "gatewayAPI.enableAlpn"
-    value = true
-  }
-  set {
-    name = "gatewayAPI.enableAppProtocol"
-    value = true
-  }
-  # Gateway API trusted hops : for reverse proxy
-  set {
-    name = "gatewayAPI.xffNumTrustedHops"
-    value = 1
-  }
-  # Single-node cluster, so 1 operator only
-  set {
-    name = "operator.replicas"
-    value = 1
-  }
-  # L2 announcements
-  set {
-    name = "l2announcements.enabled"
-    value = true
-  }
-  set {
-    name = "externalIPs.enabled"
-    value = true
-  }
-  # Disable ingress controller (traefik will be used for now)
-  set {
-    name = "ingressController.enabled"
-    value = false
-  }
-  set {
-    name = "ingressController.loadbalancerMode"
-    value = "shared"
-  }
-  # Ingress controller for external : behind reverse proxy, trust 1 hop
-  set {
-    name = "envoy.xffNumTrustedHopsL7PolicyIngress"
-    value = 1
-  }
-  # Set cilium as default ingress controller
-  set {
-    name = "ingressController.default"
-    value = true
-  }
-  set {
-    name = "ingressController.service.externalTrafficPolicy"
-    value = "Local"
-  }
-}
-
-resource "kubernetes_namespace" "flux-system" {
-  metadata {
-    name = "flux-system"
-  }
-
-  lifecycle {
-    ignore_changes = [ metadata[0].annotations, metadata[0].labels ]
-  }
-
-  depends_on = [ talos_cluster_kubeconfig.kube, local_file.kubeconfig, helm_release.cilium ]
-}
-
-resource "kubernetes_secret" "flux-sops" {
-  metadata {
-    name = "flux-sops"
-    namespace = "flux-system"
-  }
-
-  type = "generic"
-
-  data = {
-    "sops.asc"=var.sops_private_key
-  }
-
-  depends_on = [ kubernetes_namespace.flux-system ]
-}
-
-resource "helm_release" "flux-operator" {
-  name = "flux-operator"
-  namespace = "flux-system"
-  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
-  chart = "flux-operator"
-  wait = true
-  depends_on = [ kubernetes_secret.flux-sops ]
-}
-
-resource "helm_release" "flux-instance" {
-  name = "flux"
-  namespace = "flux-system"
-  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
-  chart = "flux-instance"
-
-  values = [
-    file("values/components.yaml")
-  ]
-  set {
-    name = "instance.distribution.version"
-    value = "2.x"
-  }
-  set {
-    name = "instance.distribution.registry"
-    value = "ghcr.io/fluxcd"
-  }
-  set {
-    name = "instance.sync.name"
-    value = "homeprod"
-  }
-  set {
-    name = "instance.sync.kind"
-    value = "GitRepository"
-  }
-  set {
-    name = "instance.sync.url"
-    value = "https://github.com/vhaudiquet/homeprod"
-  }
-  set {
-    name = "instance.sync.path"
-    value = "kubernetes/"
-  }
-  set {
-    name = "instance.sync.ref"
-    value = "refs/heads/main"
-  }
-
-
-  depends_on = [ helm_release.flux-operator ]
-}

infra/pve/main.tf

@@ -1,46 +0,0 @@
-# Terraform providers configuration
-terraform {
-  required_providers {
-    proxmox = {
-      source = "bpg/proxmox"
-      version = "0.83.2"
-    }
-    talos = {
-      source  = "siderolabs/talos"
-      version = "0.9.0"
-    }
-    kubernetes = {
-      source = "hashicorp/kubernetes"
-      version = "2.38.0"
-    }
-    helm = {
-      source = "hashicorp/helm"
-      version = "2.17.0"
-    }
-  }
-}
-
-# Proxmox configuration
-provider "proxmox" {
-  endpoint = "https://pve.lan:8006/"
-  api_token = var.api_token
-  insecure = true
-  ssh {
-    agent    = true
-    username = "root"
-  }
-}
-
-# Talos configuration
-provider "talos" {}
-
-# Kubernetes configuration
-provider "kubernetes" {
-  config_path = "${path.module}/kubeconfig"
-}
-# Helm configuration
-provider "helm" {
-  kubernetes {
-    config_path = "${path.module}/kubeconfig"
-  }
-}

infra/pve/variables.tf

@@ -1,19 +0,0 @@
-variable "api_token" {
-  description = "Token to connect Proxmox API"
-  type = string
-}
-
-variable "machine_root_password" {
-  description = "Root password for VMs and containers"
-  type = string
-}
-
-variable "ssh_public_key" {
-  description = "Public SSH key authorized access for VMs and containers"
-  type = string
-}
-
-variable "sops_private_key" {
-  description = "Private SOPS GPG key for flux/kubernetes to decrypt secrets"
-  type = string
-}

infra/r740/kube/main.tf

@@ -44,7 +44,10 @@ data "talos_machine_configuration" "kube" {
         }
         network = {
           nameservers = [
-            "10.1.2.3"
+            # We need a set of nameservers that can work independently of kube
+            # to bootstrap. 
+            "10.1.2.148",
+            "1.1.1.1"
           ]
         }
         certSANs = [

infra/r740/kube/values/components.yaml

@@ -10,7 +10,7 @@ instance:
     type: kubernetes
     multitenant: false
     networkPolicy: true
-    domain: "kube-talos.lan"
+    domain: "cluster.local"
   kustomize:
     patches:
       - target:

kubernetes/code/gitea/release.yaml

@@ -12,6 +12,7 @@ spec:
         name: gitea
         namespace: gitea
       chart: gitea
+      version: '12.6.0'
       interval: 1m
   valuesFrom:
     - kind: Secret

kubernetes/code/gitea/values.yaml

@@ -1,5 +1,5 @@
 image:
-    tag: 1.25.5
+    tag: 1.26.2
 ingress:
     enabled: true
     hosts:
@@ -17,10 +17,10 @@ postgresql:
     global:
         postgresql:
             auth:
-                postgressPassword: ENC[AES256_GCM,data:MGHcVoXxZmaAaA==,iv:jzp5H+mT1mwbJvuDnlgfQBMsilAZcR9Wpdv1Bem8zvc=,tag:9vPppIbycDJfgRV45jkwFg==,type:str]
-                password: ENC[AES256_GCM,data:jm4ffAcu06Rqog==,iv:pBWzn+/Udl99Vv7bLRv37uNZjPY/xMqrvDgUw6o+Am8=,tag:Y8PEv+NoEr9YU86WVebZqQ==,type:str]
+                postgressPassword: ENC[AES256_GCM,data:kkMxHQT7J60iuQ==,iv:JvI007ZVrIIHmfuGAdmuRKAaRh8gCtiq6qM8Yp2IWkc=,tag:Jyba7SzI1xfi9TNkXynxnA==,type:str]
+                password: ENC[AES256_GCM,data:CRCV1V3w7Moy3Q==,iv:E+FS5bJciWJoF94xpC/L1laNmSLWrV0iZVNByr9H/5w=,tag:vCDiIy96vPnlE9sQVUzygA==,type:str]
                 database: gitea
-                username: ENC[AES256_GCM,data:OmrAE7E=,iv:ABU5b4rhwtxz0n8kwI7Nxqn0Cn//B4ScWJdYU3cE5ds=,tag:q/g0741vR06c5nDWGnTvYA==,type:str]
+                username: ENC[AES256_GCM,data:Dw/EEMs=,iv:HnuuzrPguaH4holONrijhhyysqcSsU/G2yQr8xdC7/c=,tag:L2/QifAkDlJTQE71EV/awA==,type:str]
     volumePermissions:
         enabled: true
 postgresql-ha:
@@ -41,8 +41,8 @@ gitea:
     oauth:
         - name: Authentik
           provider: openidConnect
-          key: ENC[AES256_GCM,data:BvrQCp1uuKsU+ghFqGDtDSXkx71byFQnOKSCU2iMLQebhsZdocZbJQ==,iv:WY3p4ygfc7CuEjK18Ktr2c/a5bDnCoyNSfKqjXwjZuY=,tag:INMKosSqPzJOCcZ9m3UKKQ==,type:str]
-          secret: ENC[AES256_GCM,data:7kWuHYZ+2UlLrlRC6bX54xu0EJ264pP3EkfycleNnE647+VNInviZ9OFdz+2E+Ujw5ktuU8Edl49ex/TZ3BLyBv5bgHgCySLIHrB9keEZIxuhnfV53csq7KmIvO+NALDbU2OlZZaiAyNMbJjRCSAxXRT2WtPVzadt6HkW3niiRE=,iv:4uWctDxVpRzqdErKp05WKuz7WYH5frktMe3gly4+VW0=,tag:isaFJX5Q+XaZnY1F2HFdfw==,type:str]
+          key: ENC[AES256_GCM,data:sWas2xxSbKqNVYlYDtwiiIdn8HXZoStZPeFkwl1nr1AlejB30i1HUw==,iv:NFcwnDIpFG+Kjr3kzeyKHEcXjxRLCiAkhFdP+fp1RiU=,tag:C31RLpMZkT6KBCJiTD0jjA==,type:str]
+          secret: ENC[AES256_GCM,data:CxPg3Dm/TH9q30Hm0uMZjxVeCkxDlb4QZLHKT21s53DBdrd4MbjwXFdYd9hXQ07Gp5XqR3caHukzKXRszcksoGXuXZtlDUv4/p0PGeWFnJBVBwy9BEzvpeK0VEyypk4pfcvxekMTOsdvHDVty9AFTRIBTk2UTHvvz62CbVLFaUk=,iv:KmzhXgEHBPzO8E3xWBLJiVGKmCZm0rTtpLEEMJRIpWU=,tag:fdiWV6+IbgSEgFdpBQFCKw==,type:str]
           autoDiscoverUrl: https://authentik.vhaudiquet.fr/application/o/gitea/.well-known/openid-configuration
     config:
         APP_NAME: Gitea
@@ -69,27 +69,27 @@ gitea:
             ISSUE_INDEXER_TYPE: bleve
             REPO_INDEXER_ENABLED: true
 sops:
-    lastmodified: "2026-04-05T11:32:32Z"
-    mac: ENC[AES256_GCM,data:etLsvUBjDtzqpwdP9jontcVmFRvvsy7z70Rcztvm6kNybRsWKss2hRarl+IhxBqI5rQYaWjON9BNpjIBjnmKVPiwV7lYF7cSTEiHrCCBrFyhwYKxgsgwZCWCfSgOLMlhTjI55wISPFyhHaC/O6CsuzcGRAQ52B2PZBaeY0vNgF4=,iv:aag0M1SJn7uVLu99wmGMp3Ms5jlJCTzkyGUsdzcrGAE=,tag:H2+gdObpNEnoDKaW3IT+wQ==,type:str]
+    lastmodified: "2026-05-28T15:35:45Z"
+    mac: ENC[AES256_GCM,data:5SokbHdILE0TuEC72R5ELHaTM7ZicBM3iYtFUD+lo7iMPXjiXSaCtq0k++uWvadD9dpBWkahWhdtoowP2V19fOfn63EnTEoo6FEIWq/7r78wDYuC+OGlTAfeBd4iwftuSdnlSEMzl4nplC0W3b0ozmfGkx+HyEB7AxlJy8A9y8g=,iv:Yw4R7eNlvF2wpppHw0CACl3BVdfgf7tM/ou5Ylw+3+A=,tag:E1szos8kGUaAakmgTCiz1A==,type:str]
     pgp:
-        - created_at: "2026-04-05T11:32:28Z"
+        - created_at: "2026-05-28T15:35:43Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ/+KsQV7ZuIF9YaJQjnLJk88FP661mApTJeQRo7MI/SIGTK
-            Xrj2j9EU2QRny/56YD6x/vqENQ8Appnew4ejtLEJY/wWmfSaSuO0JWk40tOa95od
-            YxQhYBi0/DuCTtLdLs1lrOH+GEKSQNbE8Srv6gmaWweu1yLHUye44M8DxOd+/dbf
-            5q4sRtldgpAm8EFjdZQcollzoFyUDiE/G1bpml4hbkHVJhlSfJHTGN6bq96yuG2l
-            et0MnNAMW2EJh3w6vGk1CJfEB6LUfR6KNUM4oPI3qVy9GeGDgTi4xv1cYAiVIcEv
-            hXfDrwDGm1pUakLklzKcJ9TpNokPCimax5O2dNDKBdFaGuGVfYzIzcSIY1W3qZV9
-            KfpaCtkfIDOtwUdjvxcdhpGbYYckcEz0TFtwTIIPeznQvyhtqNcNV9TDxmDoQiYG
-            l1iY2dSoi7Fae7HT0QDrxw8rV9L2d+1qPkiEz9yOq+oJGYzuIy7ygPO7X1x2vkYm
-            lXoxVyFrbH3K4Wb4ibukdAkrqQKZYnhqpxtvB/SFTlS90r2wewQSfivBTHT3yh3d
-            j0Zjr2Ga8fiFdmy5ELyj7oKO4AWY67eFe1TdfV9dPb0qO7tVph2NbcNyhgp59ejk
-            lUjJCJKlDyysu7VAvF8RzzQhfwBrZqar55Mou+HvrypOJpoCCKH9GNiemoudSx3S
-            XAH+uZb87/xPqJP5XyXqOvW4WvLNRxCUcHwur9USiluKZYhdtaYicTOy3iif+sD+
-            m80ahUph//L/9qTbNQU51AF1Lq0X6Mh0GkBa1b61iJu/PWizjlEEJS+/xpN5
-            =FJi9
+            hQIMA7uy4qQr71wiAQ/9FLxfMYXeLbLSoIJCwNnJWZrsTisWs1anGACDwRtvDfVP
+            7EQGFJYOUkmEJU4RTaMHSbNSvIhdi9L3mkHTB1jL9hGoNsJJCkIBTXuihsRNyIOr
+            UFVsNOtMU7juHe73F7MtFUQbAHHVzaN0PK9ufmInYOHR0+9lJF6J708QaGIWVEg0
+            zhnm5mjvha3jdd3Cr+vwSKyvyV4Lp8JA24c3LsaZlhlnHqBmTYUAYTRIszDJhmsA
+            CGOtW9d+XKswdeChnouF4oJJ1tXzut0F4d1uSFrAL3VEzq6xbYE7jRCxeFIbbww1
+            WtiHkoAruhieV/1i95WptLG1iE0Yh08NIyqgHvFwRDn+uBy2IaDKPN+Ws7FKRve7
+            wkyLGgW8gue3fkO0Mf7tyT6ce3QSS07eCGY1BV7sV+a+ph99nrT9zilapnI8S58V
+            3+p6jfOsCBrDp5Kgz3bPDRp4piZ3k4zWakS6ku7gZn7OUwQe79CX9XFOPSLaSMm4
+            8AXZz1P8H4JR1CJH0kIpfJMyfzsVuugYhXPsRN7Y1eGIZfcUbpiVlT+oUUgTtmp7
+            VNcvIbH4GMskzxOSEbMZy+Gq0nxAfd3OwBYtbXHTsh3ww5Tqavm2DTAriBrLjFLf
+            fNV/BlLhzGHdaw+Oe4o7AKHtpQTy7UIZHqI9nC9weN6hmbaAGOPYgir5pIwhCCrS
+            XgEWijY36VlqM41ecYHCfsmWmG5OPVAL/2iwzeBIfWViYn5Lb4/5j2Yh3TnJKk3N
+            y5hMEwbS8AvMinYeXrHYchOMjn63xQ2dA/4bBtzg7p3rkMYsdXU93Eey+SkqnX4=
+            =fPDh
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$

kubernetes/system/blocky/values.yaml

@@ -58,35 +58,35 @@ probes:
             failureThreshold: 30
 resources:
     limits:
+        cpu: 600m
+        memory: 768Mi
+    requests:
         cpu: 200m
         memory: 256Mi
-    requests:
-        cpu: 50m
-        memory: 64Mi
 # Full list of options https://github.com/0xERR0R/blocky/blob/main/docs/config.yml
 config: "upstreams:\n    groups:\n        default:\n            - 1.1.1.1\n            - 1.0.0.1\n        lan:\n            - 10.101.207.1\n\nconditional:\n    mapping:\n        lan: 10.101.207.1\n        cluster.local: 10.96.0.10\n        in-addr.arpa: 10.96.0.10\n\nblocking:\n    allowlists:\n        ads:\n            - |\n                dealabs.digidip.net\n                s.click.aliexpress.com\n                fonts.googleapis.com\n                fonts.gstatic.com\n                wl.spotify.com\n                www.googleadservices.com\n    \n    denylists:\n        ads:\n            - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts\n            - https://adaway.org/hosts.txt\n    \n    clientGroupsBlock:\n        default:\n            - ads\n    \n    blockType: zeroIp\n    blockTTL: 1m\n    loading:\n        refreshPeriod: 4h\n        downloads:\n            timeout: 60s\n\ncaching:\n    minTime: 5m\n    maxTime: 30m\n    # Disable negative caching (NXDOMAIN responses) for dynamic DNS\n    cacheTimeNegative: 0\n    prefetching: true\n    prefetchExpires: 2h\n    prefetchThreshold: 5\n\nprometheus:\n    enable: true\n    path: /metrics\n\nports:\n    dns: 53\n    http: 4000\n\nbootstrapDns: tcp+udp:1.1.1.1\n\nlog:\n    level: info\n    format: text\n    timestamp: true\n"
 sops:
-    lastmodified: "2026-05-02T17:51:26Z"
-    mac: ENC[AES256_GCM,data:J7EovwsXi2L9XocZoi5ann71DQ+wWZk2aCUbjvaGpv0yZC5g2HNccPVRvAj3y9SyMttLT8QlESXzHpEV2A6bOfmJf5v0ACYuWn5wKNlkaBdmTs1xwXp/RcpeOb+FCL9D+9hzjBO9XF6iXZLSj4pO/n1C0IhfeqYKdDC4tHkxOHA=,iv:Qm3Uh+UUSDWCxh7gWJ9x597aWXdMHxtpixE2BVlb6c8=,tag:aHbK26P4f9YV2uGLhpT6OA==,type:str]
+    lastmodified: "2026-05-26T22:01:30Z"
+    mac: ENC[AES256_GCM,data:PkXQH3Y+r4JUSRXJbNO+nQUhEvlQecvz5Jxwlb0bL3PPTi8Y8dCx9kxQAvMM9cijpcavGI04Fy0jRS07draTxlddzZ6FYqvVeu1FzQNtnVsobW/KNZ9mYIYPr9YEvybgHpdbbuO6lVjbERRrOLIFuECIpLoPX5D8+p8+43zBpAE=,iv:XJi6BsIC7wk7bqwSUFZMOwR3shYKjydvqBKNC55mmck=,tag:4C+QU5EAvUU+maw9txgGPQ==,type:str]
     pgp:
-        - created_at: "2026-05-02T17:51:25Z"
+        - created_at: "2026-05-26T22:01:29Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ/+Po8UdkiFGt0LmcvCeSE23aoWwY4qi2FsGKdik+7sL3RN
-            gOt/VQ6geefhd4YDhH0jfd7TDXs7UTtYvKQ+IaKcRUyOrZzhrfTpNeT/lXuaTkHf
-            LAUiqyprq1RDzxxIPvgMh4DynfehgN8B81iMJox2/fD0oV7B6dIIABvAl87gzANw
-            7snQLJwdhNXFylKfrdC9A4AfYz7ycXBzEyYlY5BMZENw9yBGgZ1dZITU2KxeYCo/
-            gdVTCevybSBQ/Cq0+hI25ZF+nEIGjrVCN2AxPEUO98ljp4OZEu0p6KsMB4xgCD2j
-            l5LN6YPAu95TRx/bZinoHMMzth6WhFdUG0Anj2cIIYXOcreyzPxYGj+vwRlZFrkZ
-            gTU2vfpt/1Wx8ORRqocCkxZ3dMtm4KsGqe3xpd1y84ezL/bMLxSApn5e7Zzn1cEg
-            DoLwJGnZzSY4nRzfoGXOv6mjyTUVkqNexRlL2wIsgDP9VP/ohS9K2fFZzzJ/fXa1
-            G9DUg64SwfYIFzAgsyWwdE3kCJ/GSIAgrgNwBfZlLGdfB/PB2BkHNpzX4LROUEcD
-            HqqHtVlUIikiFdDQWwB5tS+APBCO6VuzKl1z3ROgV6xhvr4ZYkd9CHYu1S1r1XAs
-            JRCyow0zTLRYGQnDD8+RPQ4MsbzJsugA8Ac4bE4sVJpP8hloZBqHb38AkoUruDTS
-            XgE+Nxcy0/aznBgEscE/VuY/GTH1vwYl5/dAcV8GDYcNmd1tE9E1QwWsSurHt39u
-            +QdGZYoUbHPtsk/zODgEVqn0iTsqO7Y4Qmu93bYlYFQwCygAPKKpCaqmmu2U+rI=
-            =hq5F
+            hQIMA7uy4qQr71wiAQ//USgWAGbn6zOOTw0agC/U0bVyWv9Ez0QTqi/TD9Yv+p1U
+            ksQhSFLs12LiBcH2j/fWs8KdEYJAwDqr7nZJsddz2gEVua223Z94cRiby10SvXfU
+            bH4jpRsdWXj3dH9AET6N+uqiXocfDASE7G2WZalmVOQtsFi1SSVsrcAm/ODts4As
+            7H224kR4/rxWaCEZ0i6S6r9n9wIZiUZGrBk80W8bK/JWBbl4zfgJ9tkzk4NMpJXh
+            TDpaYJxV0T8/kqk/gPaECfN5Il+WgvVL95hS5FI+AxWyeHwWPd5sUgeil0dPoDOj
+            DlNuCyVepSqOo325JH7VoU19YRwYZwh0By//0WHOI8WIjQYUxXTAvHJyg61RLNK9
+            eqwIO6t2QZRol03MjXE7DCeoWraCG0nS+DDF0qHu8bNnhYHcBpiG8d8Lj9xpME51
+            UL1iXSyh461jEcX+8yTImAFMn9Pvt9r+Iv2vT0ZJH8k2Fzxxli+RPL6CQY2qKY7E
+            ibPM0S7nVc8Kb7214xkniped4muzZF2vQJ8qmbcLu9sr9LV5d5Y13OF1NUdc3DTX
+            aRAiVErL2QJujoM5xxDC9CTu11e6TfLN9XysM31sCgDIXMb4fKjxYbJxKY99Y1+S
+            nQO2CiCUCb+hDLaWdmdSv/FY+1tKX67vrU9YeJ6XVJQhVhR+Rt30bvGkNwy34C/S
+            XAHh0aE8KlrY1eCIf5RAygKgLEa1cehKvaGQMOoHWrPfOQUrA6lCvFVSxnwwduIm
+            pJRbIgcsoLUPFffYcDdDmnvmSOfdCNm84k/CUiCtZxqgUkIX98KrZhAVXzCf
+            =mAAM
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$

kubernetes/system/coredns/zone-configmap.yaml

@@ -25,7 +25,7 @@ data:
 
     ; R740 and virtual machines
     r740            IN  A   10.1.1.223
-    bw-r740         IN  A   10.1.2.233
+    bw-r740         IN  A   10.1.2.117
     kube-r740       IN  A   10.1.2.171
     docker-r740     IN  A   10.1.2.212
     truenas         IN  A   10.1.2.139

kubernetes/system/traefik/values.yaml

@@ -8,35 +8,32 @@ ports:
                 - 127.0.0.1/32
                 # nginx-proxy
                 - 10.1.2.11/32
+                # caddy
+                - 10.1.2.152/32
+                - 10.0.0.0/8
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2025-03-22T13:26:30Z"
-    mac: ENC[AES256_GCM,data:PMUHyPCnIhmUo5N1mdoMhDLXaFN6Cl0IGuq8EG3MGtY5X1g1QboL5nI5o25evFbuXdZn9KB2AqgzPZBxykhVpz8W+mj987g4VeDJ7sU/OnJibHSo+ibqoo0NvQaAMukWevqI7fAQZoyI3PZi07mMGYw23h2cmaJmsuAuDnQ0CvA=,iv:RRV/BF7OXFmBJX5lXZjrG4+4jjbjzMrR8BByMo5hfwA=,tag:+lVLSfdjHeJjA3dKMiRIGA==,type:str]
+    lastmodified: "2026-05-26T11:18:08Z"
+    mac: ENC[AES256_GCM,data:mA5hLNB0rwSiGhnyi24AhZIPJsLpZ6PpbXDyoxZ0q6YjitrClxBEnn2dHtEl2MD6dSLmNMVxnnGyGtl7j4ahfqhuct+oPSepeWT1QX8Xj/mJ2Yrt8UZfGQ1R0Ye+rKGFybluMguCRufioGQpU3TLs2TxB6RxUAiGMI1GyT3JBDY=,iv:Pf617ZQBgYbGEsF7AOtyZBCPUycQ7U/D+Sdl+MCF4y0=,tag:tleTblRukBO0V+zfL05fQw==,type:str]
     pgp:
-        - created_at: "2025-03-22T13:26:30Z"
+        - created_at: "2026-05-26T11:18:08Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ/8DGnKyC/pNGEAuuxcZjoLQhK8TJ3NgNQ3HBVLGpbVBb3S
-            P/n94oPwwEbWXpdq1/MapFgaiAP3kXyv308c0CeIICQvg9xFeXK7/o/X3ucJu/YV
-            TiMsBUCAIWKrN4lmNr3wgnMDQiRs9myzgmzJv3KOpbQr5cYnrT51spWCD2Nnt6Xm
-            HfLyZrxGscW0lrRi6jeg/7lts3HYEs75i8xUS95pj5/a+7i83sfpaAFdkGcxV6Vq
-            285Ys7S86Hrp2T0QkADHMJMXmbeTV18Psfy2v9SXgqeRMq1XHQDn+nPPkYY0kmhs
-            7xVEwGHYLkKuyNmTm+ygsQAVGd/kCeqO+hsdKRtmJ5f4vh0w1ePftScqbfEwNuDl
-            ygEVUIoVhDYdUKnjwqjgiOxsx3Y6+RS4g3vg6gNWk1HunM24bzkFRP4w1lVYB07n
-            hDcQeP0bqo7hopJjvM0VtXbSJq81duBup9DyyPaXOf30p0c+l9it4XdoeR7JaZ/y
-            nJ22POfQYCoJyKpgdB/eReLd/2MqLhdnsCUTd+CNTS1+nCz1M4JziagXU9CspnqP
-            sCYylw6aC9XfzScZldpysdqes1/1ZC9F2QeL6ZO66IRV3xBk/5eSsyZ275DRZYAj
-            P4jf1UhA4U0LQoVPAjh9cA8SLm29MgfEwoFSLGx6wsJ//ibxMIlxku9gkiRRTkPU
-            aAEJAhCQKhc7EsDKh7GgrlPh0763p+CuZR7yMp2W1kY9nU/w/802SgYEyLdPW1aY
-            gG3zMpt1roTOQI7D0jM7NjcYOLeOHWR0ac00wqv3S7I9+4tXOxuHyTX6Og19Z3GV
-            OUgA2wzhUFtj
-            =2DEs
+            hQIMA7uy4qQr71wiAQ/+PJv3xyn1nqVN4ENsKv1GgMaCrmD+F1bpyCEM6quoOe1V
+            Q3jnfTrHNKQySQFS+56KdWkpvf54jUtl2N+v+mAT+02FkdH+fkFQc0rSfqfpwE7H
+            8peu9wY5+nVRp3sUEacJjCgu44dzzIu0MzO9aHZw/JMr1Z+OF3mMeZ1vVEp43i6E
+            ZwCd3HYBQVJ8DaSdkrT/a3r69dJZKYq3mL9XLYzc/6C4JFAF3oOO5Xzkx4BAQKrM
+            CDyVCJ6RihOyysiexRFGu72wIbiE1gSVqLAYzl8XDJyCcVOX8ZRuMh2ImGyuCXtI
+            8dANf39gf57Z3qM9ljNHgtUkFqcpeE66SdNCSeLK7pDl/02k6dPJr98+e0VtZPfv
+            xt/sFUnAppi5dI4I4AZ1upqFWH3zpud+3G+5CYnfn0yqSgysuJyqzSYv7rjJVStY
+            oMdKprkLGcdLc9FJm3yaPluCnTGpPCaBpvx1bUlQSCIHcrbNj98kHjnuSDcUjgBc
+            xpcWmknbsZ0SFnU8fhe/p80Ud7h2Ya5Hp+GY+FPV2YDeQf03YKLGXujsVhm0scpo
+            KtAALuJo8uP3vniAaY6E1eQVZ09psqR3lFHgaRIyLVbOGkvOoE/sMVcS/odcKhgw
+            Gr6bb2iQ9b0seITxk09HV84uRirzgR+R2A2bxD38ASRzbYwDyA0UnJMSJK+ZttfS
+            XgERXIWVWlTL77IVifpdu+7EU+ElyCzlTLHIb0uqywVS2o/LzE+OgR+1tSj0SVl0
+            +NvGYouZlrecytaBj8MG9thv9kK/vNShrl0QeAWNch3Qza7Xb8eLOhumqZVFI9U=
+            =JbZl
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
-    encrypted_regex: ^(password|ssh-key|api-key|user|username|privateKey|apiKey|extraArgs.*|extraEnvVars|.*secret.*|key|.*Password|.*\.ya?ml)$
-    version: 3.9.4
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2