chore: cleanup

.mise.toml

@@ -28,7 +28,7 @@ pipx_uvx = true
 helm = ["3.16.3"]
 "aqua:fluxcd/flux2" = ["2.4.0"]
 "aqua:siderolabs/talos" = ["1.9.1"]
-"aqua:budimanjojo/talhelper" = ["3.0.13"]
+talhelper = ["3.0.16"]
 "aqua:go-task/task" = ["3.39.2"]
 "aqua:cilium/cilium-cli"= ["0.16.21"]
 "aqua:1password/cli" = ["2.24.0"]
@@ -41,7 +41,7 @@ soft-serve = ["0.7.4"]
 "ubi:CrunchyData/postgres-operator-client" = ["0.5.1"]
 # experimental backends, use `mise up` to install because `mise install` is currently broken for these https://github.com/jdx/mise/issues/2458
 python = ["3.11"]
-"aqua:astral-sh/uv" = ["0.4.1"] # faster than pipx, and can be installed with mise directly
+"aqua:astral-sh/uv" = ["0.5.27"] # faster than pipx, and can be installed with mise directly
 "pipx:flux-local" = ["6.0.2", "5.5.1"]
 "pipx:robusta-dev/krr" = ["v1.17.0"]
 "pipx:markitdown" = "latest"

.taskfiles/talos/Taskfile.dist.yaml

@@ -16,7 +16,7 @@ vars:
   C: '{{.C | default "biohazard"}}'
 
 tasks:
-  genconfig:
+  run:
     desc: Decrypt cluster vars from .env to .yaml for talhelper to consume.
     dir: "/{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos"
     vars:
@@ -39,9 +39,9 @@ tasks:
       certs_os_crt: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_os_crt"
       certs_os_key: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_os_key"
     cmds:
-      - pwd
-      - op user get --me # check signin status, fail if not signed in
-      - op --cache=false run -- task --taskfile /{{.ROOT_DIR}}/.taskfiles/bootstrap/Taskfile.dist.yaml 1p-vars-env-run C={{.C}} -- talhelper genconfig
+      - pwd 1>&2
+      - op user get --me 1>&2 # check signin status, fail if not signed in
+      - op --cache=false run -- task --taskfile /{{.ROOT_DIR}}/.taskfiles/bootstrap/Taskfile.dist.yaml 1p-vars-env-run C={{.C}} -- talhelper {{.CLI_ARGS}}
 
   bootstrap:
     aliases: [bs]

README.md

@@ -1,6 +1,6 @@
 # Biohazard - JJ's Homelab Monorepo
 
-**<ins>Glorifying jank that works.</ins>**
+**<ins>Glorifying jank that *works*.</ins>**
 
 Powered by Flux, Kubernetes, Cilium, Talos, and jank. Amongst others.
 

dots/nvim/lazy-lock.json

@@ -12,6 +12,7 @@
   "cmp-nvim-lsp-signature-help": { "branch": "main", "commit": "031e6ba70b0ad5eee49fd2120ff7a2e325b17fa7" },
   "cmp-path": { "branch": "main", "commit": "91ff86cd9c29299a64f968ebb45846c485725f23" },
   "gitsigns.nvim": { "branch": "main", "commit": "5f808b5e4fef30bd8aca1b803b4e555da07fc412" },
+  "go.nvim": { "branch": "master", "commit": "c6d5ca26377d01c4de1f7bff1cd62c8b43baa6bc" },
   "headlines.nvim": { "branch": "master", "commit": "bf17c96a836ea27c0a7a2650ba385a7783ed322e" },
   "himalaya-vim": { "branch": "master", "commit": "0e5d3395441301538c1830366f3212ed55b1d315" },
   "indent-blankline.nvim": { "branch": "master", "commit": "7871a88056f7144defca9c931e311a3134c5d509" },
@@ -19,6 +20,7 @@
   "kubernetes.nvim": { "branch": "main", "commit": "101e63f8f92b2ae9cf6a78560bc2b2321d1264af" },
   "lazy.nvim": { "branch": "main", "commit": "56ead98e05bb37a4ec28930a54d836d033cf00f2" },
   "lsp_signature.nvim": { "branch": "master", "commit": "fc38521ea4d9ec8dbd4c2819ba8126cea743943b" },
+  "marks.nvim": { "branch": "master", "commit": "bb25ae3f65f504379e3d08c8a02560b76eaf91e8" },
   "mason-lspconfig.nvim": { "branch": "main", "commit": "8e46de9241d3997927af12196bd8faa0ed08c29a" },
   "mason.nvim": { "branch": "main", "commit": "e2f7f9044ec30067bc11800a9e266664b88cda22" },
   "nui.nvim": { "branch": "main", "commit": "b58e2bfda5cea347c9d58b7f11cf3012c7b3953f" },
@@ -33,6 +35,7 @@
   "org-bullets.nvim": { "branch": "main", "commit": "46ae687e22192fb806b5977d664ec98af9cf74f6" },
   "orgmode": { "branch": "master", "commit": "1d8c9b9417f8c8e9fb146d4f54fb1e90a4f7e534" },
   "plenary.nvim": { "branch": "master", "commit": "2d9b06177a975543726ce5c73fca176cedbffe9d" },
+  "precognition.nvim": { "branch": "main", "commit": "24f2cc51dccecec4cf3de04bfbd14f5b9e79df0b" },
   "promise-async": { "branch": "main", "commit": "119e8961014c9bfaf1487bf3c2a393d254f337e2" },
   "rainbow-delimiters.nvim": { "branch": "master", "commit": "d803ba7668ba390aa4cfd3580183c982cac36fd8" },
   "schemastore.nvim": { "branch": "main", "commit": "80b0243371163258e6eb3f0932f717b2d732b64e" },

dots/vimrc

@@ -63,6 +63,15 @@ set history=500
 filetype plugin on
 filetype indent on
 autocmd BufNewFile,BufRead *.json5 set filetype=jsonc
+function DetectGoHtmlTmpl()
+    if expand('%:e') == "html" && search("{{") != 0
+        setfiletype gohtmltmpl
+    endif
+endfunction
+augroup filetypedetect
+    " gohtmltmpl
+    au BufRead,BufNewFile *.html call DetectGoHtmlTmpl()
+augroup END
 
 " Set to auto read when a file is changed from the outside
 set autoread
@@ -195,16 +204,20 @@ endif
 
 " Set colorscheme based on availability, from Neovim-only, to Vim custom/plugin, to Vim preinstalled
 try
+  colorscheme catppuccin
+  catch
+  try
     colorscheme tokyonight
     catch
     try
-        colorscheme dracula
+      colorscheme dracula
+      catch
+      try
+        colorscheme slate
         catch
-        try
-            colorscheme slate
-            catch
-        endtry
+      endtry
     endtry
+  endtry
 endtry
 
 set background=dark

kube/deploy/apps/actual/app/hr.yaml

@@ -66,7 +66,9 @@ spec:
             env: *env
             envFrom: *envFrom
             securityContext: *sc
-            command: ["npm", "run", "enable-openid", "--prefix", "/app"]
+            # command: ["npm", "run", "enable-openid", "--prefix", "/app"]
+            command: ["tini", "-g", "--", "/bin/sh", "-c"]
+            args: ["npm run enable-openid --prefix /app || true"]
     service:
       actual:
         controller: actual

kube/deploy/apps/gotosocial/app/hr.yaml

@@ -122,7 +122,7 @@ spec:
             appProtocol: http
     ingress:
       main:
-        className: nginx-internal # public traffic goes direct via cloudflared
+        className: nginx-public
         annotations:
           external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
           external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
@@ -141,6 +141,7 @@ spec:
       tmp:
         type: emptyDir
         medium: Memory
+        sizeLimit: 128Mi
         globalMounts:
           - subPath: tmp
             path: /tmp # ffmpeg WASM stuff

kube/deploy/apps/insurgency-sandstorm/app/hr.yaml

@@ -79,7 +79,7 @@ spec:
                 cpu: "300m"
               limits:
                 cpu: "1"
-                memory: "256Mi"
+                memory: "512Mi"
     service:
       insurgency-sandstorm:
         controller: insurgency-sandstorm
@@ -127,6 +127,7 @@ spec:
         options:
           - name: ndots
             value: "1"
+      # runtimeClassName: gvisor
       hostUsers: false
       securityContext:
         runAsNonRoot: true

kube/deploy/apps/insurgency-sandstorm/app/netpol.yaml

@@ -11,3 +11,4 @@ spec:
     - toFQDNs:
         - matchPattern: "*.mod.io"
         - matchPattern: "*.modapi.io"
+        - matchPattern: "*.modcdn.io"

kube/deploy/apps/radicale/app/es.yaml

@@ -29,15 +29,7 @@ spec:
           stock = utf-8
           [auth]
           type = http_x_remote_user
-          #type = radicale_auth_ldap
-          #realm = Radicale - Password Required
-          #ldap_url = ldaps://{{ .LDAP_SERVER }}:636
-          #ldap_base = {{ .LDAP_BASE }}
-          #ldap_attribute = cn
-          #ldap_filter = {{ .LDAP_FILTER }}
-          #ldap_binddn = {{ .LDAP_BINDDN }}
-          #ldap_password = {{ .LDAP_PASSWORD }}
-          #ldap_scope = SUBTREE
+          realm = Radicale - Password Required
           [rights]
           type = owner_only
           [storage]

kube/deploy/apps/radicale/app/hr.yaml

@@ -22,7 +22,6 @@ spec:
         pod:
           labels:
             ingress.home.arpa/nginx-internal: allow
-            authentik.home.arpa/ldap: allow
         containers:
           main:
             image: &img

kube/deploy/apps/soft-serve/ks.yaml

@@ -12,7 +12,7 @@ spec:
   path: ./kube/deploy/apps/soft-serve/app
   targetNamespace: "soft-serve"
   dependsOn:
-    - name: soft-serve-db
+    #- name: soft-serve-db
     - name: soft-serve-pvc
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
@@ -22,6 +22,7 @@ metadata:
   namespace: flux-system
   labels: &l
     app.kubernetes.io/name: "soft-serve"
+    pvc.home.arpa/volsync: "true"
 spec:
   commonMetadata:
     labels: *l

kube/deploy/core/_networking/cilium/netpols/kubevirt.yaml

@@ -10,6 +10,28 @@ spec:
       - key: app.kubernetes.io/managed-by
         operator: In
         values: [virt-operator]
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+        - host
+        - remote-node
+  egress:
+    # kube-apiserver
+    - toEntities:
+        - kube-apiserver
+        - host
+      toPorts:
+        - ports:
+            - port: "6443"
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterWideNetworkPolicy
+metadata:
+  name: &app kubevirt-operator
+spec:
+  endpointSelector:
+    matchExpressions:
       - key: kubevirt.io
         operator: In
         values: [virt-operator]

kube/deploy/core/dns/external-dns/kustomization.yaml

@@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ns.yaml
-  - crds.yaml
   - ks.yaml

kube/deploy/core/dns/internal/k8s-gateway/ks.yaml

@@ -9,4 +9,5 @@ spec:
   dependsOn: []
   postBuild:
     substitute:
-      UPSTREAM: "${IP_ROUTER_VLAN_K8S} 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 1.1.1.2 1.1.1.3"
+      UPSTREAM: "${IP_ROUTER_VLAN_K8S} 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 1.1.1.2 1.1.1.3"
+      CFDOT: "tls://1.0.0.1 tls://1.0.0.2 tls://1.0.0.3 tls://1.1.1.1 tls://1.1.1.2 tls://1.1.1.3"

kube/deploy/core/monitoring/karma/app/hr.yaml

@@ -34,7 +34,7 @@ spec:
               ALERTMANAGER_URI: "http://alertmanager-local.monitoring.svc:9093"
               ALERTMANAGER_EXTERNAL_URI: "https://${APP_DNS_ALERTMANAGER}"
               ALERTMANAGER_PROXY: "true"
-              FILTERS_DEFAULT: "@state!=suppressed"
+              FILTERS_DEFAULT: "@state!=suppressed,alertname!=Watchdog"
             securityContext: &sc
               readOnlyRootFilesystem: true
               allowPrivilegeEscalation: false
@@ -43,10 +43,9 @@ spec:
             resources:
               requests:
                 cpu: "10m"
-                memory: "128Mi"
               limits:
-                cpu: "3000m"
-                memory: "500Mi"
+                cpu: "1"
+                memory: "128Mi"
     service:
       main:
         ports:

kube/repos/flux/helm/keda.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: keda
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  timeout: 3m0s
+  url: https://kedacore.github.io/charts

kube/repos/flux/helm/spegel.yaml

@@ -8,4 +8,4 @@ spec:
   interval: 10m0s
   timeout: 3m0s
   type: oci
-  url: oci://ghcr.io/spegel-org/helm-charts
+  url: oci://ghcr.io/spegel-org/helm-charts

kube/templates/test/ks.yaml

@@ -7,30 +7,16 @@ metadata:
   labels: &l
     app.kubernetes.io/name: "${APPNAME}"
 spec:
+  targetNamespace: "${APPNAME}"
   commonMetadata:
     labels: *l
   path: ./kube/deploy/apps/${APPNAME}/app
-  targetNamespace: "${APPNAME}"
+  components:
+    - ../../../core/storage/volsync/component/
+    - ../../../core/flux-system/alerts/template/
   dependsOn:
     - name: ${APPNAME}-db
-    - name: ${APPNAME}-pvc
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: ${APPNAME}-pvc
-  namespace: flux-system
-  labels: &l
-    app.kubernetes.io/name: "${APPNAME}"
-    pvc.home.arpa/volsync: "true"
-spec:
-  commonMetadata:
-    labels: *l
-  path: ./kube/deploy/core/storage/volsync/template
-  targetNamespace: "${APPNAME}"
-  dependsOn:
     - name: 1-core-storage-volsync-app
-    - name: 1-core-storage-snapscheduler-app
     - name: 1-core-storage-rook-ceph-cluster
   postBuild:
     substitute:

kube/templates/test/kustomization.yaml

@@ -2,5 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ns.yaml
+  # - ns.yaml
   - ks.yaml