🔄 synced file(s) with geekifier/xenu-ng (#19)

Co-authored-by: geekifier <null>

Author: geekifier

.mise.toml

@@ -13,25 +13,25 @@ TALOS_DIR = "{{config_root}}/talos"
 python = "3.13"
 "pipx:makejinja" = "2.8.0"
 "pipx:flux-local" = "7.5.6"
-talhelper = "3.0.29"
+talhelper = "3.0.30"
 uv = "latest"
 k9s = "latest"
 helm-diff = "latest"
-"aqua:cilium/cilium-cli" = "0.18.4"
-"aqua:cli/cli" = "2.74.2"
-"aqua:cloudflare/cloudflared" = "2025.6.1"
-"aqua:cue-lang/cue" = "0.13.1"
+"aqua:cilium/cilium-cli" = "0.18.5"
+"aqua:cli/cli" = "2.75.0"
+"aqua:cloudflare/cloudflared" = "2025.7.0"
+"aqua:cue-lang/cue" = "0.13.2"
 "aqua:FiloSottile/age" = "1.2.1"
-"aqua:fluxcd/flux2" = "2.6.2"
+"aqua:fluxcd/flux2" = "2.6.4"
 "aqua:getsops/sops" = "3.10.2"
 "aqua:go-task/task" = "3.44.0"
-"aqua:helm/helm" = "3.18.3"
-"aqua:helmfile/helmfile" = "1.1.2"
+"aqua:helm/helm" = "3.18.4"
+"aqua:helmfile/helmfile" = "1.1.3"
 "aqua:jqlang/jq" = "1.7.1"
 "aqua:kubernetes-sigs/kustomize" = "5.6.0"
 "aqua:kubernetes/kubectl" = "1.32.2"
-"aqua:mikefarah/yq" = "4.45.4"
-"aqua:siderolabs/talos" = "1.10.4"
+"aqua:mikefarah/yq" = "4.46.1"
+"aqua:siderolabs/talos" = "1.10.5"
 "aqua:yannh/kubeconform" = "0.7.0"
 "go:github.com/VictoriaMetrics-Community/mcp-victoriametrics/cmd/mcp-victoriametrics" = { version = "latest" }
 "go:github.com/backube/volsync/kubectl-volsync" = { version = "latest" }

bootstrap/helmfile.yaml

@@ -31,7 +31,7 @@ releases:
     namespace: kube-system
     atomic: true
     chart: cilium/cilium
-    version: 1.17.5
+    version: 1.17.6
     values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/kube-system/cilium/app/helm/values.yaml']
 
   - name: coredns
@@ -54,22 +54,22 @@ releases:
     namespace: cert-manager
     atomic: true
     chart: jetstack/cert-manager
-    version: v1.18.1
+    version: v1.18.2
     values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml']
     needs: ['kube-system/spegel']
 
   - name: flux-operator
     namespace: flux-system
     atomic: true
     chart: controlplaneio/flux-operator
-    version: 0.23.0
+    version: 0.24.1
     values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/flux-system/flux-operator/app/helm/values.yaml']
     needs: ['cert-manager/cert-manager']
 
   - name: flux-instance
     namespace: flux-system
     atomic: true
     chart: controlplaneio/flux-instance
-    version: 0.23.0
+    version: 0.24.1
     values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml']
     needs: ['flux-system/flux-operator']

kubernetes/apps/auth/authelia/app/helmrelease.yaml

@@ -37,7 +37,7 @@ spec:
           app:
             image:
               repository: ghcr.io/authelia/authelia
-              tag: 4.39.4@sha256:64b356c30fd817817a4baafb4dbc0f9f8702e46b49e1edb92ff42e19e487b517
+              tag: 4.39.5@sha256:023e02e5203dfa0ebaee7a48b5bae34f393d1f9cada4a9df7fbf87eb1759c671
             env:
               AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
               X_AUTHELIA_CONFIG_FILTERS: template

kubernetes/apps/default/homepage/app/config/services.yaml

@@ -1,7 +1,7 @@
 - Home:
     - BlueIris:
         icon: blue-iris.png
-        href: http://bi.${SECRET_DOMAIN_INT}
+        href: http://blueiris.${SECRET_DOMAIN_INT}
         description: Cameras
 - Games:
     - Minecraft Maps:

kubernetes/apps/default/homepage/app/helmrelease.yaml

@@ -44,7 +44,7 @@ spec:
           app:
             image:
               repository: ghcr.io/gethomepage/homepage
-              tag: v1.3.2@sha256:4f923bf0e9391b3a8bc5527e539b022e92dcc8a3a13e6ab66122ea9ed030e196
+              tag: v1.4.0@sha256:63434aafeb3d49be1f21ebd3c5d777fe5b7794c31342daad4e96f09b72a57188
             env:
               TZ: ${CLUSTER_TZ}
               HOMEPAGE_ALLOWED_HOSTS: *host

kubernetes/apps/default/miniflux/app/helmrelease.yaml

@@ -28,7 +28,7 @@ spec:
           app:
             image:
               repository: ghcr.io/miniflux/miniflux
-              tag: 2.2.9
+              tag: 2.2.10
             envFrom:
               - secretRef:
                   name: miniflux-secret
@@ -77,6 +77,10 @@ spec:
     ingress:
       app:
         annotations:
+          nginx.ingress.kubernetes.io/auth-method: "GET"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.auth.svc.cluster.local:9091/api/authz/auth-request"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth-k8s.${SECRET_DOMAIN_INT}?rm=$request_method"
+          nginx.ingress.kubernetes.io/auth-response-headers: "Remote-User,Remote-Name,Remote-Groups,Remote-Email"
           gethomepage.dev/enabled: "true"
           gethomepage.dev/group: Media
           gethomepage.dev/description: RSS Reader

kubernetes/apps/default/miniflux/app/values.yaml

@@ -9,3 +9,7 @@ controllers:
             value: 1
           - name: BASE_URL
             value: https://rss.${SECRET_DOMAIN_INT}
+          - name: AUTH_PROXY_HEADER
+            value: Remote-User
+          - name: AUTH_PROXY_USER_CREATION
+            value: 1

kubernetes/apps/default/navidrome/app/helmrelease.yaml

@@ -28,12 +28,12 @@ spec:
         replicas: 1
         strategy: Recreate
         annotations:
-          # reloader.stakater.com/auto: "true"
+          reloader.stakater.com/auto: "true"
         containers:
           app:
             image:
               repository: deluan/navidrome
-              tag: "0.56.1"
+              tag: "0.57.0"
             env:
               TZ: ${CLUSTER_TZ}
               ND_LOGLEVEL: info
@@ -44,6 +44,9 @@ spec:
               ND_MUSICFOLDER: /public/Media/Music
               ND_IMAGECACHESIZE: "500MB"
               ND_SCANNER_SCHEDULE: "@every 4h"
+            envFrom:
+              - secretRef:
+                  name: navidrome-secret
             probes:
               liveness: &probes
                 enabled: true

kubernetes/apps/default/navidrome/app/kustomization.yaml

@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
+  - ./secret.sops.yaml

kubernetes/apps/default/navidrome/app/secret.sops.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: navidrome-secret
+stringData:
+    ND_LASTFM_APIKEY: ENC[AES256_GCM,data:F/H1UKq1SAF3v133nxuD0+foIiBRac6M6T33jIhNLJI=,iv:pO5D7lZZXF2r8sZN9AtZnpZNZeV0Vjbpxe3W8Orpmyw=,tag:HUPz5gTzPvJnGiXaEScYpA==,type:str]
+    ND_LASTFM_SECRET: ENC[AES256_GCM,data:B+Wq9BJLqaQnu+sd/qYXOiyyW36+4If+ppd+fX8n4JE=,iv:YFAY2XjYFr2NHN6WYLgGmaJexVuPGmYw7hcCcVYDfvU=,tag:20lPy/PFjgMECP5IR0ul/g==,type:str]
+sops:
+    age:
+        - recipient: age1a68j5zasa55y39u5ecus7g4dzl3rqp0u6h6jwpuw3743cdf9dd4sykfhr4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxOEtvWkp0RklibUpsS0d0
+            V0Z1QWV6SXN0eklxYWhnMTdlZXRQRzBnRVNnCnFIcTEzc3g2QkxmYTYyNkt5VkM1
+            UzZlZDMycHVoNEQxMHRQV2VwbmF5Z0UKLS0tIHpjeVJEQUNjKytlR1JRb2J1YXA0
+            UWtSUmVQRUYya3I1bzVwMThnM3R3NEUKK42Yi71h3S04afyynSjHR1+tXeyd++c4
+            YJlkogj/ftT9bmvZLP9U6wOteZ2hyAIxGKTXLQJsWF5EX45wa3CL6w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-07T01:17:34Z"
+    mac: ENC[AES256_GCM,data:72qHR516HZWVpm1GMCwl4Fag+OMmxd5QjZt1OhHaG6256pb+YYxOhxBqB4xfqzGG0YnEbt4CpfogjMaDjdf+HJH30n132xsxXAeYqBxHtaGAK44Y9uNhlB7Mt++6srTtdd9ypUWdiuV/7hYbceqm02eO368ybsnOXECgnPeDaus=,iv:DY4Fep4FgRhdG1WfAdJGEWQpBlF2wpl7g2ioTidGmpU=,tag:6atDpbmWMJTquar37K9UiQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    mac_only_encrypted: true
+    version: 3.10.2