Merge pull request #271 from vhaudiquet/dependabot/docker_compose/docker/home/esphome/esphome/esphome-2025.12.5

build(deps): bump esphome/esphome from 2025.12.3 to 2025.12.5 in /docker/home/esphome

.github/dependabot.yml

@@ -36,7 +36,6 @@ updates:
       - "/docker/production/semeryfr"
       - "/docker/production/vhaudiquetfr"
       - "/docker/tools/excalidraw"
-      - "/docker/tools/notesnook"
       - "/docker/tools/obsidian-livesync"
       - "/docker/tools/stirling-pdf"
   - package-ecosystem: "helm"
@@ -49,7 +48,9 @@ updates:
       - "/kubernetes/home/home-assisant"
       - "/kubernetes/infrastructure/authentik"
       - "/kubernetes/personal/linkwarden"
+      - "/kubernetes/personal/notesnook"
       - "/kubernetes/personal/photoprism"
+      - "/kubernetes/production/umami"
       - "/kubernetes/system/csi-driver-nfs"
       - "/kubernetes/system/external-dns"
       - "/kubernetes/system/traefik"

.swarmcd/stacks.yaml

@@ -163,13 +163,6 @@ excalidraw:
   branch: main
   compose_file: docker/tools/excalidraw/docker-compose.yml
 
-notesnook:
-  repo: homeprod
-  branch: main
-  compose_file: docker/tools/notesnook/docker-compose.yml
-  sops_files:
-    - docker/tools/notesnook/.env
-
 obsidian-livesync:
   repo: homeprod
   branch: main

docker/home/esphome/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   esphome:
-    image: ghcr.io/esphome/esphome:2025.11.3
+    image: ghcr.io/esphome/esphome:2025.12.5
     ports:
       - "6052"
     networks:

docker/home/matter-server/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   matter-server:
-    image: ghcr.io/home-assistant-libs/python-matter-server:8.1.0
+    image: ghcr.io/matter-js/python-matter-server:8.1.2
     container_name: matter-server
     restart: unless-stopped
     network_mode: host

docker/home/n8n/docker-compose.yml

@@ -1,9 +1,10 @@
 services:
   n8n:
-    image: docker.n8n.io/n8nio/n8n:1.122.5
+    image: docker.n8n.io/n8nio/n8n:2.2.6
     environment:
       - TZ=Europe/Paris
       - N8N_SECURE_COOKIE=false
+      - NODES_EXCLUDE="[]"
     ports:
       - "5678"
     networks:

docker/home/zigbee2mqtt/docker-compose.yml

@@ -2,7 +2,7 @@ services:
   zigbee2mqtt:
     container_name: zigbee2mqtt
     restart: unless-stopped
-    image: koenkk/zigbee2mqtt:2.7.0
+    image: koenkk/zigbee2mqtt:2.7.2
     networks:
       - default
       - proxy

docker/infrastructure/mail/roundcube/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   roundcube:
-    image: roundcube/roundcubemail:1.6.11-apache
+    image: roundcube/roundcubemail:1.6.12-apache
     container_name: roundcube
     networks:
       - default

docker/infrastructure/mail/stalwart/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   stalwart:
-    image: stalwartlabs/stalwart:v0.14.1
+    image: stalwartlabs/stalwart:v0.15.3
     container_name: stalwart
     networks:
       - default

docker/personal/gramps/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   grampsweb:
     container_name: grampsweb
-    image: ghcr.io/gramps-project/grampsweb:25.11.2
+    image: ghcr.io/gramps-project/grampsweb:25.12.0
     restart: always
     networks:
       - default
@@ -30,12 +30,12 @@ services:
       - "traefik.http.routers.grampsweb.rule=Host(`gramps.lan`)"
     healthcheck:
       test: curl -f http://127.0.0.1:5000 || exit 1
-      interval: 30s
-      retries: 6
+      interval: 1m
+      retries: 10
 
   grampsweb_celery:
     container_name: grampsweb_celery
-    image: ghcr.io/gramps-project/grampsweb:25.11.2
+    image: ghcr.io/gramps-project/grampsweb:25.12.0
     restart: always
     environment:
       - GRAMPSWEB_TREE="Gramps Web"  # will create a new tree if not exists

docker/personal/media/films-series/jackett/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   jackett:
     container_name: jackett
-    image: ghcr.io/hotio/jackett:release-0.24.402
+    image: ghcr.io/hotio/jackett:release-0.24.807
     ports:
       - "9117"
     networks:

docker/personal/media/films-series/jellyfin/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   jellyfin:
-    image: jellyfin/jellyfin:2025120105
+    image: jellyfin/jellyfin:2026010505
     container_name: jellyfin
     networks:
       - default

docker/personal/media/films-series/wizarr/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   wizarr:
     container_name: wizarr
-    image: ghcr.io/wizarrrr/wizarr:v2025.11.3
+    image: ghcr.io/wizarrrr/wizarr:v2025.12.0
     networks:
       - default
       - proxy

docker/personal/media/music/navidrome/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   navidrome:
-    image: deluan/navidrome:0.58.5
+    image: deluan/navidrome:0.59.0
     user: 1000:1000 # should be owner of volumes
     ports:
       - "4533"

docker/personal/paperless/docker-compose.yml

@@ -16,7 +16,7 @@ services:
       POSTGRES_DB: paperless
 
   paperless-webserver:
-    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.1
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.3
     restart: unless-stopped
     networks:
       - default

docker/personal/radicale/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   radicale:
-    image: tomsquest/docker-radicale:3.5.8.2
+    image: tomsquest/docker-radicale:3.5.10.0
     container_name: radicale
     ports:
       - 5232

docker/production/buildpath/.env

@@ -1,15 +1,17 @@
-ME_CONFIG_MONGODB_ADMINUSERNAME=ENC[AES256_GCM,data:GjWjDw==,iv:kBzyj+UsDd/el38BJFmn8CiDH0ojagZo91qyOAF7M8k=,tag:M7oaKZltblyTUp0ekD927w==,type:str]
-ME_CONFIG_MONGODB_ADMINPASSWORD=ENC[AES256_GCM,data:diSSmsCxW5A=,iv:6kEac9UIlp/ksuqbLrB75eoJA3ReGoJNs/Pnr3C26yA=,tag:xY+J92/KtEsoN2ziqGNZ6Q==,type:str]
-ME_CONFIG_MONGODB_URL=ENC[AES256_GCM,data:bUO+B5Bm7m/DUtCFpguFHQSyA7vkRbXcuPhYSNlpfnATVcgf,iv:WDSHNQyM5cnh1dxKAl0QXfXBmNfeoDjtZvKOeunvJAI=,tag:E0zwMGNECKYWvL/hFdanVg==,type:str]
-ME_CONFIG_BASICAUTH=ENC[AES256_GCM,data:nj4ofzIdqw==,iv:PkWzZ7mRaftatgX7Whk43S5W2r/M/QGgmLoJ2MIC3Dc=,tag:/J6R5bRgsUFiOectNaKnIw==,type:str]
-MONGO_USER=ENC[AES256_GCM,data:XopGfw==,iv:r2uoRr5k/nWSGiSOnseVze8UxeMxTnA174E2mWcxcO4=,tag:VWp076qsVpugr96cAwgiHQ==,type:str]
-MONGO_PASS=ENC[AES256_GCM,data:QY4VoeaySJU=,iv:STKUpM03rSmfSzkK1mmOP6IDmC4gOnyBUpYzTYylguo=,tag:AFx59JJavyf/qW4eEdn5Ug==,type:str]
-MONGO_HOST=ENC[AES256_GCM,data:iIPq+z4=,iv:Xrs9Z01H1/SnTGBTBHuFTCjU0CuCmHs0GABB6AL191E=,tag:LvgyigEAvac1tP6hF0O3+Q==,type:str]
-RIOT_API_KEY=ENC[AES256_GCM,data:Zi8LX8LuFcAtvX0gLUOOH2KjqOLWUeFWy//MQ1PBdUy/YXqbUJEOsszQ,iv:am8ZA80GQ/pxavda0AR5S3ps6WUXfnpVHb36hZvxroo=,tag:LFvcViq8GZhWD+f4d0904Q==,type:str]
-sops_lastmodified=2025-11-24T00:00:31Z
-sops_mac=ENC[AES256_GCM,data:z/Va9k5vTCwmoVntX693PcV95D+fKrlmfe75ldyfkowCrgG/vl7s8uglKjn+wUixMdjz+bDYqR/RXovq9KmXhJO4TYOJd0JZdTXWqn+Ekk8OxooPLOgUdPvrL6rc3Iz53AhplSvAcoLzstZf8Z2WRGNIGve3jONJLFdFI+rL1HQ=,iv:SKTJDTBB6OGqBSfKLjj+xHG7c3ierdCo7mmQ9/+Z/gg=,tag:J92wwQtIyofqqnbm/sYtpA==,type:str]
-sops_pgp__list_0__map_created_at=2025-11-24T00:00:31Z
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/+Ny6UKLVYWP+9bmkZcKBvQXuCti45eWD2NsEKWMtO2LoF\nw5qqzLS1DLWLMBFQz+sn35a6N/RBHfN2LeZehM0c3MKXeTQvkozoxY0Qsj/B4pds\n5XTYpF73wjBCqm48A3Bh3Y9JNl7IiEbbQmGfeunloAr2WWrKsX2ugb3Emay8UrQL\nNvaK8yLV8WfvOWopgeJfGTjV7IPEgW6CBKif8meSq1+D6YLNRbmqpup5eMnZPOWn\ngrH821Q3O8XrKKuALM9N7b+pyBWCqA/R2ohxkLsxHCHNVdDKMQiwGha7y+pu4Fz6\nfEymEw+BPFvwPhcpxMCeT3h1kEX1dbyrvuayrqilCuiSuWNybRNUr/Awpigc9swR\nslW4Tf8ojvnWurBrVbIHxT7uP6xpO9ByzrYCtHauPLuyerlt50GC4Rc6bcJ40Mml\ne0vhrCvoJfUNX+Hfy280rP8NP+K7tPXIhwAK8JRTIwebF1Z1V4qSbvblZlgjglPt\nq/kSy2QTkPfhAohCNEGQK2xkaCAgWhMHPZoYV2We4GCaPT81g6DH/JH/wwGg3uTD\nY15vhHitcgoe9Z9B4V+rW3LQcx59vfvsMkjdPpkzfjCPcOLicR+ZzmmACuZal6aa\n09N4nqd6ESLUc11u4ojcExfbRNbS8IrVRnJxUKe8neI8ANTBAQn/oIidi1OjixvS\nXgHF3afYw7it86b51pEhgwTQ3TxMC5rIix2UUk9EUHOMUxG86Dtf4Cs4S6x/a5q+\nfJ9q+931YCyRQDN3C9H+MSIYWa8d+xAf76ShVS0hW3+//X0Hel2HMb/VNX53jOY=\n=OcbU\n-----END PGP MESSAGE-----
+ME_CONFIG_MONGODB_ADMINUSERNAME=ENC[AES256_GCM,data:FdAhZA==,iv:YXd83wy5lKSybwYdmhXA2DwbVnffX/6R7gn3doDnI1E=,tag:BLYvP9IFNky37COZOgyJvw==,type:str]
+ME_CONFIG_MONGODB_ADMINPASSWORD=ENC[AES256_GCM,data:uvZn2q5dpbc=,iv:4ExRNf2gYK1W/VMKrcXNO5kPKjJmxml1uj44j643mvw=,tag:Xf2wKugbuOU3GlPYlLttIg==,type:str]
+ME_CONFIG_MONGODB_URL=ENC[AES256_GCM,data:porEOpLQZF2J5pvRaktvnoh76MhfjBZ3PN8dNwhNAfKs8ipO,iv:7kl+7+C1MaOGM0Gu0jzJEp1Wvl/xz0i5oW5U8EACMKs=,tag:3+xIM62x+2HMA1AggM4mww==,type:str]
+ME_CONFIG_BASICAUTH=ENC[AES256_GCM,data:lxxYUfK5cA==,iv:hbw6UUCxTZ9h+XJd0Wesz5T3L5MkBc+JA0SNUogtsOE=,tag:gCyyA6hOIcIvs+HyeqKs/A==,type:str]
+MONGO_USER=ENC[AES256_GCM,data:osGR9w==,iv:648Yv0sPTvq95q0jcRWSD14HZr6tN2I4ffw/STe38xY=,tag:rVK7sBlAuhsisPPyfnIPMg==,type:str]
+MONGO_PASS=ENC[AES256_GCM,data:2SloANMJ1mQ=,iv:PK2LyBfivEH1EjtRk76BPlnLXfAykC/F40skCeoK7NQ=,tag:JEZXKe4gNj36yLX5wlW5tQ==,type:str]
+MONGO_HOST=ENC[AES256_GCM,data:fwvt86U=,iv:YJam2joeQkaVCFUPpc7sPw6ucHpTauiJzC754VsgLPY=,tag:nUQVmxsYbmhlWwz01kHpsw==,type:str]
+MONGO_INITDB_ROOT_USERNAME=ENC[AES256_GCM,data:dSNu/Q==,iv:jJYxTZw06/npxgw5zaS5SSC4LyGzr/TLdu5JdDUtqFQ=,tag:d+q5DLS6AHakPnk9089XpQ==,type:str]
+MONGO_INITDB_ROOT_PASSWORD=ENC[AES256_GCM,data:uD3YRK4xCx8=,iv:jJVjuUBfDuiWa23UGa/n2z0uAkbr4N6Zo9Ee45R1tTs=,tag:RBn0jse9u795RHNc09cBqA==,type:str]
+RIOT_API_KEY=ENC[AES256_GCM,data:E+w0JQlYW7Bjn2wwnkb0hlYmq3ZteS2LB4NWo2l/o+30+uOTAYzpeDgy,iv:xPZmat+pexxgYxqlkBLlD6sorxRpPlBcwMbo8QDFwjg=,tag:5Loj4AGmr13HGKyVbDozqg==,type:str]
+sops_lastmodified=2025-12-31T13:08:07Z
+sops_mac=ENC[AES256_GCM,data:h+aeLcXC3s8gcIlwrU7fHwGIkp1caqMqJcQLdQmFnrtlP9gmx1iOZlZo8yRC8m+imIezhLfjI0yfHdPjyfxw9KTeNoCjNRKyDGfDhbHr0vfPQsrifjeaZj477634WA8MVcL8HrfVwZIHjh+I3fcgVI0kFbcI8/3lkEws/T4oD70=,iv:lc8ltcjngeHueLgXee539iIpIMjvcJpUAec1TGmJuY0=,tag:FkwHdQ0C4QxObEQFL6aefg==,type:str]
+sops_pgp__list_0__map_created_at=2025-12-31T13:08:07Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/+LVciLRpDVh/AlYawgSfwVs8ltal1+3MCHYhdwjFAggJ8\ng6twtj4szAVR7UbT0Qh2hP+my7KLLN1K+Rv/jnsXPhOFo0o8AB0Un+hCFB1i+KLd\ni6cWbv+jCqxRALf98TYe0xDMIfoPKXaIYjV2qlYmGWe3/Sd2+7KbwAKZCehZD1jV\nh21YVeVn7dlv3zPAp5mpH+6yPMp3ZSTAYa8MkUnnS3cUWlWSMHsGwlA9CUvJtKaz\ndkW6n90zEGJrfb6ATH2dPJawWNOp0q/Gcx2uci4Ro09U1jOK7ugSDWxjGOuV9TAL\nYsRYz7LH5yOLpz9HlrZH882SJWZS9xoEV8jOZN1I3NmtJY1KsgAW3BFEsbCA58Q5\nTZFKhH7XK9FW4NbRzHYxHCCZSfGtBCQyUpusGALXnQmkKHJ4MlnrxH9yBX7Go8ph\nCqQ7gvBmNjUZrgp+VWb8+ziDCfYbZDADV4cva4STcjnmFxRiFO1xvYEJpEo2H1gK\nQcMsOruazL3UGkZxWh2Od7bi1K+2Io/TNSKMTboTqgJAOcMO4Ssxn59yYhfDdS2i\n8/mlv4ADPOL4be1400/Tp33QpPnRojyJAM9b8IdJ6ahevVGjGuKPuvrzDs8lYwht\n6eKrbV3mHBv5ZUvSmeTOIwxE8moePDEkUrr3HCfxaaJcMrcjgSkGhCCN4KHbj8TS\nXgFGOX7/BZNOR1SyfBY1gc30Vdy3d7513Gpfcuwsd7Rc+0Ue+p4ysA3dBp+KWhVO\nPkfwdiVFOOvEPoUoanyUqMlvj3ENabNNmHc8jZ23FRxtlfbcyecTT+uckRXgvpU=\n=5/Ac\n-----END PGP MESSAGE-----
 sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.10.2

docker/production/buildpath/docker-compose.yml

@@ -1,16 +1,16 @@
 services:
   mongo:
     hostname: mongo
-    image: mongo:8.0.1
+    image: mongo:8.2.3
     restart: always
-    user: 2000:2000
+    user: root:root
     volumes:
-      - mongo_data:/data/db:Z
-      - mongo_data:/data/configdb:Z
+      - bpmongo_data:/data/db:Z
+      - bpmongo_config:/data/configdb:Z
     env_file: .env
 
   patch_detector:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-patch_detector:5ecd5f8a954031909425346d40c18ec89d97406c
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-patch_detector:de9406a583835dc0840da8586a6d539abdfb603f
     build: ./patch_detector
     restart: "no"
     deploy:
@@ -22,7 +22,7 @@ services:
 
 
   match_collector:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:5ecd5f8a954031909425346d40c18ec89d97406c
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-match_collector:de9406a583835dc0840da8586a6d539abdfb603f
     build: ./match_collector
     restart: "no"
     deploy:
@@ -33,7 +33,7 @@ services:
     env_file: .env
 
   frontend:
-    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:5ecd5f8a954031909425346d40c18ec89d97406c
+    image: git.vhaudiquet.fr/vhaudiquet/lolstats-frontend:de9406a583835dc0840da8586a6d539abdfb603f
     build: ./frontend
     restart: always
     networks:
@@ -48,12 +48,8 @@ services:
     env_file: .env
 
 volumes:
-  mongo_data:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/app/buildpath/data/_data'
+  bpmongo_data:
+  bpmongo_config:
 
 networks:
   proxy:

docker/production/vhaudiquetfr/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
   vhaudiquetfr:
     container_name: vhaudiquetfr
-    image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:bd5a8ff9fae266a2905e8421689caef2197e00cf
+    image: git.vhaudiquet.fr/vhaudiquet/vhaudiquet.fr:93dda1dd8445d885d96e8d3ec5937492a620b0d0
     networks:
       - default
       - proxy

docker/tools/notesnook/.env

@@ -1,22 +0,0 @@
-WEBRISK_API_URI=
-INSTANCE_NAME=ENC[AES256_GCM,data:qEEZGdAX83nTP2isYB1sVSUlfLiv6Xw=,iv:vdLcvAbaCd2bEpHfQVv2CQEHO3cFdvLfgEGIMS/lA2w=,tag:uPUhfd/nuuxegH2RXkADSA==,type:str]
-NOTESNOOK_API_SECRET=ENC[AES256_GCM,data:o9/2+nDeoBAXFE8R,iv:8Lzz6Flltia+pr6CmdaGaba8x/+KnIjhKdwJOkgX3ys=,tag:hHI3VZj/uOrmSMmhh+T4yA==,type:str]
-DISABLE_SIGNUPS=ENC[AES256_GCM,data:w1MjyQ==,iv:NKjhnLyPeOakGSMwVmOft7WtK6ggDYx0OucmUZId4Dc=,tag:wk5GpTs5xOMQ2S6w1MLjQA==,type:str]
-SMTP_USERNAME=ENC[AES256_GCM,data:N6/huGyOvYbkb580YyZ+5u3chhA=,iv:pyglhbFMwyRxI1k9bmMS0sr/x+5RXn/I+fKavdNUSCc=,tag:/XgQDqYugazoFb0NQJGjSg==,type:str]
-SMTP_PASSWORD=ENC[AES256_GCM,data:L2FG6mz9BlhuFfLNDa0=,iv:1P6ABsBleUYAn+Yz6qC3MbD2bR85HTrxM0aH8eRLVNY=,tag:IAggPwIHY5hobYobIGm8Qw==,type:str]
-SMTP_HOST=ENC[AES256_GCM,data:3NSiYgn8jooDDZLTuTgj8Jah,iv:k0sz5H35fv9xzgfyV/NyE9CUVJySFvgbIoKuq7s+VF4=,tag:W7Ce8BUIz5bULaPOwIcv/Q==,type:str]
-SMTP_PORT=ENC[AES256_GCM,data:AxM/,iv:tsQ8RA8f6YhxACcgUaHE3RgADcXB0hAd3dIkEtch0Bc=,tag:fxInjB435fi9XzLqdoOJwg==,type:str]
-NOTESNOOK_APP_PUBLIC_URL=ENC[AES256_GCM,data:DCTjjJBUapunw5wZpQEWZscUtOZiAoWJFw==,iv:e192t2+LDSh6YokJso2I2hD3Z2yRJ4g0QwUyRSnACBo=,tag:ULInUTM5qbGJlCrVpkDxIg==,type:str]
-AUTH_SERVER_PUBLIC_URL=ENC[AES256_GCM,data:9Nt/sTzOZwQZoaErm7epTw+buoWXQXQ8jZtlVZzLoiGDh7mjx9x9jQ==,iv:d0MvX6CWvEyx7YwIgGo3SIXV3hmZA3KqU5255gRhVAo=,tag:doKLa1njr4bK0lTy2i53DA==,type:str]
-NOTESNOOK_APP_PUBLIC_URL=ENC[AES256_GCM,data:tzfOXeT0jBubJnvcx+EHmHQJhXXyJjkgMw==,iv:HM5ykxZ9E5BwLOU1+6pY9777Tz7CmPS+JyrBLbIj7BA=,tag:/1NhvVLkq4w+yWWWs338bA==,type:str]
-MONOGRAPH_PUBLIC_URL=ENC[AES256_GCM,data:nTvb9xckE3Dwb8e3ngQimwbbEqu37kUgEQVJ9dKDAIAPkU7HumXMn3Y=,iv:QDjvaxuLWR80VL05C/lL17EVUpMsb8TF/9WRLw6fAPk=,tag:rdrAZlpJ5kY1O9QgmErBDQ==,type:str]
-ATTACHMENTS_SERVER_PUBLIC_URL=ENC[AES256_GCM,data:SxJr4/nJRij39l6EACQz83dg8IPiSe9PjD7i6l9xAkpyvA==,iv:rrj951k7KQ8+FbU8cenkBv3ESBB7B6dpcX8aLeVjtNk=,tag:nVQyawlBhd69f+3MIk/Ftg==,type:str]
-NOTESNOOK_CORS_ORIGINS=ENC[AES256_GCM,data:DOUsLeX882mGUKz1NcMhBRPydhoBYlxoyoSTSe6NEIiF9YM1TZwOBaJqw9zbdjy45zxzuvXxZmAFt+CL91/8oVHUMX2kBi1cT88W2nZU5g==,iv:sPUEYWPfTTR5o8Dm4rtFyD1rjkTkV9GgGlbZJPMPZGM=,tag:qNxvouzH/lgRZXWQtAGxsA==,type:str]
-NOTESNOOK_CORS=ENC[AES256_GCM,data:H4pMn0DbumkeWxLjbKqvd//hTKav7Yucz9QT/Nnvu0sLLOiDMg3exKQy33VEWFuGs3F4CuqzcT2tKmi3viXbGQ9CnNsZp6EhBv1eWBQ21g==,iv:RI8hq0B/HJ98HTKg5y9TAZGzTulokqeqghXej/J6UHA=,tag:cvm+i+oNND7/340fV/VdsQ==,type:str]
-sops_lastmodified=2025-10-15T14:21:43Z
-sops_mac=ENC[AES256_GCM,data:+1PYCITFsGvfXDUAFAaDW6gBqfi/cE8Hrp9yw/wuS6E2Q1iw1GGEiFzeK/IL57MUvAZSdQkmv2bNrnboeDBYhHhADdqJdqht1SNui50aEYdLaHHUFADx54b157Op6HLYSccG1J6Hm7riBeurCDUxpC0hJ1whLva2V/T73LnzAf0=,iv:fsmU91jFjSDNjDfaki1c00cS2cya4jcVwd3pbSl/VBs=,tag:SOitwcXraXgrJVmfuLkDKg==,type:str]
-sops_pgp__list_0__map_created_at=2025-10-15T14:21:43Z
-sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//Rp9OH/H6e414f5jzczN4JgAUcJ7iWvP7CfvPN6gMZiFf\nAHlzejEGhfSxyx8/HNrdWK2BQn1wEqKCTAfB4LtHFNXEvUlMUdxjbzVaqGk8YUQF\nrRduMHpHNamsalk+4Kz7oHWpjw994qxpypHvsFxczAH2NLzYD+brEovaRDi+XTUy\n+e64wNnLhDJS1Xtm2urF1dvs/XQmCYxIpANqGvMezS+vHT8fDQze9Ka1KJh+E/rp\nCFCu3rSbs74E4QjttDoHF1FgMqB1HnbyRStBnq62BjsUMGuV560m/9R76Q++QUBa\nG78pg87ixBtJib24eApeLRMqiIGCdSNxIPn2+b069k5Chp+KCuFl9OAxFUYWIuLs\nmzrizfMKY2iWxBbkn14p24dgHDTkIEnwTOIHSzXHy02AZFcY/Z15R/Yj/nsvnMzO\nUwY931MMoWjME5R/lWrLzBz9FniYxxPwosDzYPdJH9+tJIs4C9EQmmDbKR48inLF\nkNP/ZzNmmhosOHzAEVNlmOo955YTSeGwGLxTsqtpJzNesGnA5q+ENq5Li2v26RTm\nijZJG+U2MyM55jWdETm3bkPwZooUOxpKmJy1gaXNl8/b1Pp0t3fQRWKGGwhsFWsI\nZ8j2++lW+1Gu5EcpjvFH6jdEfDh1R4UMlRO/pyBpWDdBrCwxrPlOv/j2/ogCdEfS\nXgFQwcLcFtZleLH537SZLgf8IJhrKQr6MM8jQf1tv1sLZC0LF3Ojhw9zs8YrX821\nwg3kw0Vd0gsKxxcQHaoLHqwTV/dY0kSHjkbCzG53XT2+p97PFNjhAEKBvNovov8=\n=qFED\n-----END PGP MESSAGE-----
-sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC
-sops_unencrypted_suffix=_unencrypted
-sops_version=3.10.2

docker/tools/notesnook/docker-compose.yml

@@ -1,224 +0,0 @@
-services:
-  notesnook-db:
-    image: mongo:8.0.15
-    hostname: notesnookdb
-    user: mongodb:mongodb
-    volumes:
-      - dbdata:/data/db
-      - dbdata:/data/configdb
-    networks:
-      - notesnook
-    command: --replSet rs0 --bind_ip_all
-    healthcheck:
-      test: echo 'db.runCommand("ping").ok' | mongosh mongodb://localhost:27017 --quiet
-      interval: 40s
-      timeout: 30s
-      retries: 3
-      start_period: 60s
-
-  notesnook-s3:
-    image: minio/minio:RELEASE.2024-07-29T22-14-52Z
-    # ports:
-      # - 9000:9000
-    networks:
-      - notesnook
-      - proxy
-    volumes:
-      - s3data:/data/s3
-    environment:
-      MINIO_BROWSER: "on"
-    env_file: .env
-    command: server /data/s3 --console-address :9090
-    healthcheck:
-      test: timeout 5s bash -c ':> /dev/tcp/127.0.0.1/9000' || exit 1
-      interval: 40s
-      timeout: 30s
-      retries: 3
-      start_period: 60s
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.notesnook-s3.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/s3`)"
-      - "traefik.http.routers.notesnook-s3.middlewares=notesnook-s3"
-      - "traefik.http.middlewares.notesnook-s3.stripprefix.prefixes=/s3"
-      - "traefik.docker.network=proxy"
-      - "traefik.http.routers.notesnook-s3.entrypoints=http"
-
-  identity-server:
-    image: streetwriters/identity:v1.0-beta.5
-    ports:
-      - 8264
-    networks:
-      - notesnook
-      - proxy
-    env_file: .env
-    depends_on:
-      - notesnook-db
-    healthcheck:
-      test: wget --tries=1 -nv -q  http://localhost:8264/health -O- || exit 1
-      interval: 40s
-      timeout: 30s
-      retries: 3
-      start_period: 60s
-    environment:
-      NOTESNOOK_SERVER_PORT: 5264
-      NOTESNOOK_SERVER_HOST: notesnook-server
-      IDENTITY_SERVER_PORT: 8264
-      IDENTITY_SERVER_HOST: identity-server
-      SSE_SERVER_PORT: 7264
-      SSE_SERVER_HOST: sse-server
-      SELF_HOSTED: 1
-      IDENTITY_SERVER_URL: https://notesnook.vhaudiquet.fr/identity
-      NOTESNOOK_APP_HOST: https://app.notesnook.com
-      MONGODB_CONNECTION_STRING: mongodb://notesnookdb:27017/identity?replSet=rs0
-      MONGODB_DATABASE_NAME: identity
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.identity-server.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/identity`)"
-      - "traefik.http.routers.identity-server.middlewares=identity-server,notesnook-server-cors"
-      - "traefik.http.middlewares.identity-server.stripprefix.prefixes=/identity"
-      - "traefik.docker.network=proxy"
-      - "traefik.http.routers.identity-server.entrypoints=http"
-      - "traefik.http.services.identity-server.loadbalancer.server.port=8264"
-
-  notesnook-server:
-    image: streetwriters/notesnook-sync:v1.0-beta.5
-    ports:
-      - 5264
-    networks:
-      - notesnook
-      - proxy
-    env_file: .env
-    depends_on:
-      - notesnook-s3
-      - identity-server
-    healthcheck:
-      test: wget --tries=1 -nv -q  http://localhost:5264/health -O- || exit 1
-      interval: 40s
-      timeout: 30s
-      retries: 3
-      start_period: 60s
-    environment:
-      NOTESNOOK_SERVER_PORT: 5264
-      NOTESNOOK_SERVER_HOST: notesnook-server
-      IDENTITY_SERVER_PORT: 8264
-      IDENTITY_SERVER_HOST: identity-server
-      SSE_SERVER_PORT: 7264
-      SSE_SERVER_HOST: sse-server
-      SELF_HOSTED: 1
-      IDENTITY_SERVER_URL: https://notesnook.vhaudiquet.fr/identity
-      NOTESNOOK_APP_HOST: https://app.notesnook.com
-      MONGODB_CONNECTION_STRING: mongodb://notesnookdb:27017/?replSet=rs0
-      MONGODB_DATABASE_NAME: notesnook
-      S3_INTERNAL_SERVICE_URL: "http://notesnook-s3:9000"
-      S3_INTERNAL_BUCKET_NAME: "attachments"
-      S3_ACCESS_KEY_ID: "${MINIO_ROOT_USER:-minioadmin}"
-      S3_ACCESS_KEY: "${MINIO_ROOT_PASSWORD:-minioadmin}"
-      S3_SERVICE_URL: "${ATTACHMENTS_SERVER_PUBLIC_URL}"
-      S3_REGION: "us-east-1"
-      S3_BUCKET_NAME: "attachments"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.notesnook-server.rule=Host(`notesnook.vhaudiquet.fr`)"
-      - "traefik.http.services.notesnook-server.loadbalancer.server.port=5264"
-      - "traefik.docker.network=proxy"
-      - "traefik.http.routers.notesnook-server.entrypoints=http"
-      - "traefik.http.routers.notesnook-server.middlewares=notesnook-server-cors"
-      - "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolalloworiginlist=*"
-      - "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolallowmethods=*"
-      - "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolallowheaders=*"
-      - "traefik.http.middlewares.notesnook-server-cors.headers.accesscontrolallowcredentials=true"
-  
-  sse-server:
-    image: streetwriters/sse:v1.0-beta.5
-    ports:
-      - 7264
-    env_file: .env
-    depends_on:
-      - identity-server
-      - notesnook-server
-    networks:
-      - notesnook
-      - proxy
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.sse-server.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/sse`)"
-      - "traefik.http.services.sse-server.loadbalancer.server.port=7264"
-      - "traefik.http.routers.sse-server.middlewares=sse-server,notesnook-server-cors"
-      - "traefik.http.middlewares.sse-server.stripprefix.prefixes=/sse"
-      - "traefik.docker.network=proxy"
-      - "traefik.http.routers.sse-server.entrypoints=http"
-    healthcheck:
-      test: wget --tries=1 -nv -q  http://localhost:7264/health -O- || exit 1
-      interval: 40s
-      timeout: 30s
-      retries: 3
-      start_period: 60s
-    environment:
-      NOTESNOOK_SERVER_PORT: 5264
-      NOTESNOOK_SERVER_HOST: notesnook-server
-      IDENTITY_SERVER_PORT: 8264
-      IDENTITY_SERVER_HOST: identity-server
-      SSE_SERVER_PORT: 7264
-      SSE_SERVER_HOST: sse-server
-      SELF_HOSTED: 1
-      IDENTITY_SERVER_URL: https://notesnook.vhaudiquet.fr/identity
-      NOTESNOOK_APP_HOST: https://app.notesnook.com
-
-  monograph-server:
-    image: streetwriters/monograph:1.2.4
-    # ports:
-      # - 6264:3000
-    env_file: .env
-    depends_on:
-      - notesnook-server
-    networks:
-      - notesnook
-      - proxy
-    healthcheck:
-      test: wget --tries=1 -nv -q  http://localhost:3000/api/health -O- || exit 1
-      interval: 40s
-      timeout: 30s
-      retries: 3
-      start_period: 60s
-    environment:
-      NOTESNOOK_SERVER_PORT: 5264
-      NOTESNOOK_SERVER_HOST: notesnook-server
-      IDENTITY_SERVER_PORT: 8264
-      IDENTITY_SERVER_HOST: identity-server
-      SSE_SERVER_PORT: 7264
-      SSE_SERVER_HOST: sse-server
-      SELF_HOSTED: 1
-      IDENTITY_SERVER_URL: https://notesnook.vhaudiquet.fr/identity
-      NOTESNOOK_APP_HOST: https://app.notesnook.com
-      API_HOST: http://notesnook-server:5264
-      MONOGRAPH_PUBLIC_URL: https://notesnook.vhaudiquet.fr/monograph
-      PUBLIC_URL: https://notesnook.vhaudiquet.fr/monograph
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.monograph-server.rule=Host(`notesnook.vhaudiquet.fr`) && PathPrefix(`/monograph`)"
-      - "traefik.http.routers.monograph-server.middlewares=monograph-server,notesnook-server-cors"
-      - "traefik.http.middlewares.monograph-server.stripprefix.prefixes=/monograph"
-      - "traefik.docker.network=proxy"
-      - "traefik.http.routers.monograph-server.entrypoints=http"
-      - "traefik.http.services.monograph-server.loadbalancer.server.port=3000"
-
-networks:
-  notesnook:
-
-  proxy:
-    name: proxy
-    external: true
-
-volumes:
-  dbdata:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/app/notesnook/dbdata/_data'
-  s3data:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/app/notesnook/s3data/_data'

infra/r740/kube/main.tf

@@ -0,0 +1,311 @@
+terraform {
+  required_providers {
+    talos = {
+      source  = "siderolabs/talos"
+      version = "0.9.0"
+    }
+    kubernetes = {
+      source = "hashicorp/kubernetes"
+      version = "2.36.0"
+    }
+    helm = {
+      source = "hashicorp/helm"
+      version = "2.17.0"
+    }
+  }
+}
+
+# Talos configuration
+provider "talos" {}
+
+# Kubernetes configuration
+provider "kubernetes" {
+  config_path = "${path.module}/kubeconfig"
+}
+# Helm configuration
+provider "helm" {
+  kubernetes {
+    config_path = "${path.module}/kubeconfig"
+  }
+}
+
+resource "talos_machine_secrets" "kube" {}
+
+data "talos_machine_configuration" "kube" {
+  cluster_name = "kube-${var.physical_hostname}"
+  machine_type = "controlplane"
+  cluster_endpoint = "https://${var.kube_host}:6443"
+  machine_secrets = talos_machine_secrets.kube.machine_secrets
+  config_patches = [
+    yamlencode({
+      machine = {
+        install = {
+          image = "factory.talos.dev/installer/ce4c980550dd2ab1b17bbf2b08801c7eb59418eafe8f279833297925d67c7515:v1.11.5"
+        }
+        network = {
+          nameservers = [
+            "10.1.2.3"
+          ]
+        }
+        certSANs = [
+          "${var.kube_host}", "${var.kube_hostname}"
+        ]
+      }
+      cluster = {
+        clusterName = "kube-${var.physical_hostname}"
+        allowSchedulingOnControlPlanes = true
+        apiServer = {
+          certSANs = [
+            "${var.kube_host}", "${var.kube_hostname}"
+          ]
+        }
+        network = {
+          dnsDomain = "cluster.local"
+          cni = {
+            name: "none"
+          }
+        }
+        proxy = {
+          disabled = true
+        }
+      }
+    })
+  ]
+}
+
+data "talos_client_configuration" "kube" {
+  cluster_name = "kube-${var.physical_hostname}"
+  client_configuration = talos_machine_secrets.kube.client_configuration
+  nodes = ["${var.kube_host}"]
+}
+
+resource "talos_machine_configuration_apply" "kube" {
+  client_configuration = talos_machine_secrets.kube.client_configuration
+  machine_configuration_input = data.talos_machine_configuration.kube.machine_configuration
+  node = var.kube_host
+  depends_on = [ talos_machine_secrets.kube ]
+}
+
+resource "talos_machine_bootstrap" "kube" {
+  node = var.kube_host
+  client_configuration = talos_machine_secrets.kube.client_configuration
+  depends_on = [ talos_machine_configuration_apply.kube, talos_machine_secrets.kube ]
+}
+
+resource "talos_cluster_kubeconfig" "kube" {
+  node = var.kube_host
+  depends_on = [ talos_machine_bootstrap.kube ]
+  client_configuration = talos_machine_secrets.kube.client_configuration
+}
+
+output "kubeconfig" {
+  sensitive = true
+  value = talos_cluster_kubeconfig.kube.kubeconfig_raw
+}
+
+resource "local_file" "kubeconfig" {
+    content     = "${talos_cluster_kubeconfig.kube.kubeconfig_raw}"
+    filename = "${path.module}/kubeconfig"
+    depends_on = [ talos_cluster_kubeconfig.kube ]
+}
+
+data "talos_client_configuration" "talosconfig" {
+  cluster_name = "kube-${var.physical_hostname}"
+  client_configuration = talos_machine_secrets.kube.client_configuration
+  nodes = [var.kube_host]
+}
+
+resource "local_file" "talosconfig" {
+    content     = "${data.talos_client_configuration.talosconfig.talos_config}"
+    filename = "${path.module}/talosconfig"
+    depends_on = [ data.talos_client_configuration.talosconfig ]
+}
+
+# TODO : Wait for talos_cluster_kubeconfig...
+resource "helm_release" "cilium" {
+  name = "cilium"
+  namespace = "kube-system"
+  repository = "https://helm.cilium.io/"
+  chart = "cilium"
+  wait = false
+  depends_on = [ local_file.kubeconfig, talos_cluster_kubeconfig.kube ]
+
+  set {
+    name = "ipam.mode"
+    value = "kubernetes"
+  }
+  set {
+    name = "kubeProxyReplacement"
+    value = true
+  }
+  set {
+    name = "securityContext.capabilities.ciliumAgent"
+    value = "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}"
+  }
+  set {
+    name = "securityContext.capabilities.cleanCiliumState"
+    value = "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}"
+  }
+  set {
+    name = "cgroup.autoMount.enabled"
+    value = false
+  }
+  set {
+    name = "cgroup.hostRoot"
+    value = "/sys/fs/cgroup"
+  }
+  set {
+    name = "k8sServiceHost"
+    value = "localhost"
+  }
+  set {
+    name = "k8sServicePort"
+    value = 7445
+  }
+  set {
+    name = "etcd.clusterDomain"
+    value = "cluster.local"
+  }
+  set {
+    name = "hubble.relay.enabled"
+    value = true
+  }
+  # Enable hubble ui
+  set {
+    name = "hubble.ui.enabled"
+    value = true
+  }
+  # Gateway API support
+  set {
+    name = "gatewayAPI.enabled"
+    value = true
+  }
+  set {
+    name = "gatewayAPI.enableAlpn"
+    value = true
+  }
+  set {
+    name = "gatewayAPI.enableAppProtocol"
+    value = true
+  }
+  # Gateway API trusted hops : for reverse proxy
+  set {
+    name = "gatewayAPI.xffNumTrustedHops"
+    value = 1
+  }
+  # Single-node cluster, so 1 operator only
+  set {
+    name = "operator.replicas"
+    value = 1
+  }
+  # L2 announcements
+  set {
+    name = "l2announcements.enabled"
+    value = true
+  }
+  set {
+    name = "externalIPs.enabled"
+    value = true
+  }
+  # Disable ingress controller (traefik will be used for now)
+  set {
+    name = "ingressController.enabled"
+    value = false
+  }
+  set {
+    name = "ingressController.loadbalancerMode"
+    value = "shared"
+  }
+  # Ingress controller for external : behind reverse proxy, trust 1 hop
+  set {
+    name = "envoy.xffNumTrustedHopsL7PolicyIngress"
+    value = 1
+  }
+  # Set cilium as default ingress controller
+  set {
+    name = "ingressController.default"
+    value = true
+  }
+  set {
+    name = "ingressController.service.externalTrafficPolicy"
+    value = "Local"
+  }
+}
+
+resource "kubernetes_namespace" "flux-system" {
+  metadata {
+    name = "flux-system"
+  }
+
+  lifecycle {
+    ignore_changes = [ metadata[0].annotations, metadata[0].labels ]
+  }
+
+  depends_on = [ talos_cluster_kubeconfig.kube, local_file.kubeconfig, helm_release.cilium ]
+}
+
+resource "kubernetes_secret" "flux-sops" {
+  metadata {
+    name = "flux-sops"
+    namespace = "flux-system"
+  }
+
+  type = "generic"
+
+  data = {
+    "sops.asc"=var.sops_private_key
+  }
+
+  depends_on = [ kubernetes_namespace.flux-system ]
+}
+
+resource "helm_release" "flux-operator" {
+  name = "flux-operator"
+  namespace = "flux-system"
+  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
+  chart = "flux-operator"
+  wait = true
+  depends_on = [ kubernetes_secret.flux-sops ]
+}
+
+resource "helm_release" "flux-instance" {
+  name = "flux"
+  namespace = "flux-system"
+  repository = "oci://ghcr.io/controlplaneio-fluxcd/charts"
+  chart = "flux-instance"
+
+  values = [
+    file("values/components.yaml")
+  ]
+  set {
+    name = "instance.distribution.version"
+    value = "2.x"
+  }
+  set {
+    name = "instance.distribution.registry"
+    value = "ghcr.io/fluxcd"
+  }
+  set {
+    name = "instance.sync.name"
+    value = "homeprod"
+  }
+  set {
+    name = "instance.sync.kind"
+    value = "GitRepository"
+  }
+  set {
+    name = "instance.sync.url"
+    value = "https://github.com/vhaudiquet/homeprod"
+  }
+  set {
+    name = "instance.sync.path"
+    value = "kubernetes/"
+  }
+  set {
+    name = "instance.sync.ref"
+    value = "refs/heads/main"
+  }
+
+
+  depends_on = [ helm_release.flux-operator ]
+}

infra/r740/kube/variables.tf

@@ -0,0 +1,16 @@
+variable "sops_private_key" {
+  description = "Private SOPS GPG key for flux/kubernetes to decrypt secrets"
+  type = string
+}
+variable "kube_hostname" {
+  description = "Kubernetes cluster hostname"
+  type = string
+}
+variable "kube_host" {
+  description = "Kubernetes cluster host"
+  type = string
+}
+variable "physical_hostname" {
+  description = "Host name of the physical host for the kubernetes VM"
+  type = string
+}

infra/r740/proxmox/docker.tf

@@ -24,6 +24,7 @@ resource "proxmox_virtual_environment_file" "docker-machine-cloud-config" {
       - qemu-guest-agent
       - nfs-common
     runcmd:
+      - systemctl mask tmp.mount
       - systemctl enable --now qemu-guest-agent
       - install -m 0755 -d /etc/apt/keyrings
       - curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc

kubernetes/code/gitea/values.yaml

@@ -1,5 +1,5 @@
 image:
-    tag: 1.24.3
+    tag: 1.25.3
 ingress:
     enabled: true
     hosts:
@@ -17,10 +17,10 @@ postgresql:
     global:
         postgresql:
             auth:
-                postgressPassword: ENC[AES256_GCM,data:Lqe5Sx1rYyHK6g==,iv:nORpoyPzjAMghIeufPNrUnG7pi0YszOYwaWUdl2IyEc=,tag:cOzImE2HlZhItR7OGoJmgQ==,type:str]
-                password: ENC[AES256_GCM,data:AkUd6d32sjBZig==,iv:IaMaIvyCKQy2lq82HxsEeiLf7j+6+p3rV8jCMRysgTo=,tag:tLK1tim6i1EeK4bJyFptfg==,type:str]
+                postgressPassword: ENC[AES256_GCM,data:wi0/uHE8IGcy+g==,iv:zSKYKgJ5SkGMJnJstUZIESpo03BhDOeG7ZKlZzaSsog=,tag:d5Vye+jdCrLXmv8tAqFSnw==,type:str]
+                password: ENC[AES256_GCM,data:w8x48V/wQlgRPQ==,iv:m1BvWULmBVriSygqIkhkB/91wsAP62HZySy4KgpLJLw=,tag:bw+f0orhIqtfzXozNHuyHQ==,type:str]
                 database: gitea
-                username: ENC[AES256_GCM,data:jVMd2yM=,iv:bKIg47uWcsHZIB9o3LFrppWY/HvNAGRra1gHtt9zOf8=,tag:6872w7HOGAoVy6RhayqwbQ==,type:str]
+                username: ENC[AES256_GCM,data:ES78eak=,iv:9Pw1v/0CyZXoboevc99+jpAs+6INV+KM4HZt1XRFlVU=,tag:Q2n8Amg9tB3f09VwSVebtA==,type:str]
     volumePermissions:
         enabled: true
 postgresql-ha:
@@ -41,8 +41,8 @@ gitea:
     oauth:
         - name: Authentik
           provider: openidConnect
-          key: ENC[AES256_GCM,data:taMkaU5kqwgKbSjPOT345KIE5SICdnjQRzVs6YKGcMGomkUKJRq7Cw==,iv:9UhNZ4jj1Hl4gS5xcBLTTGtlELqvNfGjxB08nRk9Gig=,tag:fRMTXQRyEgs2euN4bj7H+w==,type:str]
-          secret: ENC[AES256_GCM,data:D/14Oe3iE02HgiQ/dC5pfXHEC8HFoFm8Xp7LAC4kMlj0F2hx/ep516IJrC9J8s2KuutqT9WLRO4Fh6eaLh4M4zOr3rlxiLEq/fnIc5hvDsTxZAyWK7QUHv7d5/zCa8XCib0xxeX180lIR/DUNTv4OrtQBYg/uSUO/8x/Kze83Z0=,iv:X+XWtvYn8w+LUsXk4j1mFdEoRdpEIVMzw6TNGFY5YzQ=,tag:WcQ6MT3mdsxQOsTqA5PZbQ==,type:str]
+          key: ENC[AES256_GCM,data:3e/XN6dAoE2J6ag5xkRP9LU2FT4rrsWB0DXv6ucksPW9Fkg6ZPwVLg==,iv:toID+fZWmMemwQt6DEZPk97xmdTbujVYUdNYesJykDM=,tag:2MTySscnX/PMruEbJhe4iA==,type:str]
+          secret: ENC[AES256_GCM,data:8WBfYnDZsBnHm7FkS3cvgo7rIFwfnf9hw71oLdzTjhZkVVYA7nFk7FhhxFtA+WaFfZlhjemcYhhbHCw6zekwaKqNmczto8lbYgbhvDfx2oOUkVk33EbNb/3VTfZbIfsII0lBNanGBP/GsD+TPq535QPLnoTa70cgo5ihzYqJzQA=,iv:+GDXnjLrzKSwHNR3h/TXR1h3ZaVwAG9SdbDOS4CQikc=,tag:NAfSSp7reK5JpMgVLigExA==,type:str]
           autoDiscoverUrl: https://authentik.vhaudiquet.fr/application/o/gitea/.well-known/openid-configuration
     config:
         APP_NAME: Gitea
@@ -69,27 +69,27 @@ gitea:
             ISSUE_INDEXER_TYPE: bleve
             REPO_INDEXER_ENABLED: true
 sops:
-    lastmodified: "2025-12-05T19:41:30Z"
-    mac: ENC[AES256_GCM,data:vnq6D9k/4JOdkMr4YOJRRZhWjJBakzmtuk50vmTzO5cpkK97sjCZRm4CtCnolmUZxvUgLtENjUKxt3Mr8IWbd+xWQDx+sa/ZEoncK2zxOOJnMsdRtbVY0zeuK2wWgncEFxbudGo2tewBd4qLiwBeIaMgMrhIHluB+iahKgoTqw0=,iv:ENoRWvGBtvfaBbLytmd1gAyeg7L6iyewfTkUYmee8Cg=,tag:IF7Df8OOxH2HAhJeOhW3zA==,type:str]
+    lastmodified: "2026-01-03T10:30:06Z"
+    mac: ENC[AES256_GCM,data:cPqxcS0hMiof5YqTTcop9ofH77Teuf6pqp8zInQ9a9rqz7QxjOA88jLBOV/RitirwADebs0E3RnH8z6QdEv62xrOvbBO2BxLFOSnnWQtuAUXSuVxaDLiLiUQIzo53A8mB14jh9i6VfHzlScQg0u4gHzQkQy5ejato80uHqdlIxY=,iv:fKRjCeS8VRauzPCodW2aZhMQlyoqnzc9zsHPBgrOrg8=,tag:z3ZTTaKtU/SmH3skQ+Qsqg==,type:str]
     pgp:
-        - created_at: "2025-12-05T19:41:30Z"
+        - created_at: "2026-01-03T10:30:06Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiAQ//S/uYUC8ZESfaeLPGbat+vWkqyqimnfA5XEeJN/6KPtC6
-            sAyQAkzdecJCKqVHo/4MC31ICpzQG1KEUAxnfuPWHaGNY8DDaFAo1H5Ici+Wji6S
-            KP9Ti7NqRhiJ+IeImAPObeqBxi+vnAepCuzac/SWoulyIYT/l90bdYmT71x362pw
-            QrDGbeiwulHAWAHA7O9/Baob01vlKH6+oGHl2gT5biabMxUVXYZ4s1KZt6W3znq6
-            2I1L8nKGZCR2R64diOG06i8Yom57c41cdlOio7m4hoZ13Phuwna7mQrqrGyLtGwj
-            2N5NvaijoxNtetCOLkZ9eh2IwvO4f4CvN55RWZVg+Kc5kyhtUlr9dCx+wj/DY4rn
-            SYBfAWJUhFC7RfTLhv3qUn5OQmPxt0xrrW7ijJTBX+bb5FZyiH/SztA9o0OJDnwV
-            icMlKEiPD4Ip5UxSR8ZRj0lvJkbTf/KJ52dzhklIpiweb1nLG8YUAP2MEu73USS7
-            jgaC4PpBTwNsEclQ8E8/Y7sS2uDeyfwntpYsKSQsvLS6HWjpn3ymWX6sVr7N303q
-            CrWH5NfTe9aETbOdGU/DT3g8Ie51YpIId6fYXPp9SNXW1omAFVS1jrxSWCwyrz+w
-            frQ6ZYWEU26C+9eY9uqLTNveJ6YSTnbDvL8pS5qf4o04014WSgYJfr+0MkXO/SbS
-            XgGZk59IZXXZ8gzqD93ZFrDAD40DYUqb6nRN8Dupn4zdYAlMxk/V98vKyJ3W9y9r
-            28qlvoWagN/To2EP40jc6qTYdKVVS73asEadcG6IZV2A9J7htqiGRvTvQN51oQs=
-            =CQiX
+            hQIMA7uy4qQr71wiAQ//QE//P/iZi988famrsHGf8+LohKQM31uj8lr+tlwAp2UC
+            yZGRcxwCskx4zO2xYgq695vz7ZU+xCgQdcBfZW5SHUEuw+6tL0hMShj6McHXeKdC
+            5tA17ejv6tspMyBxs3jyMFp1YqzrIOBt/E9WMSBi66LVmynxfITT14CJUT8hJCzD
+            21/10AeCS9uVUwQLDwqSChtW5JVJ/lKkCfp75/tml53rlVAKJQWuJ2XUW2iIydcU
+            F/Y8yWGCeLiaXxX9as/h1CmUwdkjywHHIFK4YwqudzzQ+oB4z+C0PipJAUibqkpC
+            V+jhIyCpjUDEjzqEOtZH3b9T8TNIpL56ecYOmjF7i+IIMFaBnPzQoIUwP8kGkv0p
+            1HQJaXPYWlchrG/DNwmtyP2wzIdT+N75Lbq/zu6YI7pXkByF2KpsxeMa0pWbnt5+
+            neDrcyttXmd7VkJEWYa+74lPKoza+Q9zdrG0rzSVpB/oYXcJBtvtC3euoxQA8sSa
+            sEnbjnORh9QROwzJ+J+RaIF1JbMOnIqhyeAO6t1ANhJFh+Y+JtAr4am+kCfMdB9k
+            7q5bRUvBtBtwVbJAjW1LiixrmaqhTaKnUmqoMxjUWuqAdvdPOqFNzIYChBVD/avp
+            aWs76Wjipm57GOVmL3qjkBufznyAMaf04BdW/lN+BtPr9dAMr7Cd6ttv+WvVUYvS
+            XgEY4RkuRJqrnKpGlfOpng/O9f0MBRat1by8D9/9T858k34plMEts6G0tE0H8GQt
+            2LwVen6E/6yUCTjpxz+FW5+TMxtBLZppebyNQ5eDrF4a9ZnhtReExpm7gBs9waA=
+            =EW1c
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$

kubernetes/personal/notesnook/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: notesnook
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+secretGenerator:
+  - name: notesnook-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/personal/notesnook/kustomizeconfig.yaml

@@ -0,0 +1,6 @@
+nameReference:
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease

kubernetes/personal/notesnook/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: notesnook

kubernetes/personal/notesnook/release.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: notesnook
+  namespace: notesnook
+spec:
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: notesnook
+        namespace: notesnook
+      chart: notesnook
+      version: '1.0.5'
+      interval: 1m
+  valuesFrom:
+    - kind: Secret
+      name: notesnook-values

kubernetes/personal/notesnook/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: notesnook
+  namespace: notesnook
+spec:
+  interval: 1m
+  url: https://gitlab.ibaraki.app/api/v4/projects/130/packages/helm/stable

kubernetes/personal/notesnook/values.yaml

@@ -0,0 +1,65 @@
+instance:
+    name: vhaudiquet-notesnook
+api:
+    secret: ENC[AES256_GCM,data:C3mpoEG6y6IShpX1+o9eNn8NACaKy8s1xw5tY1/ncBzqaKrK3YiE7K0rl4d6Bq6q,iv:rGWxSmV98ef8Qx1jkVbQEKPkFmGEaCOXXFFZ4I1US7s=,tag:VBDOhPRTRRhFu5cU024Sqg==,type:str]
+    knownProxies: 10.0.0.0/8
+    disableSignups: true
+publicUrls:
+    app: https://app.notesnook.com
+    auth: https://auth-nook.vhaudiquet.fr
+    monograph: https://n.vhaudiquet.fr
+    attachments: http://localhost:9000
+smtp:
+    username: ENC[AES256_GCM,data:C4dTnVaJCwxqTdevLJ+a9eJOWPk=,iv:9iHoQzZjHjmOuaoOWdedPHuv06MqtXZXJhWGiTdzhwE=,tag:xDL+WInm/Ms/LuZi53JuHA==,type:str]
+    password: ENC[AES256_GCM,data:tIkKqwVBy94oqFJH0V8=,iv:cOKiwDhngz6mnZlD+XSfWFg1KZa+UCkhXKBgjK7IdnE=,tag:91d/aUlfeHbJqtRWPmTskQ==,type:str]
+    host: mail.vhaudiquet.fr
+    port: 465
+ingress:
+    enabled: true
+    hosts:
+        identity:
+            - host: auth-nook.vhaudiquet.fr
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+        notesnook:
+            - host: nook.vhaudiquet.fr
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+        sse:
+            - host: sse-nook.vhaudiquet.fr
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+        monograph:
+            - host: n.vhaudiquet.fr
+              paths:
+                - path: /
+                  pathType: ImplementationSpecific
+sops:
+    lastmodified: "2025-12-26T18:18:01Z"
+    mac: ENC[AES256_GCM,data:Xy9P+Ifuz18apN7GoYdehc2bzTjUKMJAT7f8HZNTnvV/wkZEt4EUGJL2WGex12nYQyj6Ut+I9pwFwwX5m0oLO82s1zS2DK3BiaxFa6LFJ2VDUthKt8h9ZTNeT+2P5S5cOvEMvS6tljX8y8/HCUwVMCXGMNCIl8RtWo1Q9CgLjrw=,iv:6MdJwJh3xVrXX6sKCQMAEIpdOD8E0V6+305xcaQnnMI=,tag:5JE9M09u6ukPoQBzT9g0sA==,type:str]
+    pgp:
+        - created_at: "2025-12-26T18:18:01Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiAQ/+KZ6WDFaDTZVt6n+pu1hwxhNC9ShCSSLkiHlZjtX9DW8O
+            eizwH6GAG8LQeKYr61aXXVwxsqDdM9gx/i0ynDO4fflqEQniEjlFzBeVhsqOf3CX
+            rL5WImv0LSe9KjFNAZvfBhtUVENfN/Tu6RGagNb98ChOoH10MvmrzQ5t754AKPVM
+            hB2f5kmOn0evFQQftYyXkQqzLvhlqdGGfBnCutXDoLz67RQwB37npzXx/c+GtlOX
+            Msmp4wiYqlX9v97vjLHUX/ZeBtzm38DzUw+OTcnDPbsdZpeUMqYnpkIl8GIgSd2D
+            2jZUJU4wYyOCYCnfw0+zXu3O5/1bzZ9fdc5FH6A+OlJUFbMLPXx7n9uhVOztxQ1g
+            5ajZKkszSWk58IvaTueDL2QjxhJLop1y4JITgzOhiSPserXrizGn765bVEAtY8kR
+            zgULAG5f41zeoJzzdMyuCFUlIJec4DFigbe7fRul4sJEjeeHtDdyINWuUXCnS4ZX
+            e8/ZZ0+z98IMm7Lstb75rUezTUdlIxfJ+EtAX3L1Bdb4yJZ3i3E1VTQKWxaZWrcc
+            zF5nOIZsHgD22Um8fA4mDlhX5/ygiKMHxZe2pdwps4F7H0rRzVLlM5n4g+71WeMe
+            0eT4atgKPICzMNkyRJ/KWrtk4c6Kq7sSqpQKlcFsRLMga1ZBt0LQwFW+G7PU30vS
+            XAFljxtoFrbdc8Yl37cQh9XCBqXMqUXSNd9t1hsgv+Vsrmv6ntPVStep8Fod/n16
+            nCACAKTOe//z0OmwUXxdUCIqT/N+XEA8tOrHS+HsbB5MCfnexLDul/yUfviZ
+            =yK0X
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2

kubernetes/production/umami/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: umami
+resources:
+  - namespace.yaml
+  - repository.yaml
+  - release.yaml
+secretGenerator:
+  - name: umami-values
+    files:
+      - values.yaml=values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/production/umami/kustomizeconfig.yaml

@@ -0,0 +1,6 @@
+nameReference:
+- kind: Secret
+  version: v1
+  fieldSpecs:
+  - path: spec/valuesFrom/name
+    kind: HelmRelease

kubernetes/production/umami/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: umami

kubernetes/production/umami/release.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: umami
+  namespace: umami
+spec:
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: umami
+        namespace: umami
+      chart: umami
+      version: '7.1.0'
+      interval: 1m
+  valuesFrom:
+    - kind: Secret
+      name: umami-values

kubernetes/production/umami/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: umami
+  namespace: umami
+spec:
+  interval: 1m
+  url: https://charts.christianhuth.de

kubernetes/production/umami/values.yaml

@@ -0,0 +1,33 @@
+ingress:
+    enabled: true
+    hosts:
+        - host: umami.vhaudiquet.fr
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+sops:
+    lastmodified: "2025-12-29T18:15:28Z"
+    mac: ENC[AES256_GCM,data:npCm/Cwhn5wCsf5qIu2rcwVP+OFe8Ph1qRHQriVANMTC9dioFPuS5IMU1RRnJPNt9y0nE5hSscg5LrfGBB5qCPUbqj3Ca9/Iv3raZLYR6SUcAaitFlxhdcFSEXOhLa+PW6yW5RZjjD9uD0IEuOje3+oa+05kIm3HqdL5Qszarns=,iv:LlywSpl9l1iEa9f1KatvLJSGU/jZWvUbK1HI9uRpZT4=,tag:I3L6JD3GeLNlrR8e5Gz3JA==,type:str]
+    pgp:
+        - created_at: "2025-12-29T18:15:28Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7uy4qQr71wiAQ//S5Ormwo6DS8bywMVa3JJLuBbkD1aIvuxItPHzdJFte24
+            1b3xRi/byR3i5pgOg55/VPNfscxZranA0GGayYALAepTpdKwYHkrfeZF4RNZHlwe
+            C/7eQoljncOyGUw4txEcD0gfMkQ9aNYYnSs0GwWYylpc/dxaogzwsmsZOGNVK0Rc
+            oeOFonEABIFs/dW+pGTAyUnexJPZO9cWQyt22dEDzRRiifPOJGcSE9+2RICS5p4A
+            75riaa9jC/ANrDi3d/fTYFffAStggChNUtDQMzSKP/itpqK4rs+xWRcsF/U4LLZM
+            xgDPHzJsw4apZiDT+p4dH43DWmEATPcUH/UftG420cHOJdeU7rMuabVbxRXJeXA2
+            1idQiODRW4pEUNEqPMTtjrmxl+SVvCx2TlJ31idiJL9rM0DXfzEF0dacnTjV4LuW
+            2oo9CiU5n+Vh6PRKPYkBXxc0GF6Vcs9/SZj47X8RQcxxqP9BoEZs4JclIS6OGiY7
+            K8dw/xDmpHhLgQ1JCHEWAVuKDNH+KcnMm0mzmCHetI5yMXDVQpxuTkquhUptV3VA
+            XL5+girkZ5W1XMuQiKYcKzS/r3UOHieKBRLw+MhuN+MRLOLr9FRQ+YbEGQ5Mi57R
+            Qcp+nycwU+59rFRjpJaKauRDNZx3P9GnpTJBL9L/4/uibYtyyWEmMNWQcDtyhPnS
+            XAG3SEsYE0547TKm/fP7q9rnAOfKwV4NwBBzGblAUJa/HIFjsT7uGicRdTexrvkK
+            pbIqbyBn0qr8Y1ipaqEimfyc6OT5JDT8239SYnOwG4QPz4DV5vibjG24kykf
+            =GDKV
+            -----END PGP MESSAGE-----
+          fp: DC6910268E657FF70BA7EC289974494E76938DDC
+    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
+    version: 3.10.2