First commit - Pre bootstrap of Flux

.gitignore

@@ -0,0 +1,30 @@
+# Trash
+.DS_Store
+Thumbs.db
+# Binaries
+bin
+/flux
+*.iso
+# Temp folders
+.temp*
+.private/
+.logs/
+.task/
+# Terraform
+.terraform
+.terraform.tfstate*
+terraform.tfstate*
+# Sops
+.secrets*
+.decrypted~*
+*.agekey
+sops-key*
+# Kubernetes
+kubeconfig*
+talosconfig*
+*.pub
+*.key
+# Extras
+config.xml
+*.pid
+kubernetes

LICENSE

@@ -0,0 +1,13 @@
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+                    Version 2, December 2004
+
+ Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.

README.md

@@ -0,0 +1,3 @@
+# c0depool-k8s-ops
+
+k3s Cluster GitOps managed by Flux + Sops.

apps/base/babybuddy/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: babybuddy
+resources:
+  - namespace.yaml
+  - release.yaml
+  - secrets-encrypted.yaml

apps/base/babybuddy/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: babybuddy

apps/base/babybuddy/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: babybuddy
+  namespace: babybuddy
+spec:
+  releaseName: babybuddy
+  chart:
+    spec:
+      chart: babybuddy
+      sourceRef:
+        kind: HelmRepository
+        name: k8s-at-home
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3

apps/base/babybuddy/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    babybuddy-secrets.yaml: ENC[AES256_GCM,data:XOhBoL3F7nJQmOX26dleidfkMa4950HMPFQ8BQAD2+3R9U087WBznRxL4/L8oH4ngiOnXhoPn9EFbxc4RekjbCMCdP2x1RpS3tx93pQusT5msGxDkbIEGtGsfgXPjdW1Hov5s0/jqnWkv1ntdDFZVyxk0mLTJMjB3oRLnQQA5vHgOvepi0kWJPVcp/WS2vUGGQDiHp87FvZ3g/3jP9PTWktP8tYL9WDQS9uAkyHY5a1iaFJ8CdVFEa+Bhhkl1aO9Kp+HV+3vA15Q2K4lp0hqTa+T3HlD7H519KU67APAKjcAdkqVkX8MeezFrEf7vf1a75iVRGROD8oooc7k51qmFuiPKit9Ncw1VVBsE6DpZZ3Glbs6iuP+k0ZHnFLVBYH5lMbmKYcn3gC/0X1Tm6DpSniJdmw8X9VEQF8eJkckfMO/HRQT4vtXME9MmtUX/gTHUwoAsh+MvbF14PqwsDP7JYqb0TNSzXOGBL9dZSITD/75aul+Ioao5MPTwrf/sDkZBP5oX+a6aYrGXYNJHmyeTmk7zbWJ735dm6J4V5yFi2JLpkvwAXJE63U8eDg9Ou84k3mlZZB7gOE8zJSSDAen1F6B7o3pF9fy5uf7J9iEgd7CCi+58Y7hMw0Eb6XmwcVrhxvj3MkUHmvfPR4ktbwQrJ3ReOlJliUOlTzacbBPicNHsxU0KqipY1VCpf3yGrTNAy7BUaaZ0hCTv4747EExxjeBSmBkZ7O1NbXJtoY0+bCQiqSBjkNwU4396kIkKyEHn949kiXFGNkhxZ7Uu0pOVWMBorLAkHRNkWD+n07vNiWhwAOAkIWiGFAnF0vtvoytqX5WTjEw9KvLQxIHgp6JOBhUr2+gXn0+3GuqMkHFVdMlhf6bZYoX5asbDOMYpiizTvoPu2bNWuYjxXzlL5D0ybo9fxHO2NTU81xLfZN0/G1DChdJK1Ond4zUKnKBNqs38Bobd3feFAdJOOIbfyJ0KmvRs5xwhhYsScL9uJv2BW2yxSwYXd75xiS51T/qNdSVF43pfzLSfUikOLdmREl44F4IVrfe3RB8,iv:mzNrDmmvMW4xkIjDokWRV2uJ6qUcSDn38txXXoCngak=,tag:HqnEGN9DD/loMa0qK41Kzg==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: babybuddy-secrets
+    namespace: babybuddy
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbTFyTTNXWWNYSEpLanZN
+            UzgrOGZCZ0x1WWhOeEtZd2g4REt0QWpGL2dBCnBJYWx4cGJQR3NsQnpTK3drWWJI
+            bS9HcW4yYmR0Qm5LY0Fwb2tzeUVPVWsKLS0tIGt2dmFiankzYzlTcW16TlNSQVVn
+            M0l4T3BJYldiZnptbTFnRFFyYTZ6T1EKfpXm9MVhIGv0NLemhyrHlD/ALAk9HXJk
+            H/1yfO5ZSs1OzZVbQZVNfxFUf4AKorI3dYT5BLJmUPjxnrnUHAiGpg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-06-27T05:32:40Z"
+    mac: ENC[AES256_GCM,data:/sy59E1hGgLmECCUHp/yj3IsDUGDYFIdJUb6Ju7TgjqiOsWiQ3wnBfDbmqGuQdGaYxXYSdmhNOsvb07kUfe74fE4DpMX8vgiqrX2YMnWzSs2aSUpz6mbVkrnr+LjWoyXjlksX3wu35y4rEn7xUjXydWtXJo1taeOJEeplU2L+4A=,iv:C8xdfyrCXYGAiBTaPJLC89JoZFZFujuIYwbx/vSBmMg=,tag:VqqzMdIE4nsUZYkOgZjVXQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

apps/base/filebrowser/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: filebrowser
+resources:
+  - namespace.yaml
+  - release.yaml
+  - secrets-encrypted.yaml

apps/base/filebrowser/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: filebrowser

apps/base/filebrowser/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: filebrowser
+  namespace: filebrowser
+spec:
+  releaseName: filebrowser
+  chart:
+    spec:
+      chart: filebrowser
+      sourceRef:
+        kind: HelmRepository
+        name: k8s-at-home
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3

apps/base/filebrowser/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    filebrowser-secrets.yaml: ENC[AES256_GCM,data:ITT/Nc/kqV7CZM5sCxyHDJR0R0uz+DeCaN1wziU6T52bswPIdykjrO4Lq5Qqyi5ZvJYnErmo/ryW3bQpIPpqqZ0pvm6qbEx4L5mVMaQmsY970iUwmfDJVGd3tCxA4hMNXnOoi/Mrd0yNvxf0R+qHujsKZRzSZ62OuzSwYvLR29z4xUAD1O//naUcCyCUJa747JXNnmNQq0iXsEUKIfERkRlQfgx5dj8x3KWHwPVXC1jwjOoy56MEmxOx4ByDqhtNhxmBWdDUxtE4NNjRdHH3LLH/uiZaXR73jJ+Z8xYzYAul27cwZ3TwL8QtohIWLdJWQvXKiJqKcDdAyM0CmGomF1EtdoweAOG/TN3yydx2E7C8MnMvFROdCorQqzaZrr/dN/zeJnMTh+wUWKY8CVRNtq0g4H03NRH39Bke9988TAJWLfIjczL22gxWAj9pZn+BKCdvemkIDeO7GNpylN55rx72buUylxuFCRo7W7c3q+4WrlZnPUD29pZXYaW2z9a8XBywSNEqT1Xn7orhcq9I4mBHd8uOzdU922GF/trtYoCm3Kzy5euR9fmEAKrVZ5ycAiBN/iFVBD3N8P+k38otmgRnkOdnN+atETyHXqP/19n4nIESVUSdE9e68BBDrXh5z8w6zyoKJAL2hoXonvBZb89NNcZVxMs2eeJ26Ba5nA+dnu1hnjdkjmxn98J6FVEL8ZdYIqKlI1oavl7LWi5C8UXh0zE7zbi9aP4N++KCWHgVOnvB8ckNsdWoAHQv+xh2Q2AMFYN0jS80GFZiOMeYbXaQJDqNmfMESTFT9IZKgeJMqO5CPgTU0j7FXLNLZzJ9tlC43fgO0w24z4EwNSGUCW/BMwfcmlXF2gU0i+Pyzt5+d+O8wlJUL5SXg4HIxomLBSdjFqFtIB/vES1/C4KgWL0ZurQtzfwBbvXdLP+v/Ri82JktdOcjy3Ke4hsus6b6XtpbopH59cfFqJq8pw69tUJLgy8jH6kYWQ2TXoK20W7dtH7c9NdwH7swqWVAL03OUqrJOM0uyg3Y6SmGJcfXuUcHs7nCIPocI8yb9zokkmiVSdSID+JHra0LxHg=,iv:Q2W3tPxdsdBGi/kNY1VwrQ2rr1awjxOLk3kl66GDnhM=,tag:ctJ8sQdDDfdQtg2u3RO8Og==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: filebrowser-secrets
+    namespace: filebrowser
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRK293Rzl3ZXhKZHhnTlJq
+            WldWSmo1dUxjZFh0ZGNMYjVMQ1NiR0w5cXo4CitMMlU3V0VqbjdaSEh0blVic0s3
+            Zy9FYXdsVjVQVVNQVFFYOWlhQXMwaGcKLS0tIGhWQ3lCS0VqMExUL0hMZmtvTW5D
+            a1BEb25WYittRE9waGN5bGw1eE5SN1kKhdQAUL263VsPTsnnbtjgbdYCbIK7OxkF
+            uLUBa8+qSlABxfrH4gf/ohp8BsYYqsxWiyZzd7gSKuBiWKnrLrjuHw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-06-23T09:36:18Z"
+    mac: ENC[AES256_GCM,data:G6wnMqB5VirAGF9lY58fyIGHb9BxzgWyZ6KAwe953w4Crf5XbLglF2BvesxyEVXCcp7AI2zVj4MT6W5hCpyqQg29W3CM1XiTjvjbwK7243PnnfyxoiwYZSNSHvTHOlqwjzoUbMsGgPvLLOSmDWnq+oMvAxN5Egp01oEYrHA7iQg=,iv:Jit7TX/BeLLi0mKTf1ZKcQWFxnMnU79ixQyFCMKDMcc=,tag:YdBMOeMn/S+n0hxhwBHoPQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

apps/base/home-assistant/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: ha
+resources:
+  - namespace.yaml
+  - release.yaml
+  - secrets-encrypted.yaml

apps/base/home-assistant/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ha

apps/base/home-assistant/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: ha
+  namespace: ha
+spec:
+  releaseName: ha
+  chart:
+    spec:
+      chart: home-assistant
+      sourceRef:
+        kind: HelmRepository
+        name: k8s-at-home
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3

apps/base/home-assistant/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    ha-secrets.yaml: ENC[AES256_GCM,data:UfYcbluXTeLaBI0L5zlUaK2zW62SLuFHqb4/Nh+TM4wTctjYG6iLWb4qoUQ6Hye6wRagyS5Nd1l/YJo/yV9F4zTQlJ/gWvjbZneMXTY/hU28MVIalBts1ffVZkgy+uxq6GycN9ebXLCYdkMRv7t112hBFXi2TDvJ4Wpf8wPg185WpiWO2HZ4Fyh7LVIavvaNAUJJZGi8ajoIpT1xBe3Dp8fn3xICxLMC0e7N8yQ9qLAIS3TmUSGAxXfJM/TpyTmPqLy0eoFcBQw7frYNAOq9ti2YrgMnmvYVYKUv0s5IAjFmgFcl+RtUsxso0Wu7NfbJx9E6ir2tQ5G9W2phxPMGaihE65qslF0Eb3Z4Ac7DZVn+txfFeDKSlsgEiHINPbeYDBnFkEFB79kMnbaRxCp5m7757ufjN+6jylTGfVOH7bqLQkFx2/nYHW59uFHDmrGq17TWUTz0DaaSIbGjuirtyFvRK9NoF36Z7+1XeRr2D2R47XBw7GuETKn9ZRjyKvy7mrMek1S8C4YfwFnr1XdzaXvp4dT3C0Op4RKoxIGHLCXahDmGqHguP1Vzbl4AX+INOm7Wx0bOuJgRobADo0Cx/4dWW8cBsMphphTQC2r3R1tdNulVrguDMHvZEcyKiDHGOJpOL7bd+n3bc25A3mJbC2+mw246kfkdv2zmHeqyEJECJkItErqZbf3x5KRgBXmQxsAdas3aT9xl3OhudakWq3X6CPTsRdnHW6in16ol9nV8XL5s+/0yR/8D6/F7vkOoF4FcDyXI6s7xb8mLVo1WAJNawgWliZj1YUbWzoiNW96OmHrmAaz+DgnPrMH/1566GNNnGgVQaLe0yNYXOXVa7Bn/OzPQ65haWRj6QD5L/14LNcA6Cdaxv2//ii01GCuG7oldZwXiOVCBTr7FN2LqQbK/ReYhsMrkLv4JT8oFI5f2Le1MKSfDBrPd5sMPw6DG06smuZ7mk6SssG2LfXNDkbYGlhk/8Tkkyl8L0yRaH/O8ZODYAc6DIXb6hqWQG9xO+hmmqkcdBikCUpI4KkmxDu3AYqS1EdtcVqK+GOkIO04C2hA++TNOHtbOCQ3nf/p4kH5zLSrs8CvZZ7Cbm00ieDlkZnnMQzzO,iv:B7T4zUeAfKyYqk2dOu3lpkfxcV7DwKHpwUjtW2CbqQw=,tag:ptWYz+33cN0KGeGn4pAUvw==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: ha-secrets
+    namespace: ha
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWkpIeDRDQ0ljKzVTbGpi
+            cXBUUTJkWHQyYWlIYjJuOUVzdTJkZS9xaWlRClFwdlFyRENRZnBHbnh6akk5T3hx
+            TXlkMjc1UU9wYlN2MC9JM3lRREUxbGcKLS0tIDdMRXhUNnM0QkhIc3NnTjh3WkJK
+            STlYbW84ZUlxRk9BTXZoVHNlc2hnSnMKcRdczm7DEcRPhojnKA1N0XTjGBZgSKGv
+            Y+tQXJJfnRz0bypiHnNJRjlcb2lxyjRVUOZXdR9BFyk3ynO3qoxmgg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-08T13:27:44Z"
+    mac: ENC[AES256_GCM,data:JXDXq+EifcvmAQZ52DV9oIxqMT5WtgoP1IGrWT8wH5X++cKiSqqyVcngMUCSSrDcB6mx6lhNnEGioZFUyWlWcM/sEfXujdefXqDitDVyKyTmQJwVWQ6XrpPeiGyXCZ7kKi1puCFNbOdiKzPBppa82XYSXe9OxnPaccoRGZ+hscc=,iv:OwPP8YanWnRR9DTEQRrP8wNlzUxFASoF0sNmvOUyYEI=,tag:Xw/iE3+mtrIzozkwIW7p9Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

apps/base/jellyfin/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: jellyfin
+resources:
+  - namespace.yaml
+  - release.yaml
+  #- secrets-encrypted.yaml

apps/base/jellyfin/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jellyfin

apps/base/jellyfin/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: jellyfin
+  namespace: jellyfin
+spec:
+  releaseName: jellyfin
+  chart:
+    spec:
+      chart: app-template
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3

apps/base/jellyfin/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    jellyfin-secrets.yaml: ENC[AES256_GCM,data:5kBg89m7MfS5DDHRRQqSSYEyLsY+bfaw8aLA21RMMj7UpWiExsOf2i11Xurgr7fMpqwEtSvzDreU+3bxsbm5ToaSgFXuHvJQIPVMZSvEE/P4iZO3thUd1qUfX1j9Mqe6RIR8UcuefFF0a0Pwr1cGa+ksy09wv2khw5gGuAJJmAv90/9CoiIF7/NWLaxlO2qjI4wgFW6xPU39pA8S7j2EqIqSM3I1OAznCycdEBX4gmFh5/0NcGDJsGL5vhkgc4tC6OqgCU2fH7KHy1Pm5WxlvKUkkpMwwk1ujmhSALopy25e9UC3tPel/Gorq+38hciRry4bX3pmhHOmYgBpMlud3LCTmcPdVGFOmDG/j1cb8bTuS9svioyMOgUbAgfUYuOra3KszNh4VcemiGqx2sN9KDV8qaxsiocwHDG99zyQoj05o3p1euU/ouCsC8tuzPENJ/71g6twXdWN9zXay6/eQo1HZOmV9vmEXWCzOq6qz9NeKmYOY+GsxphEk6ajRNBgqKumKD+yGdbcsDeh04utHiXl3Ek0KFmGzYx/CIzr+dXu4V/iJDaUUmpMsdWieYRBtm07uNZpONQp37aOPGKv8Vy1cUaP8u2DHqnx0F6yqDF5BNTDGLP/pq/NUjjElqVFczWjOlcNyR+wToPuXxJwek4b461+RgKLe+EDRWLQt1DV/O+rFIRWZPmjR5gPX1/ghr09r7pF0MeOC89+VyR77wmuJyOdowcY4gr02eFyW0bQIavxfBoahu+1gwGHrp/L7oe3W7fmER9wFQ1jscyARduZzgy+y8Vl87GhrmsgDIGv9zxliU6acHcgR1IQqJ+jk6oQzyu1QaUfHEp5ArcW9LA/vKpjYfrzrANrPzBwaKYRs4fbegq5ig5RJtk/lGv6eV3kMTEzssizOr8faiTAPhJNfO9kFl5Cb2P1YkeFNhuh4hA4Bm7NMB6suxGY4684iLChOR78Gho=,iv:OTlNb320xBpWozuYUQxeoSf6Cr9bUZpFE9e4fysWsh4=,tag:AsoKZUwLBMVHrngSaiZy3w==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: jellyfin-secrets
+    namespace: jellyfin
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNk1YQko1Qm9QalorWUMz
+            UFl6RUFlLytyMzVBdW1Fa1VGdUhmUjUzTWpFCm13ZjA4d0ljcDREckVrQnE3d09H
+            dGZmTVRYbVF3aGN5cm5OSGZJRnViekUKLS0tIFlLb3F4M25xYkFOMGtlcWF3RG9W
+            ck9ZR1o3R2xaeGZqUFVtZDVYUlhNTW8KSKBvcZpLqDkO76n/jWEAsOcwGNFftiif
+            /rMDQ9CeIaoKOJderSPyUEG5dcD8+0PCthIzgjrKwGdXTatrnVopbQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-06-22T18:11:00Z"
+    mac: ENC[AES256_GCM,data:ftxouwa8/b0o+BfSyNu0GnvDckTq/Vk/vFpLeL7C0g1+DeVxg1QtNH/Q+Ij18egjtjRGeB7wb3p+zpmaiJgwJVuTTz4tcRH3p4FZn1UPJyLIHsR/Beol2urSThBwfVezwEQer82QJlwp6t9Og5XnbEDBuXQeLbDi/UIpTRz0k0Q=,iv:LXCSuI17H5k9eCtVzb+f8P2oNckAEf/mKCYgbJ1Ij88=,tag:2RjcixRQu5w/MfLIs/be4w==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

apps/base/photoprism/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: photoprism
+resources:
+  - namespace.yaml
+  - release.yaml
+  - secrets-encrypted.yaml

apps/base/photoprism/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: photoprism

apps/base/photoprism/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: photoprism
+  namespace: photoprism
+spec:
+  releaseName: photoprism
+  chart:
+    spec:
+      chart: photoprism
+      sourceRef:
+        kind: HelmRepository
+        name: k8s-at-home
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3

apps/base/photoprism/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    photoprism-secrets.yaml: ENC[AES256_GCM,data:BbDKeQxjxfoi5ku1D2qUYpEzrpFyuMsMmg0riFMc9I/mn6lP20rK6UWvYMceq6YiMM4QJerJB/1GL3Ld7PRRaiDEQG2WxETbBS7agviRXoh3jMJw+/Ux0KP978/dTI2LSdUk8JgsNKu6LJYwt0EsLpHiIL8IAM0kVV5O0YxhdkWHcPSsvs/ABmfCFaq3ABxgFEEsLTCTw+Eq7IIp2jch7fykewNvVHvPQN1LVUpXOhrTkSBI6nhlOI23dx8ceQWpDJ2QYSpB9PrbDY1WOji2sJmoqL6QvuHliHlK/LekoPLEji+NflrINGavQr/unuo92ZTbUGWvH59YIf6Ek1S0oR5VYJR3tvCTdvFfji9uUM+cnQN/I8gM5S4CgS0xdsFwPv1WV9bk8vO16Xgwsyq84bMnu6+7Lf1gdCPuNa3pmMqnpVUfmyXKjQd7lZVAZfroCDIOxD0laMN+2h9MjTNfcairY8N6WrwfZRYgz/1ZjkPtcWMpVpt6VyQXf3PkHC4HjZrjI4k0nMrzrObpovs0swDTAmF0HWnx86PllDquQGUs89+IKNm7vkyf7s92hl4qFKplhVL1dgWxDI04RShUP23zwdT8F/qTPBiWXgtVssoRpEZp7HG8Ut+Aa4ccntmIz7e8uVVfcU4iZiTIeEBNsxx8+7Hv2asGOkRiyJIa2YyhxKZ85bfxKPGoWbP23UlLr4fX7abVtGC/09LyFDdea9IFSQT2AkgZ8/TOZGKUc1oyzk1Eop0pTa4gHXIiLmpYvTC70FpdzXf9wXXB6othqhmZSQtPx6O2wCrTQ6ByltU+LDIK9eYKX4nSE29N5EmgmggJFYGQdw7kGyR5XUtaukZwYIQGajIY17jYT9ZxcW7R4uxdqn/LyMmGmeVC6EKbtaP+uQwE40s5XdS9nqcGOfrwnxtgD/wOVnWmPky5i4Z/G3EhzJ3ZdTd0Y/EETG+/DiwdA5JXKQTc63Nvz5imxQ8qpqXSI0fLiCOg+O23XYAHX0O9TkHUOWLm9FVQHbWkPPIQxuWWBzmz8u8kmNMgKJmF4pllBQkFGH8UirPI9PFG69Y6dDobXJRADYhiIPEt/IPZzwUr+AgURRcZJzNT+c1XbBwWSX6aRvRUCqY0z/u2jbQGOO3fKyzTvv5XAU+LvpmsONIIBLXZNlZnIhsIDpPX3QEw/r3GrvX7jeMEaJBp/sovm3OBgXZclHEfDpfzTQAb2XnlxKYRhEp5LEeyEHAx0HzebE2LnciRwEVOnQC9PUDuGfaDelXPCJSKV+ZtBrWW44N0lXcTfe42VSXM/ubTZPgaw/Boy0C9Lsd9DSndN1kpwACia7O5zD5pKGD32ytt7Vtmph4eoFwgY0x+2POctKfHOQJZnpb4H7J2RKqbPCK6NdMCeJjQLMw6QyxUXetok1n//5I9LI7BjE2WZLiGudl4fIsTHze01TwKr8+BO855ULmevuA6XkJTR4zgJ09FYqgNF9QkuV89zrf8Pi0bffgertAfJ0DCmc7MBidZGT0qciWtfMlMID8zNLACBqNesmSws9QVTQYAZP+2zx6WhkJgy0SQwK2GzE+gMZUKSrboSF+qTthwvtwaY9P1Guu//88siYbFAquf1qgML0ADl3YVOkyv4Q4DXzjqqRWCDd/DWf4dVq1vLjI=,iv:r+f2YP4SMiZWqJiXCCmxxsE6Fw7SQ7CCfLLWgIHtDEA=,tag:WucmtHvE2DB1ODLwjZwYVQ==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: photoprism-secrets
+    namespace: photoprism
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVnhobnZqNklKOW1mM1FG
+            NjFXb1BUeWRzV0ZiRFdpK2hoRExncWlHQ1VBClZFNmx1QzJ6VkFoWHFSc1NMQ01z
+            K1hoWnZxVnJKTWVIR1AvLzEwTG5USmcKLS0tIFNxL2xKMjJ1QXFHdzVsWTVVOXpS
+            RG52cXh0S3dPa0ozMUV6VHdocnI1UUEK+2f5D8GRO+VjBEkbITUgcSpSbcj0+f9/
+            UWXr7lr1gpe6JVqru1wvMc+pnH6u6ICC+Mmsbs7QTZ5Fp+Z7bLEM3w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-07-15T16:58:05Z"
+    mac: ENC[AES256_GCM,data:c5T5kYhaV2maYuIEFkmxIj2AM3dGs1JXNoLtU7C2T2nSlGrqUa6Wya9thCWzEK6CDedTAImfkNq9uAK+UAC4MG4M1yzD++MaPYM6Z4M4SToKzqYbiWqRhYQtzhqOeD4GpRJH4FmbflbGVrCahyZeMsB8Z+8x+8YZEUTuda/KGO0=,iv:K7XLDHUSOflX1zIGJQHBWQBpVHwe/8xe/bKzQ+IBbgI=,tag:ljn1q1j6E5z1fnVC8NtUpg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

apps/base/plex/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: plex
+resources:
+  - namespace.yaml
+  - release.yaml
+  - secrets-encrypted.yaml

apps/base/plex/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: plex

apps/base/plex/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: plex
+  namespace: plex
+spec:
+  releaseName: plex
+  chart:
+    spec:
+      chart: plex
+      sourceRef:
+        kind: HelmRepository
+        name: k8s-at-home
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3

apps/base/plex/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    plex-secrets.yaml: ENC[AES256_GCM,data:Zf3iwoIKDs9osD06Yf0APefxuK9EAhz0ejCp8kRCORAzqDqLKAN4E1fjkyXJrreL5AVJJUb3jawZgWcVFWVgvMC7Id/1ce0eTpUzIR5Sq9HI2n+yK6wNfotxqoiNmiQVOEmjKLutt4V0NwXvS7H+dF6Gi0K9OURThtK4GYI0jZJzJ0D6T22KYFUx4698UtYP3yyTscGcZwEWfnFne3CrfjtLf2bc2iJAhr6XTP+s5Arccwg737555E9fg0aiO3bRbcsgVeW/9uZtARLu5vbMqAvknFZpwZMbzD2OmzXt6ezPuxgfB9EV6l7o/SzqhzYu3WvD23fcgG5fm2Knrh5jYZksxV6R6qfN+juMAsElrhTW/evaKyFrKC/sc/X/XAHJQbsaEyIVQCgSnBFyX2HqXDijV9XN5ckt0TkdWK/w5tjGAydSskGPGn7IcciY0eZJsnPq6bEfCVPsFra1tF5yI/6b5z2Z0SoEt2V6JduYV/y05TcQXqLgIzofBHSFudppVlc5em+5kGnxRnkiW42YBeoIkfUtpWKLLHwY7sWnPgINB0WIMMHAaWavnsdJDtDA3IqfuV35XguyjLblW/NI8bJJr8e7HCrynyoZ0NDqe7BoUHChR3HirW6TW2vj/vyGkjL02hnLQOhU/3grX4rGcafVkw8ugv90kOXUiQsAxHm16Bq+DPWG+Z84qsyz2Pm0qrPusdcmwYVkjVBdFviKs+niiQqrOVnDszH6lkUcIctXxVPuCqCMMFtSoRHEET+STTZCR+sHybJPN7T2GZzxjR3nWS1scg1QLsSAgBtk234/4x9LB934FMccggnA6wfbYCTeepMNf7RP7z3vIc1Yg9gOcnjyoVfDhDTndnp/O+IesF3E22Ws2I0Xta8pa2XOpzxSEe4OQxrPyQFwr6tYy2V8Zep2Wmu61pP9x2woAzlbdmYENDrlg5f2ylEEbHFh0mB9S0ArgD9cev+a3sgbcy9Vh1LVpINhCksUl2rEdUDVIQDgzjuSL/zeNL9TOWx8xc/0ST3ifABItP776OWShagugvcLu8A8/eeJQQXITZ34jssBNZ1WGMScl2fopJUU3TPoaNh1361IJT6ooE/aMwWQSPOf8senQbLvlGtEM164n7tDpA+mQHIbEQe5gDsx,iv:0uXkqUhqQYDcIYt2uec4Dejj841ERM5HQg1K0WPhSTA=,tag:OoX74SugDqWxh04Lpn5bfg==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: plex-secrets
+    namespace: plex
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbk5XR1BaT2dnRS9yWGNL
+            enJNS3Z0eU5wTWthblFKZHpzcE00R1dGRlQ4CnhlTkllQkJrbzgwYWRibG9HNTlV
+            QkNjZ1hOSW5yTGE1WGFTa0wzNW8zVG8KLS0tIFY2cFNEUGs3THkxcGZoOHFueTEz
+            WjVkOGIzUktwY0hiMnoyak1RanMzMUUKTAsxwZGbDePCApLhEKW7JzOXDRNMwJ+Y
+            sCYWAbhimWv/8ScObl7U/ozzEaUI4J1mm/Dgd0M6bc6B66LqQfWqjw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-08T14:15:23Z"
+    mac: ENC[AES256_GCM,data:pFM73mWjkq3sBNPw/p7z81Pay1Y/qIisXQwZ96g4GoVo3tbVeW6ExoCKOnwS7IxIF+3+/cEQo0ndsqctumedbj3xRvwAW1eM4lAMkZw8p5DEW+NfByMWJdh5n5UTB+Tyyplgc+PWYSoXFgn6bHKnQWGLw/ghDKu6+AfxZpbLTs0=,iv:fT6gFjGkQQEvvZAW9Q+GGxfn9Gnc3kct42QXBuIgSxs=,tag:DlOwp5OHHrUs12jb3oZJyg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

apps/base/vaultwarden/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vaultwarden
+resources:
+  - namespace.yaml
+  - release.yaml
+  - secrets-encrypted.yaml

apps/base/vaultwarden/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden

apps/base/vaultwarden/release.yaml

@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: vaultwarden
+  namespace: vaultwarden
+spec:
+  releaseName: vaultwarden
+  chart:
+    spec:
+      chart: vaultwarden
+      sourceRef:
+        kind: HelmRepository
+        name: k8s-at-home
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3

apps/base/vaultwarden/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    vaultwarden-secrets.yaml: ENC[AES256_GCM,data:qBi7aCoCKBKg7Q61bLQERwJXUYPMjYiPWRQEONGcxYTyJFlbGfmAgWAc6648EccnLnbAlPgujMswvf1Cpw+mOzwm2+Y7IqLX1Obmd0jAnwBYejd+ZrJ7CgcbOKZKumLhkl6J29by3WhwpDz2pFRnHblogKIqh/NMor8LMI0+sjJzEiUX1ZrEgnKv9rjeRK3kYW3JaRlKXtmocI1RorYntdP+NCbrqshV1+Amc5YTTR6jRoVPXATEy5zTZFRfE3Lz3zKukSnvzHzn1QuGny1PhySJeWLIImUN7ER7ZX6HeNp7xIyiJNOgOVqg/kkRZTyckqaienK1j0N+XRkr4HxxMYz7yRzv2L/W3VgudXnMwiEvq6MJTUfvVV49iKtbFO4bElO8fL4oEp82s+eVkieeK8Et0/POkCvH/wQEmRkCszaod8OsyBeMz5X4Je6IzYD2B6EJMfFCFhdxc7tkvSIQ3491y29ZX/NTSxN3GYYIe2Bd63ySjzr14Oyeh9NqZ1m6Tz81uDdOEchIRpUaWbu0vFsDdpAUZhZEir6Olo5GjP1lqS1dZDDp15HMQuDv2rZ48m4zKOrCENAfTIC5dGe41enff0aRCPoV4um6ksh3FVtN66ep39MiNQ0XiQMswIqyGL0LW1k22fXPTFgtqbskW3liT9QTktF5A/q4xkqVFMGtmEcfQZrqg8m8lIK7/vVQcNCWAXA3UbZqBYg+3R6qCyTbgVTqfodOTC5vZC3+iQg80O/g/XAw9TNjrMnPWgeu1bJ4MErmCPRXwQcVrC4+bLAqlmM5/jGwyfxXRT+8tKssQeVZJQMHKYs6VvYTIA+/2z3mTaLlPbyEuO0IFAk8th9h7ZSI41oLrBQqoPKI9oxN43g4yq7TiHxDmeoruQP8ihGBNnv5q9dO/fRI00pRVhpti2rTW6k5pBo9AX6TrtZ0msH1ztAr9F+TSbaxY2yOByPEw+KwIqsN85RWDzes3JkuW+Mu5JZjx1WFCwwMkGNMjUoURb4xFtDssPydk4X5gL/+WdjwRH2X7qm4Oza/mFMYeMqmJMIhWOZ6SNr/BAhaSkVXuXTVrWly04HVOwFdENP9TTeHYgaZSptXVE7SSmmJ3Y2CGcLjt23YekrDPg5qfZB5h0d9SU0mTP0szUg1Rpu1f4eM3igfAPdnhQ+CUTfgG1BAclqOvg0HvX5GX1IzhJ1BjWMcszPf2ISnbee87hoRV0OVdemFfbZd1NH/nt9LPYJ4NMci5KxDnwWurYQo1YCQa1i/iy02wMbHVUJo5OedbxblrhfpVI8al2u/pUBOu9+AQMn7ydux6vb4KqFxsCFu/Wjymh5Ux9PH4XeeIg3xlA==,iv:01tDxyaYMQE00ysuvvHdlMCfsRtmCV7FKTWvPWWrwa8=,tag:35sXd3KEvPThqlmKJZjtAw==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: vaultwarden-secrets
+    namespace: vaultwarden
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdG5SVzhrZHVpKzRjV1FH
+            Z3hqUm54cDhBRzdrMTYyeGdFcmdYc3RBQkJnCk9tWUtteWdZNFo4Z3NVYlBIamtv
+            TWRORXhTVnYvQk1jNzF4N0VNa2dEeDgKLS0tIDN6VVhSM2llbGJoSGt0RTlHMWky
+            aVJNSU5CZ1UwTHMwSTVpY0pSTk42UkEKJJLbWo0V6WVZ2KxJ5eKRgxUp5rpoaA/0
+            hcvEuBFogQPfsv0GRlbzGvkK7i6UO/kYlvZIKb/Qm7MvgoyxW4UYAg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-06-23T11:54:26Z"
+    mac: ENC[AES256_GCM,data:20XejpoiWVuU7vO1ee3Iy63zUB9vlCp3cV9WiLTI5DxzVl2VUE0Ja4bMmVXd0r1Ii9q1pCStnwN+N5u2KygJx2VCovhXIel0xDTUTVDActHk2W8ST8pTiGw7Ol7KT2SPrm1pWvCKaZqOupskPwtoLwGDAASnTSQUizgf8CPBswI=,iv:MalCt8xy+hf7w52/wt+f0Avof+dbhTBNDKEkJtmAX/Q=,tag:IAfJd5olHh4FX7vw5Y44Rg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

apps/production/babybuddy-values.yaml

@@ -0,0 +1,26 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: babybuddy
+  namespace: babybuddy
+spec:
+  chart:
+    spec:
+      version: ">=1.0.0"
+  values:
+    image:
+      repository: linuxserver/babybuddy
+      tag: 1.14.0
+      pullPolicy: IfNotPresent
+    env:
+      TZ: Asia/Kolkata
+    persistence:
+      config:
+        enabled: true
+        mountPath: /config
+        storageClass: longhorn        
+  valuesFrom:
+    - kind: Secret
+      name: babybuddy-secrets
+      valuesKey: babybuddy-secrets.yaml
+      optional: true

apps/production/filebrowser-values.yaml

@@ -0,0 +1,33 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: filebrowser
+  namespace: filebrowser
+spec:
+  chart:
+    spec:
+      version: ">=1.0.0"
+  values:
+    image:
+      repository: filebrowser/filebrowser   
+      tag: v2.23.0      
+      pullPolicy: IfNotPresent
+    env:
+      TZ: Asia/Kolkata 
+    persistence:
+      config:
+        enabled: true
+        mountpath: /config
+        storageClass: longhorn
+      data:
+        enabled: true
+        mountPath: /srv
+        type: nfs
+        server: 192.168.0.120
+        path: /data/media/
+        accessMode: ReadWriteOnce
+  valuesFrom:
+    - kind: Secret
+      name: filebrowser-secrets
+      valuesKey: filebrowser-secrets.yaml
+      optional: true

apps/production/ha-values.yaml

@@ -0,0 +1,25 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: ha
+  namespace: ha
+spec:
+  chart:
+    spec:
+      version: ">=1.0.0"
+  values:
+    image:
+      repository: ghcr.io/home-assistant/home-assistant
+      pullPolicy: IfNotPresent
+      tag: 2023.2.3
+    env:
+      TZ: Asia/Kolkata
+    persistence:
+      config:
+        enabled: true
+        storageClass: longhorn             
+  valuesFrom:
+    - kind: Secret
+      name: ha-secrets
+      valuesKey: ha-secrets.yaml
+      optional: true

apps/production/jellyfin-values.yaml

@@ -0,0 +1,58 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: jellyfin
+  namespace: jellyfin
+spec:
+  chart:
+    spec:
+      version: "1.3.2"
+  values:
+    image:
+      repository: jellyfin/jellyfin
+      tag: 10.8.9
+      pullPolicy: IfNotPresent  
+    env:
+      TZ: Asia/Kolkata  
+    persistence:
+      config:
+        enabled: true
+        storageClass: longhorn
+      cache:
+        enabled: true
+        mountPath: /cache
+        accessMode: ReadWriteOnce
+        size: 1Gi
+        storageClass: longhorn
+      media:
+        enabled: true
+        type: nfs
+        server: 192.168.0.120
+        path: /data/media
+        accessMode: ReadWriteOnce
+    ingress:
+      main:
+        enabled: true
+        annotations: 
+          kubernetes.io/ingress.class: nginx
+          nginx.ingress.kubernetes.io/rewrite-target: /$1 
+        hosts:
+          - 
+            host: &host "jellyfin.${PUBLIC_DOMAIN}"
+            paths:
+              -
+                path: /(.*)
+                pathType: Prefix
+                service:            
+                  name: jellyfin
+                  port: 8096
+        tls: 
+          - secretName: "${CERT_SECRET_NAME}"
+            hosts:
+            - *host       
+  valuesFrom:
+    - kind: Secret
+      name: jellyfin-secrets
+      valuesKey: jellyfin-secrets.yaml
+      optional: true    
+      

apps/production/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - ../base/jellyfin
+  #- ../base/filebrowser
+  #- ../base/vaultwarden
+  #- ../base/babybuddy
+  #- ../base/photoprism
+  #- ../base/home-assistant
+  #- ../base/plex  
+patchesStrategicMerge: 
+  - jellyfin-values.yaml
+  #- filebrowser-values.yaml
+  #- vaultwarden-values.yaml
+  #- babybuddy-values.yaml
+  #- photoprism-values.yaml
+  #- ha-values.yaml
+  #- plex-values.yaml

apps/production/photoprism-values.yaml

@@ -0,0 +1,51 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: photoprism
+  namespace: photoprism
+spec:
+  chart:
+    spec:
+      version: ">=1.0.0"
+  values:
+    image:
+      repository: photoprism/photoprism
+      tag: 221118-arm64
+      pullPolicy: IfNotPresent
+    env:
+      TZ: Asia/Kolkata
+      PHOTOPRISM_STORAGE_PATH: /photoprism/storage
+      PHOTOPRISM_ORIGINALS_PATH: /photoprism/originals
+      PHOTOPRISM_PUBLIC: "false"
+      PHOTOPRISM_DATABASE_DRIVER: mysql
+      PHOTOPRISM_DATABASE_SERVER: mariadb.databases.svc.cluster.local:3306
+      PHOTOPRISM_DATABASE_NAME: photoprism
+    persistence:
+      config:
+        enabled: true
+        mountPath: /photoprism/storage
+        storageClass: longhorn
+        size: 20Gi
+      originals:
+        enabled: true
+        type: nfs
+        server: 192.168.0.120
+        path: /data/media/Photos/
+        accessMode: ReadWriteOnce
+    mariadb:
+      enabled: false
+    nodeSelector:
+      kubernetes.io/role: worker
+    #resources: 
+    #  limits:
+    #    cpu: 700m
+    #    memory: 1.5Gi
+    #  requests:
+    #    cpu: 300m
+    #    memory: 1Gi
+  valuesFrom:
+    - kind: Secret
+      name: photoprism-secrets
+      valuesKey: photoprism-secrets.yaml
+      optional: true    
+      

apps/production/plex-values.yaml

@@ -0,0 +1,37 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: plex
+  namespace: plex
+spec:
+  chart:
+    spec:
+      version: ">=1.0.0"
+  values:
+    image:
+      repository: ghcr.io/k8s-at-home/plex
+      tag: v1.29.2.6364-6d72b0cf6
+      pullPolicy: IfNotPresent
+    env:
+      TZ: Asia/Kolkata 
+    persistence:
+      config:
+        enabled: true
+        mountPath: /config
+        storageClass: longhorn
+        accessMode: ReadWriteOnce
+      data:
+        enabled: true
+        type: nfs
+        server: 192.168.0.120
+        path: /data/media/Movies
+        accessMode: ReadWriteOnce
+    podSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
+      fsGroup: 568   
+  valuesFrom:
+    - kind: Secret
+      name: plex-secrets
+      valuesKey: plex-secrets.yaml
+      optional: true

apps/production/vaultwarden-values.yaml

@@ -0,0 +1,31 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: vaultwarden
+  namespace: vaultwarden
+spec:
+  chart:
+    spec:
+      version: ">=1.0.0"
+  values:
+    image:
+      repository: vaultwarden/server
+      pullPolicy: IfNotPresent
+      tag: 1.27.0
+    service:
+      main:
+        ports:
+          http:
+            port: 80
+          websocket:
+            enabled: false
+            port: 3012    
+    persistence:
+      config:
+        enabled: true
+        storageClass: longhorn             
+  valuesFrom:
+    - kind: Secret
+      name: vaultwarden-secrets
+      valuesKey: vaultwarden-secrets.yaml
+      optional: true

clusters/c0depool/apps.yaml

@@ -0,0 +1,24 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: apps
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  dependsOn:
+    - name: infrastructure
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/production
+  prune: true
+  wait: true
+  timeout: 5m0s
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: cluster-secrets      

clusters/c0depool/config.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: config
+  namespace: flux-system
+spec:
+  interval: 30m
+  path: ./clusters/config
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age

clusters/c0depool/flux-system/gotk-sync.yaml

@@ -0,0 +1,27 @@
+# This manifest was generated by flux. DO NOT EDIT.
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  ref:
+    branch: main
+  secretRef:
+    name: flux-system
+  url: ssh://git@github.com/c0depool/c0depool-k8s-ops
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./clusters/c0depool
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

clusters/c0depool/flux-system/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml

clusters/c0depool/infrastructure.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: infrastructure
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./infrastructure
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+

clusters/config/cluster-secrets-encrypted.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cluster-secrets
+    namespace: flux-system
+data:
+    PUBLIC_DOMAIN: ENC[AES256_GCM,data:AnZdRIV8MuGokRcVkGJVow==,iv:TKUl2fBiz7QWMwgfbY7Ng56PETSaFVcN6tvdDFIIedU=,tag:2llJBCy6JBkpyUq5eOXtgQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnK3F0czJOb2lCcHgrOFJv
+            UzJBaXV1WlJGSVdRSEsyOXZaZUlTTUs1NzMwCkxTbURIR2JXdTFnMGxnWUs0d1ht
+            cHY3M1FCQ0V2TWZjQU0yS3NVcjhET00KLS0tIDhrakc3OE5CY1o3eFZnOHp2YzBp
+            SW44ODNqU003L2IxbkdlUmJFeDlCcFUKNHFjoClbX82JnjYdmBxkkAxNI0a08bjy
+            PvTa7Btea9oRBDJEMyjJsuaaww9IAz2tdjkjZdNQ6A2BLnkJ7ACTaA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-03-20T09:17:57Z"
+    mac: ENC[AES256_GCM,data:bKiHLhqlSU04AQBSS/hgmD8LWEejW11rrXBk7Xb5QrwZPnWB3CljSdgh0hdI6emUM4WyfqcTDMQfhRfGliOor5A1DV/B79ZrRHZTLn/5Vh1KwYyF2EbFCEBl95PlzeQGJ/RIS9qA8gmQwNtZj3gv4+ulfMJqsNYTdEMDmoBlzWU=,iv:YdH7qYO88WlKVtf09Ya1xnddM6/H+2GUqfv/boUAYqE=,tag:+6tfm0s4TeisyAky57qkLQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

infrastructure/databases/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: databases
+resources:
+  - namespace.yaml
+  - mariadb-deployment.yaml
+  - mariadb-service.yaml
+  - secrets-encrypted.yaml

infrastructure/databases/mariadb-deployment.yaml

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    io.codepool.service: mariadb
+  name: mariadb
+  namespace: databases
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.codepool.service: mariadb
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        io.codepool.service: mariadb
+    spec:
+      containers:
+        - env:
+            - name: MYSQL_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mariadb-secrets
+                  key: root-password
+            - name: PGID
+              value: "1000"
+            - name: PUID
+              value: "1000"
+          image: mariadb:10.10.2
+          name: mariadb
+          args: ["--transaction-isolation=READ-COMMITTED", "--binlog-format=ROW", "--skip-innodb-read-only-compressed"]
+          ports:
+            - containerPort: 3306
+          resources: {}
+          volumeMounts:
+            - mountPath: /var/lib/mysql
+              name: mariadb-storage
+      restartPolicy: Always
+      volumes:
+        - name: mariadb-storage
+          persistentVolumeClaim:
+            claimName: mariadb-pvc
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mariadb-pvc
+spec:
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

infrastructure/databases/mariadb-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    io.codepool.service: mariadb
+  name: mariadb
+  namespace: databases
+spec:
+  ports:
+    - name: "3306"
+      port: 3306
+      targetPort: 3306
+  selector:
+    io.codepool.service: mariadb

infrastructure/databases/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: databases

infrastructure/databases/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    root-password: ENC[AES256_GCM,data:7xppsbWB3vaEE1OzAN/g5MWERHLQQfgvkrposg==,iv:bN6EOSsPw4rvoZ754FwYsjiadBVhmnysblamXKucPP4=,tag:/LwVdmfCQ9v4k0JEWRZ8Dg==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: mariadb-secrets
+    namespace: databases
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzM2pJV0hnWkFqQWlvdmFE
+            bkc3MXh4K3pPTHMrVWZoSVRxZnBLb1M2VFdvCmdwcUZWNlR2UE4yRGZ0eERwYlA5
+            TGFkM2d0YnBBUkRtcEJOSFE1UDVxOVkKLS0tIFE0cHFiaG1YandOMkRnbUpQYUZj
+            OFJjYWQ3aEVxaytTdmF5Yk9ZOGdKMjQKzaH2kBRkiII5q3UUV7pF6Iz+95G2U5/E
+            LIFcf7TNxvtJ/J7yQbMw8TfHTnzlcxAFu8SEq80nnL5qO4yK2u94HQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-06-24T13:53:59Z"
+    mac: ENC[AES256_GCM,data:8roVNtjjV4uR4yzQjc6ITwd/SeWAHgOXt+q8AJG3C/Jxox1Ff5N9DnXVKE7Yd+MVAJHd7vy5On++QbXSIRj8Yb0/el6VfYd9Lta8VAoHzCUV6L/jBf+tIkIV0uJardpycgwEsYyktqV7RvjV1D+iw2pRmx2Irij6/PzTOSIRxV8=,iv:tdRJgYyMy/vVv2CWrG2CnTDjvBdoXdiqNyEewzB0x5g=,tag:ZIzgHxCFcpDXDGpvFRmkWg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

infrastructure/ingress-nginx/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: ingress-nginx
+resources:
+  - namespace.yaml
+  - release.yaml

infrastructure/ingress-nginx/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx

infrastructure/ingress-nginx/release.yaml

@@ -0,0 +1,48 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: ingress-nginx
+  namespace: ingress-nginx
+spec:
+  releaseName: ingress-nginx
+  chart:
+    spec:
+      chart: ingress-nginx
+      version: "4.5.2"
+      sourceRef:
+        kind: HelmRepository
+        name: ingress-nginx
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3
+  values:
+    controller:
+      name: controller
+      image:
+        registry: registry.k8s.io
+        image: ingress-nginx/controller
+        tag: "v1.6.4"
+      config:
+        use-forwarded-headers: 'true'
+        custom-http-errors: >-
+          401,403,404,500,501,502,503
+      externalTrafficPolicy: "Local"
+      kind: DaemonSet
+    defaultBackend:
+      enabled: true
+      image:
+        repository: ghcr.io/tarampampam/error-pages
+        tag: 2.20.0
+      extraEnvs:
+      - name: TEMPLATE_NAME
+        value: ghost
+      - name: SHOW_DETAILS
+        value: 'false'
+    tcp:
+      "53": "adguard-home/adguard-home-dns-tcp:53"
+      "853": "adguard-home/adguard-home-dns-tls:853"
+    udp:
+      "53": "adguard-home/adguard-home-dns-udp:53"
+      "50000": "wireguard/wg-easy-wg:50000"

infrastructure/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - sources
+  #- wg-easy
+  #- databases
+  #- ingress-nginx
+  #- netdata

infrastructure/netdata/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: netdata
+resources:
+  - namespace.yaml
+  - release.yaml
+  - secrets-encrypted.yaml

infrastructure/netdata/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: netdata

infrastructure/netdata/release.yaml

@@ -0,0 +1,88 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: netdata
+  namespace: netdata
+spec:
+  releaseName: netdata
+  chart:
+    spec:
+      chart: netdata
+      sourceRef:
+        kind: HelmRepository
+        name: netdata
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3
+  values:
+    image:
+      repository: netdata/netdata
+      tag: v1.37.1
+    sd:
+      image:
+        repository: netdata/agent-sd
+        tag: v0.2.7
+    parent:
+      database:
+        persistence: true
+        storageclass: "longhorn"
+        volumesize: 2Gi
+      alarms:
+        persistence: true  
+        storageclass: "longhorn"
+        volumesize: 1Gi
+      configs:
+        netdata:
+          enabled: true
+          path: /etc/netdata/netdata.conf
+          data: |
+            [global]
+              memory mode = dbengine
+              update every = 3
+            [ml]
+              enabled = no
+            [plugins]
+              cgroups = no
+              tc = no
+              enable running new plugins = no
+              check for new plugins every = 72000
+              python.d = no
+              charts.d = no
+              go.d = no
+              node.d = no
+              apps = no
+              proc = no
+              idlejitter = no
+              diskspace = no      
+        temperature:
+          enabled: true
+          path: /etc/netdata/health.d/temperature.conf
+          data: |
+            alarm: temperature_alarm
+               on: sensors.cpu_thermal-virtual-0_temperature
+            lookup: average -3s   
+            units: celsius
+            every: 5s
+            warn: $this > 60
+            crit: $this > 70
+            info: cpu temperature
+              to: sysadmin  
+      env: 
+        DO_NOT_TRACK: 1
+    child:
+      env: 
+        DO_NOT_TRACK: 1
+    k8sState:
+      persistence:
+        enabled: true
+        storageclass: "longhorn"
+        volumesize: 1Gi
+      env: 
+        DO_NOT_TRACK: 1
+  valuesFrom:
+    - kind: Secret
+      name: netdata-secrets
+      valuesKey: netdata-secrets.yaml
+      optional: false  

infrastructure/netdata/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    netdata-secrets.yaml: ENC[AES256_GCM,data:ul690+EF6Q0er+Z0Noi5igRGkKKVCIT8MMq6s9ICwo4UM6wUeZP39yLF5Fw7I0t1r5vjsIMrt4+hAvw3PPQIUkP5NM4e2kbj8Qd9LuF4iV8Vf19K5M8quUkdwWdjTdxC1fWjPocGjGXqia7DeDhFcWFckrcVjyCfAKwwqfuhL3g/h+AY/v+r6USXjcN3yDKYrR1cDxhOUQMYUN4Kp5tp+xUhj5F6OQHLvE27ASnT8cZeVFoukTW/edb8LMfUwoW9Rhwgh9MV8Qf7uXwQ98YRIf5nMu+SjB0jHk61xaTjFQwFxicYm7hwE9/nP/MytOSZM/N+7VevijTuAnnCEzcBMuMP6Ha6VO37fLQmHzfm8RdAVlg9nLG0tmNkUo107TjPhdVrXxv4OVPLlMyQVGM34jdVJkuKV2Yj88NjP4Mrkc/DGoIncPlyvWkOm5o6S4tLMwOFpG6awX989KnzMfL0v14K1N0uO1alDUuSw4th/q5Ysn5KisSPYGsf9DkjFo1TD4104Iy5uB9val9kSTVoUJDbtZtp9kQESLiS5XDcEen9WYmY7G14qTsOUmE5TDAg/o/8KtX3nQVWSY+HdsAXc4psWCeFZYD1eu96JEDcZEZvetTTgCQaEG4SMWcn4TM4f0nypsbQ5sQdBQR5wtJLod/k/bpxe/M2uBmTkI+gIcQhoL+pRDW8MAWnluExgHPxDrzpZ0SDWwaPjs4/wt0Av2u3Ko5Ud1SN231GQXf/+kl566U7OLFWpTXEgoFsg4exE+1itIc/xXfxGwOo+UJwNpeOMcru9aqO/gwBcAZ7Qm42P4AEiQf3nXce1MfuSohjSJ2C/GRb/ndCp9EFEW8xMXD1y2h2olU4pFLH5bp/t/8reHXBXffoZh+Dm/Qnc+MLCZQH6FPDh0BtWWpMohdCuPa6q2gUGCQXKSgvyUhHu9Lwa63N/cC4jc7X9RwU+xw4MUElHHLQF8/yScKTrHNRjEsGFJAhlOUEsoBGns/T9vAPl16T9kEFkUV8ivBNuVj1O0ZgyJRmNNNNzDi9GbzmIMXE6pr+WL83yeNc9v4idsvfyKgNHz+t8dch7ER/fb4cVD34DaTa/8ZAcajfEk/sNap0s7mLWaOLgYt+GYWocIS2zRLomXGRUbucl78UATDV9UNhzuAa3LwNLau7dSDN4BWYEeV6FINapOgx2tU1z2P5Xht4hSFJmjmLWxKbGcHR8R0AkW0MqXviLk7h0G0c4aRC83rtfQBjZkHCU2mYhZcmb5lhc2kzBtu/ZGHq1Uhzt6xeUMbewqftMgBoqTUnq/MLj+p/fcvQMUSPfXemg0DZcNq+8cXob4qG0Ba9rogu9ifKOdoyrHwWbBbUTCgMFkBAQi/M/qx6SRMad6LCD4wo62HObadvdPj5FoX+pVuUgf6EaL4fHV0GCyRAi9iNehcreI45WXQU5cf/Jmmnww0hJiGDisWWGRwi19a/wAXLGRJHXiD/F0uegETk2WA455CKHSuT76bZ1fFUASt7APRaUCAP86e3U9A/yYhfgIGYbLOHxoiM1QruVXTLM/zTrZ/cTJ6/yBHEPX31zrG7sHkOqWuqG8i3wk18uUdW6CkkRqzGZZkEfsXu0e1+yTkcRcvWl0BU5isgudYy0Qyfb7dzXqlhmv7zlWBz28vJCAPRzqE/BqJ/hmHk/7+KyUGl4/eNtUoPQPH/xDvLidWRHEjiZHonprfTp+K0S+0cNSaKEyacMhvHXK3L+4wk3+KMyNZzaQliCmeyqbIef5zgsVr3378phoK85QGdAlChSbhrV2zzFzbH+XIHJmICVbNaXFoXbCxIyadheZXCt9a0MSZLZOi1aZ+PgJOggRxreeBf1mBiv7L0lXVO5eK9QDsn+XTDU6s9nrW48FdDRgDJTbEHBXj5ADuxL1wORSgtQLGoyn9qDtEI53Au5Wdy3hBhVWDOPxB2Pzz4ROEFOqNEGEXcNCRSod60MKkjoas7rw/Gi4jvhkDqkt3UqEVUqU4RFCu28P/2cpeGL/86dGlL9RHWcAhHDrZDzKlExkuHKFi1cMrElv5aTS9FtMgEBtkfQhCMA8bCpiKYxeI0SYyrJ/y6jhXZr8xLPuVlyapl2BddaBOzOIc6MwX4H/CUoXVHE4rjhOo9ycgqgG6BSYTMvGeQCophZ8JSXv9d8FJYSVzMDd9Zh6XaL54ILsD71q+wCHiSbw3t5AX5jSo8YuUSnx7m+vTPVZ05TAP0Seaw7auzHqI9SIF7HvYAn5faSF/+Sc1U5hg63K2cJxGJuQI/TgswSztkZvIGqYIZvsCXsvlXpn2d33GX1J83SDAuLgmaaHyfB/0SDCq7rcF33FyA36jqfEqDRNuLpoEtcSYKbVdOyhNYv9M1cV5O+WFNsTTc7a1t2QXPnZxFNBEYGRvEX6wdPkQB6rQUtLrasiCPI8yRQyLH4VkBj9Hd4GeOicrdE4nn5/9ZwgmCEV4OgIrt/82tC6uJ+eVsdsPl+SKz94ofRj9iJuYrWKF9arEghrgeRLZ9IDIr9Lg5YJfpuwTSND6tzg5KYi1+M0WyO8+uNfSe45DZuMKkN/bXu47PMzb5dXQNOR9XAb/aqmNLs+slamns2cSl/YUAKitVkXx7CDWuu0pQQvosRkpe4AuYR695UXLB9GIQ0BH34Q2zzalxqEa4qa1BtGMS+zwqS3LQj1XF84dp2xCCGMzgJYq4Wt/cGGKe0eEJ26KSgdtN7rc2mYv8vVGju48Q1iZiJShRxHeDsot6Pu4hzKfZk+1xcXmeKY4qt8TWdCtvS7yshsRqywP+2EBSYg0Dtj0+abOZYQXzUcJDV827JRgUxokHIa0Dj9dd+gypH6zXCIe+ajI0533rOSH/AxXYMaMO+9JV5pPXKdXH6XOHR0X8KPKOIv7xXV0wgJ4uGqbTtwST+gG3SA1urJdcuV57UZswdTdvlEJi/aP8+MbzEHTj2lPEYN/II9fxQIc5xNFpa7NTcxI3PBgtXQk1VTz5JmOiOvER9OLtU6ukOZm0OmWD2IktfakT1VEeD8gHEVUjBrerKjFaogO4un12bSkIvUnofM/CPnDquDrXXjIL0RfGvG/td8ZOK+tXf4JEzLjMtH5tsCtZjyVHfMrybaDo463TwdA8fUXJFM9Vg/jC8z1MDgLRTAnq1qb6asabFKGhnhSPMjTxmuuGZECTSziviR/jBkmSwQIovjRdC/bz20B9htvRhECBr9jDfxwfXuVvhd0DKFyjQ5BjcWXDRvdg3p25OysCelg9/cB3b42s32adeOUdav054Jjp5YWLo0hdEoK+QUOAhY24NBXki6M7zjxdJa9PieXD31xXZ7lvBMbNMTru+UkP3QNeb5LhEap0QRs9XsYsbu3h8vCpZMsUnTHbhLjyhnMTu8LRf16nYwR6HDbVcbqH5LYvKECnUfAcGzQB8M9tsLv0cT/LQ7dgODLZMs5Rkf/hT13cWZJtL0OTtvwd5p8iIxeBY+Pl3E6b46xeeR7fQpc/WWf8UKICbQrLrw4vGYVgkJh1ZwJYndGtnWWFyc9neRNXRqO1GEGePdla74mazZYlI1KPePzD2nSm6QlTpzpNGh2bOOcxjeIn+K978KUEakOsmnQdRBHH/+8zfjXzMrVlda3ba7N2DzbO+DB2YkAcD3F758NVBJnCn5h/JKlaw0jltTFohDQWxmodf+U7qd8E8YxiluFmLIODcJpSbWrkZeHpHsORA2zPbAkqqzvFYdVCXi8N3tan9qel6Qh3B6/bTCTRgM9W53Xer2vYFsay071okfL+2JR/QRQhEWv5OPu+fdgYxKSNe+5Lynd2Rw67O5hihkOhb0OGPF9efRyKuzlgSOjbc/aurydQiVq5w/P8AXoce8KFcHOcwMM8faR3gjiNZLIIRBdT6rFHZhdnGYhcQ36cXxcaiLw4ED/7LlQOt5yzLutUL/R3YsTm7G6mCRH9,iv:LVkJbGB50gdr4IMjjoik4f158CxPG7lgKP64/JwXtGM=,tag:X019zDmau1yj3kAIH8vn0A==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: netdata-secrets
+    namespace: netdata
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTDY3SkU5dDhKdVcrblc0
+            TTRqQzgzQ2RYZDZlYUo2OWdrVmNoeVZxMzBVClUwTTA1NXMxVjMrWHVTKzByMHRM
+            VEZHR0M1NW5HK004ZDZPMVQ3TkYreUkKLS0tIGhMSk8wY0VJZkRKRTdEbm81alRr
+            VHo4blQybU01UDVLdnhGSmFyTjBFbnMKIr2+zwQImShSGiGhFKZ17xxxzROJhQSV
+            qAdi80YMO7ToTButvq6zR8ZzrwEFyJkHbFQPQhOwf6lKbm97e3yMUw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-11-23T07:20:54Z"
+    mac: ENC[AES256_GCM,data:aCCAZLcFXbZ5CKIIbE6Lz5hkoOqienvzfoFkI8D8uGRMAkgcf2MzgBi/v80CTuGnKReDmV3YbzZJLbw1/MlcuwRBj+N58v3QbgkQaS8zb9s/qo9gUDWCfHbUouKgVWM1xDb62X4O7ZKsGhS0uJlGorv+5G0qgMWFSfKqJLBeoek=,iv:V/UdK19hUJewsYqBZuEYWTzjObkuiqhJY7Gt87lq7+g=,tag:fBIAZwNbtPvV37ZMNNLaig==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

infrastructure/sources/bjw-s.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: bjw-s
+spec:
+  interval: 5m
+  url: https://bjw-s.github.io/helm-charts

infrastructure/sources/ingress-nginx.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: ingress-nginx
+spec:
+  interval: 30m
+  url: https://kubernetes.github.io/ingress-nginx

infrastructure/sources/jetstack.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: jetstack
+spec:
+  interval: 30m
+  url: https://charts.jetstack.io

infrastructure/sources/k8s-at-home.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: k8s-at-home
+spec:
+  interval: 5m
+  url: https://k8s-at-home.com/charts/

infrastructure/sources/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: flux-system
+resources:
+  - longhorn.yaml
+  - podinfo.yaml
+  - k8s-at-home.yaml
+  - netdata.yaml
+  - jetstack.yaml
+  - ingress-nginx.yaml
+  - wg-easy.yaml
+  - bjw-s.yaml

infrastructure/sources/longhorn.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: longhorn
+spec:
+  interval: 30m
+  url: https://charts.longhorn.io

infrastructure/sources/netdata.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: netdata
+spec:
+  interval: 30m
+  url: https://netdata.github.io/helmchart/

infrastructure/sources/wg-easy.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: wg-easy
+spec:
+  interval: 30m
+  url: https://brandon099.github.io/wg-easy-helm-chart

infrastructure/wg-easy/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: wireguard
+resources:
+  - release.yaml
+  - secrets-encrypted.yaml

infrastructure/wg-easy/release.yaml

@@ -0,0 +1,34 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: wg-easy
+  namespace: wireguard
+spec:
+  releaseName: wg-easy
+  chart:
+    spec:
+      chart: wg-easy
+      sourceRef:
+        kind: HelmRepository
+        name: wg-easy
+        namespace: flux-system
+  interval: 5m
+  install:
+    remediation:
+      retries: 3
+  values:
+    image:
+      repository: weejewel/wg-easy
+      tag: 7
+    wireguard:
+      service:
+        port: 50000
+      dns: 192.168.0.120
+    persistence:
+      enabled: true
+      storageClass: longhorn    
+  valuesFrom:
+    - kind: Secret
+      name: wg-easy-secrets
+      valuesKey: wg-easy-secrets.yaml
+      optional: false  

infrastructure/wg-easy/secrets-encrypted.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+    wg-easy-secrets.yaml: ENC[AES256_GCM,data:RGomnk9GY034Dde8MMNP8Vk1ZMHLqOHRtMnwiFptzZRfnAmpg0/T5O2uAIdDnGv1siBlVbVZbBE9k7ZRfHUjBfUXwswAvN3M2c/F5TyHtviMH9oOWqm4sdeJ8/CjEsFwzM/COYCskjLg0BwZjiPFPKZ3yT057vshW6nduYDNhtF6e9BGJ7k8pktlFe/8E2PN3IWJS9vyynR3UMmddFx0MDSSwhmaVuCSPE/orMR9BjGBU5srhHnltRkcV73TK5rUfz6dCwTQRMqHati6bc5bnPIc15jvaswwbbSJ0iZ7XSaP0ltTNZprVkGTBImip5wPtvjhaimq2qsycA+feOgjnjcZUBGpDcwh0c22pIF3qwoWu2lJsr335l9mjwCJsn/jbOLyGjhYawsFF9Zs0Jd8ZSyGCf6llPlkU8Y/xnP/hxDbcf99c4QDGYUqI596RPWLHc2nAS2Hmv6obN/qwm+FbB6YClNorZv1N6xNVtHbbTQCeoFszaGqQ8WPhDFZ6DQKIpBTFEqNGv/vaX8OSbNvYJ6w9GSegwSqGAllIh1nizCamYi7uCX36b0C9hqb5osQlTun8AT2j2TWJe8DhCkYNGzZZJAWUfG6l7pSnaHbY3hmDn5ywUKt1+GEWNHapLI/P/J/ggSAjN+JkSNs2OiI9yHSotoURkirA7l+9IYY6gqmYskkHJdT1nh5U9e+/NHv2HOQJdwj4dcFTordwBN6Cby+sM/y8Kc5dIfuMPywiXhLrFGH,iv:8aCRjk4AnH6HhJ10LVFoIUhM0LTYDDtRvmaXQGwwOy8=,tag:XeSaN40Gc38BZzV01zQ4xg==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: wg-easy-secrets
+    namespace: wireguard
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1697e27xddkfkesylswayhk6ms8pln48e6nem2lrwe97yg8tenyysppqw9t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoU29MUkpBK1dDVDV3RWdH
+            TjI2eGFsOVpWTGpBemhHdFlPSkJYTHpXYWtFCllROXhhaWRpYndSWU9QSkdlcmt0
+            Sno0aDRaZWptdFdBOHJ0SWF4YUY2aDQKLS0tIHU4UFk0TFBxaHZIZVlLZURnaDdl
+            UFR2ZFdZTmJOL3JsMyt6eFFLaG1LZU0KPSsdJEF2MWOc2Hv3lz9Vpsepy/fXPDxa
+            Lvr5RUK81D8N2GQk+5C6fTr/UJDLMFzq2TKDh/3HlXq/aVMEGfQtzg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-14T18:16:44Z"
+    mac: ENC[AES256_GCM,data:WJ6Wd/qZtAuzrYfPzrIZnKArZyJ5WJ4CJJGu72RGk2hEgqGo3xXNLjuR60972KJ4LJ4lF4yk5I+mcqGRdkadcE+jhElvFetz/Yrqsa/eOrglevtxffy/ZVC9rPcjrpqCUlWd8VI4SXpK+MR8FhKAbwX7036XPwoiI1vw1WC3lw4=,iv:ZZhAMO2Vz33ubTUgeEex17mWC/zY9oXZPk5x/NM+pKo=,tag:6TnMxhjjH9MdI2TO+OHVpA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

renovate.json

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ],
+  "dependencyDashboardTitle": "Renovate Dashboard 🤖",
+  "flux": {
+    "fileMatch": ["cluster/.+\\.ya?ml$"]
+  },
+  "helm-values": {
+    "fileMatch": ["cluster/.+\\.ya?ml$","apps/.+\\.ya?ml$","infrastructure/.+\\.ya?ml$"]
+  },
+  "kubernetes": {
+    "fileMatch": ["cluster/.+\\.ya?ml$","apps/.+\\.ya?ml$","infrastructure/.+\\.ya?ml$"]
+  },
+  "regexManagers": [
+    {
+      "description": "Match Helm values for non-standard yamls",
+      "fileMatch": "infrastructure/.+\\.ya?ml$",
+      "matchStringsStrategy": "any",
+      "matchStrings": [
+        "repository:\\s?\"?(?<depName>[^\\s\"]*)\"?\\s*?tag:\\s?\"?(?<currentValue>[^\\s\"]*)\"?"
+      ],
+      "datasourceTemplate": "docker"
+    }
+  ]
+}