🔄 synced file(s) with geekifier/xenu-ng

Author: geekifier

.mise.toml

@@ -18,14 +18,14 @@ uv = "latest"
 k9s = "latest"
 helm-diff = "latest"
 "aqua:cilium/cilium-cli" = "0.18.8"
-"aqua:cli/cli" = "2.83.0"
+"aqua:cli/cli" = "2.83.1"
 "aqua:cloudflare/cloudflared" = "2025.11.1"
 "aqua:cue-lang/cue" = "0.15.0"
 "aqua:FiloSottile/age" = "1.2.1"
 "aqua:fluxcd/flux2" = "2.7.3"
 "aqua:getsops/sops" = "3.11.0"
-"aqua:go-task/task" = "3.45.4"
-"aqua:helm/helm" = "3.19.0"
+"aqua:go-task/task" = "3.45.5"
+"aqua:helm/helm" = "3.19.2"
 "aqua:helmfile/helmfile" = "1.1.9"
 "aqua:jqlang/jq" = "1.8.1"
 "aqua:kubernetes-sigs/kustomize" = "5.7.1"

kubernetes/apps/db/cloudnative-pg/cluster/pg16-monolith.yaml

@@ -5,13 +5,14 @@ kind: Cluster
 metadata:
   name: &clusterName postgres16
 spec:
-  instances: 2
-  imageName: ghcr.io/cloudnative-pg/postgresql:16.8
+  instances: 1
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.6
   primaryUpdateStrategy: unsupervised
   primaryUpdateMethod: switchover
   storage:
     size: 20Gi
-    storageClass: longhorn-cluster
+    storageClass: longhorn-cluster-best-effort
+    resizeInUseVolumes: false
   enableSuperuserAccess: true
   postgresql:
     parameters:
@@ -55,30 +56,6 @@ spec:
         secretAccessKey:
           name: cloudnative-pg-garage-secret
           key: CNPG_S3_SECRET_ACCESS_KEY
-
-  # Note: previousCluster needs to be set to the name of the previous
-  # cluster when recovering from an existing cnpg cluster
-  bootstrap:
-    initdb:
-      import:
-        schemaOnly: true
-        type: monolith
-        databases: ["*"]
-        roles: ["*"]
-        source:
-          externalCluster: &sourceCluster vacuum2
-  # Note: externalClusters is needed when recovering from an existing cnpg cluster
-  externalClusters:
-    - name: *sourceCluster
-      connectionParameters:
-        host: vacuum2.${SECRET_DOMAIN_INT}
-        user: postgres
-        dbname: postgres
-        port: "5432"
-        sslmode: prefer
-      password:
-        key: password
-        name: pgsql-vacuum-postgres
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/postgresql.cnpg.io/scheduledbackup_v1.json
 apiVersion: postgresql.cnpg.io/v1

kubernetes/apps/db/cloudnative-pg/cluster/pg17-monolith.yaml

@@ -0,0 +1,91 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/postgresql.cnpg.io/cluster_v1.json
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: &clusterName postgres17
+spec:
+  instances: 2
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.6
+  primaryUpdateStrategy: unsupervised
+  primaryUpdateMethod: switchover
+  storage:
+    size: 20Gi
+    storageClass: longhorn-cluster-best-effort
+    resizeInUseVolumes: false
+  enableSuperuserAccess: true
+  postgresql:
+    parameters:
+      max_connections: "300"
+      shared_buffers: "128MB"
+      pg_stat_statements.max: "10000"
+      pg_stat_statements.track: all
+  nodeMaintenanceWindow:
+    inProgress: false
+    # prevent node drain issues with Longhorn strict-local volumes
+    reusePVC: false
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      memory: 2Gi
+  monitoring:
+    enablePodMonitor: true
+
+  backup:
+    retentionPolicy: 30d
+    barmanObjectStore: &barmanObjectStore
+      data:
+        compression: bzip2
+      wal:
+        compression: bzip2
+        maxParallel: 1
+      destinationPath: s3://cloudnative-pg/
+      endpointURL: "http://blackhole2.${SECRET_DOMAIN_INT}:3900"
+      # Note: serverName version needs to be incremented
+      # when recovering from an existing cnpg cluster
+      serverName: postgres17-02
+      s3Credentials:
+        region:
+          name: cloudnative-pg-garage-secret
+          key: CNPG_S3_REGION
+        accessKeyId:
+          name: cloudnative-pg-garage-secret
+          key: CNPG_S3_ACCESS_KEY_ID
+        secretAccessKey:
+          name: cloudnative-pg-garage-secret
+          key: CNPG_S3_SECRET_ACCESS_KEY
+
+  bootstrap:
+    initdb:
+      import:
+        type: monolith
+        databases: ["*"]
+        roles: ["*"]
+        source:
+          externalCluster: postgres16-source
+
+  externalClusters:
+    - name: postgres16-source
+      connectionParameters:
+        host: postgres16-rw.db.svc.cluster.local
+        user: postgres
+        dbname: postgres
+        port: "5432"
+      password:
+        name: postgres16-superuser
+        key: password
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/postgresql.cnpg.io/scheduledbackup_v1.json
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: postgres17-daily
+  namespace: db
+spec:
+  schedule: "@daily"
+  immediate: true
+  backupOwnerReference: self
+  cluster:
+    name: postgres17

kubernetes/apps/db/cloudnative-pg/db/teslamate.yaml

@@ -34,6 +34,8 @@ spec:
     DATABASE_USER: "{{.Role}}"
     DATABASE_PASS: "{{.Password}}"
     DATABASE_NAME: "{{.Database}}"
+    # We need to set this manually because the value forced by the operator overwrited Teslamate's app port
+    PORT: "4000"
 ---
 apiVersion: db.movetokube.com/v1alpha1
 kind: PostgresUser

kubernetes/apps/db/cloudnative-pg/operator/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - ./helmrelease.yaml
   - ./garage.secret.sops.yaml
   - ../cluster/pg16-monolith.yaml
+  - ../cluster/pg17-monolith.yaml
 # configMapGenerator:
 #   - name: vm-kube-state-metrics-cm
 #     files:

kubernetes/apps/db/ext-postgres-operator/app/helmrelease.yaml

@@ -26,7 +26,7 @@ spec:
     keepHistory: false
   valuesFrom:
     - kind: Secret
-      name: &pgSecretName postgres16-superuser
+      name: &pgSecretName postgres17-superuser
       valuesKey: username
       targetPath: postgres.user
     - kind: Secret

kubernetes/apps/default/miniflux/app/secret.sops.yaml

@@ -3,7 +3,7 @@ kind: Secret
 metadata:
     name: miniflux-secret
 stringData:
-    DATABASE_URL: ENC[AES256_GCM,data:FvEGzbTVNqeuGg/LyeBtDP1fQ91Xlx5duUxHZIeFIZ6gV3zf0Jwcq6rEh4Rah/GvceGvQ83GHeXUTPAVy7aSmCnH+0boOmWnhMum583jMkd1DCsT70c5rXr+JtV3eRr3vOBO5l51095eIn3XXcRwtJ34bIse6hHbWWwgUi/DZRiegACkNURNGMk=,iv:sZjoRVvffSkdNGAgfzr8VZuizOW0gj7qNUbMf5aa+ZM=,tag:ODDYOyggcbTSadlIRLgoEg==,type:str]
+    DATABASE_URL: ENC[AES256_GCM,data:94GVTlNHEUYkCJEIjUWVlg4dKK01xwuRnIYTKcAtWn/wvtRqSa1x0rUbRI8l30HdECLRbpkwqNnIJY5Qs5hLMsGP5weB8HnWfElxOK4YGZzhwuecmkJ5bN8cNvfve5fRLtWZtGcfXXuz30qQxYruk5i8zw/P8WP6mWB0K7+jX+Q9usDkOLdTJYg=,iv:YVnzbG+tx7Mr9Mi2GdT09T4jEC5TU2VjhDBGwFaKV2s=,tag:F4+pChoUdTdQ23j+/PqLfA==,type:str]
     ADMIN_USERNAME: ENC[AES256_GCM,data:GscFoe0=,iv:JWQvtp6mP3EOlrlERdsiMrLDNGo63f06yD83iv6nqNs=,tag:AtH3d7okwe7IbSPu7QsoYQ==,type:str]
     ADMIN_PASSWORD: ENC[AES256_GCM,data:6bwjatwbw246QNiaLCLMP/ERutih2c6KWuci0S/LNic=,iv:xrJx/81fC8Op8wob0pER2BAStGXI2qanKaf9Sh4GdCQ=,tag:JMiGUryozxCcn3eEz6NrYw==,type:str]
 sops:
@@ -17,8 +17,8 @@ sops:
             RDd2U0drbEdBSlUzM2tqNllwdFV1bUUKpHodzy+B3c17l6MXv4yCxMwVyOeZS0qU
             UFNWn45CooTgqw8LQWrntXaGLfupe2caifsRa4py0JyTufgYZHZGig==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-18T12:52:23Z"
-    mac: ENC[AES256_GCM,data:CqHQBm6Zm0ievdzhen59Z6JvV8OrfiQD9Cq0muBVp81SGpgRxpPHLlVMlnLGLeNttDIUf+MCakMrutsvB9d6K3Fu5PKd1/A+JMaCaHaTmA8HQkPh9hp68i31wOd2RA9DDgz1XM50lHv7mr06jYhvzh65o0lPnV6g68jJPp2+NtQ=,iv:RHyTUSZAhCiFzRuEkZioYJmUE+9fs/Dq70CPqGEjpxQ=,tag:xz5Qf9ppU2rlFfWcPEREzQ==,type:str]
+    lastmodified: "2025-11-11T20:34:35Z"
+    mac: ENC[AES256_GCM,data:rLwLvvMYwJoQggpz+6ZmdDeW+4dBvs2C80GGYKQoxDtb8Smn0RmoNesG8PIMV94NbYbjPGBvG/Yayh1sf+2GaT7lMdFZWl5+VqRDCDj7/T4uauHPtn9R5yF/2uOb46xeVjW5eko5m6+r6UklXecWRPHU5zzvSOnq+EAN2v6Rj1Q=,iv:xPKMH/9eYpx3x43J9/t1EPQaGbTyJfetpIAYXOP1/Kg=,tag:4Q/oFECH4EvVv/V39tr9PQ==,type:str]
     encrypted_regex: ^(data|stringData)$
     mac_only_encrypted: true
-    version: 3.10.1
+    version: 3.11.0

kubernetes/apps/default/spoolman/app/secret.sops.yaml

@@ -3,7 +3,7 @@ kind: Secret
 metadata:
     name: spoolman-secret
 stringData:
-    SPOOLMAN_DB_HOST: ENC[AES256_GCM,data:cTDkHd4cbKZTHZgElwUdQIQeWe2Sl3q/RGJkhX8G2DZ5GA==,iv:Sna0inSs426J3kIarBlxSJrYUMCd05jeNNU4A9h0ZvA=,tag:cU9Q7F301ztr04BiZ7eoEg==,type:str]
+    SPOOLMAN_DB_HOST: ENC[AES256_GCM,data:ibyuoZbnYbCLVWSXKWMrEdpuIVbn32D770/5wJsjMxF4Ew==,iv:33+79KOw9Wq36UVdDM4EACWI7TtW9tnr373Bc8K7dSQ=,tag:O5IeA8ybG9l86OVxrcB7Og==,type:str]
     SPOOLMAN_DB_PORT: ENC[AES256_GCM,data:Ag5Lyw==,iv:5j72OaI6BghJxbYJmllDhufP2rKnWFN2e175yNB7FIE=,tag:C4RnHF5w3PGRk/ql5Znnhg==,type:str]
     SPOOLMAN_DB_TYPE: ENC[AES256_GCM,data:kJD0hPuJqA0=,iv:WalatG+dvBPD929Ja1svvCYxygNxOLzsztziynCjDag=,tag:1+dMJWlC9MaC2s2qoM6yjA==,type:str]
     SPOOLMAN_DB_NAME: ENC[AES256_GCM,data:B7hisDGmca8=,iv:zo4cOylF7RLg54ktYUUoFqCWS4VzKoDXUOL+AracKyM=,tag:u4xjoPzoFS/a0l8KKUglIw==,type:str]
@@ -21,8 +21,8 @@ sops:
             eDRSUm9XRkRJMkZ6T2llS3dYY3Jid2cKIfzmEgv02gSnJerAx0iB4+i0s4Hb5sfX
             NDngSVouDeaxEltj0jtnEIpIgdkqTw0dnkHUR/yf/LtfWMn8x9F1FA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-19T00:04:58Z"
-    mac: ENC[AES256_GCM,data:X5cK7EB/IIUf5AtWGEF5c3JxIMXBM6lrR0hrK1v/gLFHWzyq7J+a+Ty2+0mbSmJb8nvUthJT25Jn7B3hqVj1CvwrxnfSthET8FW/ka6nihANdPfJufDH644lF8oLjHoZUvlttxuyZRB8/5jCb75LbBHVgd1becQjIdwhwj94DGQ=,iv:KpLwdiTz298LhiQ2dERYhGPNzBpmRT4RnX5qZcm4Sxk=,tag:7Lm6U4/XP17q9x2YNEuqqA==,type:str]
+    lastmodified: "2025-11-11T20:31:46Z"
+    mac: ENC[AES256_GCM,data:rsEEBnH8/txYR3+wjj4cKYooBfpdwO79pt2upFwirjjnsa+qYEar1ROfhzyDfqSOFWFsrUTvt/DW8P1GuNvyRt2gySdQSuxfGEvImZaHkhcmxBn5eNoA7pDL2NMB4ZpZ/SRzyT+1OaMldqSgmUIfgeJMTG+qZXnNqsXpqUQvt/M=,iv:e/1zIGFDepy/vWhhfo5RwSBSRIbz8mAXFleaNgJBMvE=,tag:48gvhjE3b0gbj/EquKFCNw==,type:str]
     encrypted_regex: ^(data|stringData)$
     mac_only_encrypted: true
-    version: 3.10.1
+    version: 3.11.0

kubernetes/apps/longhorn-system/install/resources/storageclasses.yaml

@@ -48,6 +48,21 @@ parameters:
 ---
 kind: StorageClass
 apiVersion: storage.k8s.io/v1
+metadata:
+  name: longhorn-cluster-best-effort
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer
+parameters:
+  numberOfReplicas: "1"
+  fromBackup: ""
+  fsType: "ext4"
+  dataLocality: "best-effort"
+  dataEngine: "v1"
+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
 metadata:
   name: longhorn-yolo
 provisioner: driver.longhorn.io

kubernetes/apps/observability/gatus/app/helmrelease.yaml

@@ -28,7 +28,7 @@ spec:
           init-config:
             image:
               repository: ghcr.io/home-operations/k8s-sidecar
-              tag: 1.30.11@sha256:d8a53f834b0fe70030df75f3f956d1c5e56fbb067b09803708b2bc26e26cfc12
+              tag: 2.1.2@sha256:d9e169add4e71fd5931a24e11696853f3d804ebc2022cd81f038e7ef22f4d626
             env:
               FOLDER: &GATUS_CONFIG /config
               LABEL: gatus.io/enabled
@@ -41,7 +41,7 @@ spec:
               requests:
                 cpu: 10m
               limits:
-                memory: 128Mi
+                memory: 256Mi
         containers:
           # app:
           #   image: