🔄 synced file(s) with geekifier/xenu-ng

.mise.toml

@@ -13,25 +13,25 @@ TALOS_DIR = "{{config_root}}/talos"
 python = "3.13"
 "pipx:makejinja" = "2.8.0"
 "pipx:flux-local" = "7.5.6"
-talhelper = "3.0.29"
+talhelper = "3.0.30"
 uv = "latest"
 k9s = "latest"
 helm-diff = "latest"
-"aqua:cilium/cilium-cli" = "0.18.4"
-"aqua:cli/cli" = "2.74.2"
-"aqua:cloudflare/cloudflared" = "2025.6.1"
-"aqua:cue-lang/cue" = "0.13.1"
+"aqua:cilium/cilium-cli" = "0.18.5"
+"aqua:cli/cli" = "2.75.0"
+"aqua:cloudflare/cloudflared" = "2025.7.0"
+"aqua:cue-lang/cue" = "0.13.2"
 "aqua:FiloSottile/age" = "1.2.1"
-"aqua:fluxcd/flux2" = "2.6.2"
+"aqua:fluxcd/flux2" = "2.6.4"
 "aqua:getsops/sops" = "3.10.2"
 "aqua:go-task/task" = "3.44.0"
-"aqua:helm/helm" = "3.18.3"
-"aqua:helmfile/helmfile" = "1.1.2"
+"aqua:helm/helm" = "3.18.4"
+"aqua:helmfile/helmfile" = "1.1.3"
 "aqua:jqlang/jq" = "1.7.1"
 "aqua:kubernetes-sigs/kustomize" = "5.6.0"
 "aqua:kubernetes/kubectl" = "1.32.2"
-"aqua:mikefarah/yq" = "4.45.4"
-"aqua:siderolabs/talos" = "1.10.4"
+"aqua:mikefarah/yq" = "4.46.1"
+"aqua:siderolabs/talos" = "1.10.5"
 "aqua:yannh/kubeconform" = "0.7.0"
 "go:github.com/VictoriaMetrics-Community/mcp-victoriametrics/cmd/mcp-victoriametrics" = { version = "latest" }
 "go:github.com/backube/volsync/kubectl-volsync" = { version = "latest" }

bootstrap/helmfile.yaml

@@ -31,7 +31,7 @@ releases:
     namespace: kube-system
     atomic: true
     chart: cilium/cilium
-    version: 1.17.5
+    version: 1.17.6
     values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/kube-system/cilium/app/helm/values.yaml']
 
   - name: coredns
@@ -54,22 +54,22 @@ releases:
     namespace: cert-manager
     atomic: true
     chart: jetstack/cert-manager
-    version: v1.18.1
+    version: v1.18.2
     values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml']
     needs: ['kube-system/spegel']
 
   - name: flux-operator
     namespace: flux-system
     atomic: true
     chart: controlplaneio/flux-operator
-    version: 0.23.0
+    version: 0.24.1
     values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/flux-system/flux-operator/app/helm/values.yaml']
     needs: ['cert-manager/cert-manager']
 
   - name: flux-instance
     namespace: flux-system
     atomic: true
     chart: controlplaneio/flux-instance
-    version: 0.23.0
+    version: 0.24.1
     values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml']
     needs: ['flux-system/flux-operator']

kubernetes/apps/auth/authelia/app/helmrelease.yaml

@@ -37,7 +37,7 @@ spec:
           app:
             image:
               repository: ghcr.io/authelia/authelia
-              tag: 4.39.4@sha256:64b356c30fd817817a4baafb4dbc0f9f8702e46b49e1edb92ff42e19e487b517
+              tag: 4.39.5@sha256:023e02e5203dfa0ebaee7a48b5bae34f393d1f9cada4a9df7fbf87eb1759c671
             env:
               AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
               X_AUTHELIA_CONFIG_FILTERS: template

kubernetes/apps/default/homepage/app/config/services.yaml

@@ -1,7 +1,7 @@
 - Home:
     - BlueIris:
         icon: blue-iris.png
-        href: http://bi.${SECRET_DOMAIN_INT}
+        href: http://blueiris.${SECRET_DOMAIN_INT}
         description: Cameras
 - Games:
     - Minecraft Maps:

kubernetes/apps/default/homepage/app/helmrelease.yaml

@@ -44,7 +44,7 @@ spec:
           app:
             image:
               repository: ghcr.io/gethomepage/homepage
-              tag: v1.3.2@sha256:4f923bf0e9391b3a8bc5527e539b022e92dcc8a3a13e6ab66122ea9ed030e196
+              tag: v1.4.0@sha256:63434aafeb3d49be1f21ebd3c5d777fe5b7794c31342daad4e96f09b72a57188
             env:
               TZ: ${CLUSTER_TZ}
               HOMEPAGE_ALLOWED_HOSTS: *host

kubernetes/apps/default/miniflux/app/helmrelease.yaml

@@ -28,7 +28,7 @@ spec:
           app:
             image:
               repository: ghcr.io/miniflux/miniflux
-              tag: 2.2.9
+              tag: 2.2.10
             envFrom:
               - secretRef:
                   name: miniflux-secret
@@ -77,6 +77,10 @@ spec:
     ingress:
       app:
         annotations:
+          nginx.ingress.kubernetes.io/auth-method: "GET"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.auth.svc.cluster.local:9091/api/authz/auth-request"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth-k8s.${SECRET_DOMAIN_INT}?rm=$request_method"
+          nginx.ingress.kubernetes.io/auth-response-headers: "Remote-User,Remote-Name,Remote-Groups,Remote-Email"
           gethomepage.dev/enabled: "true"
           gethomepage.dev/group: Media
           gethomepage.dev/description: RSS Reader

kubernetes/apps/default/miniflux/app/values.yaml

@@ -9,3 +9,7 @@ controllers:
             value: 1
           - name: BASE_URL
             value: https://rss.${SECRET_DOMAIN_INT}
+          - name: AUTH_PROXY_HEADER
+            value: Remote-User
+          - name: AUTH_PROXY_USER_CREATION
+            value: 1

kubernetes/apps/default/navidrome/app/helmrelease.yaml

@@ -28,12 +28,12 @@ spec:
         replicas: 1
         strategy: Recreate
         annotations:
-          # reloader.stakater.com/auto: "true"
+          reloader.stakater.com/auto: "true"
         containers:
           app:
             image:
               repository: deluan/navidrome
-              tag: "0.56.1"
+              tag: "0.57.0"
             env:
               TZ: ${CLUSTER_TZ}
               ND_LOGLEVEL: info
@@ -44,6 +44,9 @@ spec:
               ND_MUSICFOLDER: /public/Media/Music
               ND_IMAGECACHESIZE: "500MB"
               ND_SCANNER_SCHEDULE: "@every 4h"
+            envFrom:
+              - secretRef:
+                  name: navidrome-secret
             probes:
               liveness: &probes
                 enabled: true

kubernetes/apps/default/navidrome/app/kustomization.yaml

@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
+  - ./secret.sops.yaml

kubernetes/apps/default/navidrome/app/secret.sops.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: navidrome-secret
+stringData:
+    ND_LASTFM_APIKEY: ENC[AES256_GCM,data:F/H1UKq1SAF3v133nxuD0+foIiBRac6M6T33jIhNLJI=,iv:pO5D7lZZXF2r8sZN9AtZnpZNZeV0Vjbpxe3W8Orpmyw=,tag:HUPz5gTzPvJnGiXaEScYpA==,type:str]
+    ND_LASTFM_SECRET: ENC[AES256_GCM,data:B+Wq9BJLqaQnu+sd/qYXOiyyW36+4If+ppd+fX8n4JE=,iv:YFAY2XjYFr2NHN6WYLgGmaJexVuPGmYw7hcCcVYDfvU=,tag:20lPy/PFjgMECP5IR0ul/g==,type:str]
+sops:
+    age:
+        - recipient: age1a68j5zasa55y39u5ecus7g4dzl3rqp0u6h6jwpuw3743cdf9dd4sykfhr4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxOEtvWkp0RklibUpsS0d0
+            V0Z1QWV6SXN0eklxYWhnMTdlZXRQRzBnRVNnCnFIcTEzc3g2QkxmYTYyNkt5VkM1
+            UzZlZDMycHVoNEQxMHRQV2VwbmF5Z0UKLS0tIHpjeVJEQUNjKytlR1JRb2J1YXA0
+            UWtSUmVQRUYya3I1bzVwMThnM3R3NEUKK42Yi71h3S04afyynSjHR1+tXeyd++c4
+            YJlkogj/ftT9bmvZLP9U6wOteZ2hyAIxGKTXLQJsWF5EX45wa3CL6w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-07T01:17:34Z"
+    mac: ENC[AES256_GCM,data:72qHR516HZWVpm1GMCwl4Fag+OMmxd5QjZt1OhHaG6256pb+YYxOhxBqB4xfqzGG0YnEbt4CpfogjMaDjdf+HJH30n132xsxXAeYqBxHtaGAK44Y9uNhlB7Mt++6srTtdd9ypUWdiuV/7hYbceqm02eO368ybsnOXECgnPeDaus=,iv:DY4Fep4FgRhdG1WfAdJGEWQpBlF2wpl7g2ioTidGmpU=,tag:6atDpbmWMJTquar37K9UiQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    mac_only_encrypted: true
+    version: 3.10.2

kubernetes/apps/default/prowlarr/app/helmrelease.yaml

@@ -39,7 +39,7 @@ spec:
           app:
             image:
               repository: ghcr.io/home-operations/prowlarr
-              tag: 2.0.0.5094@sha256:5b890c19bf39a1ca3d889d2b8a6f6a9f1bfa2f63ad51d700f64fd2bd11eec089
+              tag: 2.0.1.5101@sha256:e9e0cf64a1ab90ca61688de85bb732d7c3e5142d40a2d9af6172551252cb31c3
             env:
               TZ: ${CLUSTER_TZ}
               PROWLARR__SERVER__PORT: &containerPort 80

kubernetes/apps/default/radarr/app/helmrelease.yaml

@@ -64,7 +64,7 @@ spec:
           app:
             image:
               repository: ghcr.io/home-operations/radarr
-              tag: 5.27.0.10101@sha256:f1a47717f5792d82becbe278c9502d756b898d63b2c637da131172c4adf1ffc7
+              tag: 5.27.1.10122@sha256:e6e4fb8383b9f232a5f7d6d7c1eadd03501685468c382131643ba8aed03098ba
             env:
               TZ: ${CLUSTER_TZ}
               RADARR__SERVER__PORT: &containerPort 80

kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml

@@ -2,7 +2,7 @@
 instance:
   distribution:
     # renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution
-    version: 2.6.2
+    version: 2.6.4
   cluster:
     networkPolicy: false
   components:

kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml

@@ -10,7 +10,7 @@ spec:
     mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
     operation: copy
   ref:
-    tag: 0.23.0
+    tag: 0.24.1
   url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance
   verify:
     provider: cosign

kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml

@@ -10,7 +10,7 @@ spec:
     mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
     operation: copy
   ref:
-    tag: 0.23.0
+    tag: 0.24.1
   url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
   verify:
     provider: cosign

kubernetes/apps/kube-system/cilium/app/helm/values.yaml

@@ -2,29 +2,33 @@
 autoDirectNodeRoutes: true
 bpf:
   masquerade: true
-  # Ref: https://github.com/siderolabs/talos/issues/10002
-  hostLegacyRouting: true
-cni:
-  # Required for pairing with Multus CNI
-  exclusive: false
+  preAllocateMaps: true
+#Enable BPF clock source probing for more efficient tick retrieval.
+bpfClockProbe: true
+bgpControlPlane:
+  enabled: true
 cgroup:
   automount:
     enabled: false
   hostRoot: /sys/fs/cgroup
-# NOTE: devices might need to be set if you have more than one active NIC on your hosts
-# devices: eno+ eth+
+cni:
+  # Required for pairing with Multus CNI
+  exclusive: false
 endpointRoutes:
   enabled: true
 envoy:
   enabled: false
 dashboards:
   enabled: true
+# this requires node/pod bounce
+# https://docs.cilium.io/en/latest/operations/performance/tuning/#ipv4-big-tcp
+# enableIPv4BIGTCP: true
 hubble:
-  enabled: true
-  relay:
-    enabled: true
-  ui:
-    enabled: true
+  enabled: false
+  # relay:
+  #   enabled: true
+  # ui:
+  #   enabled: true
 ipam:
   mode: kubernetes
 ipv4NativeRoutingCIDR: "100.64.0.0/16"
@@ -36,7 +40,8 @@ l2announcements:
   enabled: true
 loadBalancer:
   algorithm: maglev
-  mode: "snat"
+  # try switching to dsr again from snat
+  mode: "dsr"
 localRedirectPolicy: true
 operator:
   dashboards:
@@ -45,7 +50,7 @@ operator:
     enabled: true
     serviceMonitor:
       enabled: true
-  replicas: 1
+  replicas: 2
   rollOutPods: true
 prometheus:
   enabled: true
@@ -74,5 +79,6 @@ securityContext:
       - NET_ADMIN
       - SYS_ADMIN
       - SYS_RESOURCE
-socketLB:
-  hostNamespaceOnly: true
+# no longer needed?
+# socketLB:
+#   hostNamespaceOnly: true

kubernetes/apps/kube-system/cilium/app/helmrelease.yaml

@@ -19,7 +19,7 @@ spec:
   chart:
     spec:
       chart: cilium
-      version: 1.17.5
+      version: 1.17.6
       sourceRef:
         kind: HelmRepository
         name: cilium

kubernetes/apps/kube-system/cilium/app/networks.yaml

@@ -23,3 +23,51 @@ spec:
   nodeSelector:
     matchLabels:
       kubernetes.io/os: linux
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumbgpadvertisement_v2alpha1.json
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPAdvertisement
+metadata:
+  name: l3-bgp-advertisement
+  labels:
+    advertise: bgp
+spec:
+  advertisements:
+    - advertisementType: Service
+      service:
+        addresses: ["LoadBalancerIP"]
+      selector:
+        matchExpressions:
+          - { key: somekey, operator: NotIn, values: ["never-used-value"] }
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumbgppeerconfig_v2alpha1.json
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeerConfig
+metadata:
+  name: l3-bgp-peer-config
+spec:
+  families:
+    - afi: ipv4
+      safi: unicast
+      advertisements:
+        matchLabels:
+          advertise: bgp
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumbgpclusterconfig_v2alpha1.json
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPClusterConfig
+metadata:
+  name: l3-bgp-cluster-config
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/os: linux
+  bgpInstances:
+    - name: cilium
+      localASN: 64514
+      peers:
+        - name: unifi
+          peerASN: 64512
+          peerAddress: 192.168.1.1
+          peerConfigRef:
+            name: l3-bgp-peer-config

kubernetes/apps/kube-system/reloader/app/helmrelease.yaml

@@ -10,7 +10,7 @@ spec:
     mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
     operation: copy
   ref:
-    tag: 2.1.4
+    tag: 2.1.5
   url: oci://ghcr.io/stakater/charts/reloader
 ---
 # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json

kubernetes/apps/minecraft/kustomization.yaml

@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: minecraft
+components:
+  - ../../components/common
+  - ../../components/repos/app-template
+resources:
+  - ./mc-common/ks.yaml
+  - ./mc-deadly/ks.yaml
+  - ./mc-friendly/ks.yaml
+  - ./mc-router/ks.yaml

kubernetes/apps/minecraft/mc-common/configs/common-config.configmap.yaml

@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/configmap.json
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mc-common-config-cm
+data:
+  # /data/plugins/BlueMap/core.conf
+  bluemap_core.conf: |
+    accept-download: true
+    renderThreadCount: -4
+    metrics: true
+    data: "bluemap"
+    scan-for-mod-resources: true