♻️ flux kustomizations

2025-12-22 07:26:30 +01:00 · 2022-12-26 15:24:33 +01:00
parent b4572bf19a
commit ca31e11491
730 changed files with 6825 additions and 3766 deletions
--- a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
@@ -0,0 +1,36 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.10.1
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+        namespace: flux-system
+      interval: 15m
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  values:
+    installCRDs: true
+    webhook:
+      enabled: true
+    extraArgs:
+      - --dns01-recursive-nameservers=ns15.ovh.net:53,dns15.ovh.net:53
+      - --dns01-recursive-nameservers-only
+    cainjector:
+      replicaCount: 1
+    prometheus:
+      enabled: true
+      servicemonitor:
+        enabled: true
+        prometheusInstance: monitoring
--- a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+resources:
+  - ./helmrelease.yaml
+  - ./prometheusrule.yaml
+configMapGenerator:
+  - name: cert-manager-dashboard
+    files:
+      - cert-manager-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled
+  labels:
+    grafana_dashboard: "true"
--- a/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml
@@ -0,0 +1,69 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/prometheusrule_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: cert-manager.rules
+  namespace: default
+spec:
+  groups:
+    - name: cert-manager
+      rules:
+        - alert: CertManagerAbsent
+          expr: |
+            absent(up{job="cert-manager"})
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            description:
+              "New certificates will not be able to be minted, and existing
+              ones can't be renewed until cert-manager is back."
+            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
+            summary: "Cert Manager has dissapeared from Prometheus service discovery."
+    - name: certificates
+      rules:
+        - alert: CertManagerCertExpirySoon
+          expr: |
+            avg by (exported_namespace, namespace, name) (
+            certmanager_certificate_expiration_timestamp_seconds - time())
+              < (21 * 24 * 3600)
+          for: 1h
+          labels:
+            severity: warning
+          annotations:
+            description:
+              "The domain that this cert covers will be unavailable after
+              {{ $value | humanizeDuration }}. Clients using endpoints that this cert
+              protects will start to fail in {{ $value | humanizeDuration }}."
+            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
+            summary:
+              "The cert {{ $labels.name }} is {{ $value | humanizeDuration }}
+              from expiry, it should have renewed over a week ago."
+        - alert: CertManagerCertNotReady
+          expr: |
+            max by (name, exported_namespace, namespace, condition) (
+            certmanager_certificate_ready_status{condition!="True"} == 1)
+          for: 10m
+          labels:
+            severity: critical
+          annotations:
+            description:
+              "This certificate has not been ready to serve traffic for at least
+              10m. If the cert is being renewed or there is another valid cert, the ingress
+              controller _may_ be able to serve that instead."
+            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
+            summary: "The cert {{ $labels.name }} is not ready to serve traffic."
+        - alert: CertManagerHittingRateLimits
+          expr: |
+            sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
+              > 0
+          for: 5m
+          labels:
+            severity: critical
+          annotations:
+            description:
+              "Depending on the rate limit, cert-manager may be unable to generate
+              certificates for up to a week."
+            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
+            summary: "Cert manager hitting LetsEncrypt rate limits."
--- a/kubernetes/apps/cert-manager/cert-manager/ks.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml
@@ -0,0 +1,48 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-cert-manager
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/cert-manager/cert-manager/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: cert-manager
+      namespace: cert-manager
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-cert-manager-webhook-ovh
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-cert-manager
+  path: ./kubernetes/apps/cert-manager/cert-manager/webhook-ovh
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: cert-manager-webhook-ovh
+      namespace: cert-manager
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/helmrelease.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/helmrelease.yaml
@@ -0,0 +1,58 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cert-manager-webhook-ovh
+  namespace: cert-manager
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: cert-manager-webhook-ovh
+      version: v0.4.0
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager-webhook-ovh
+        namespace: flux-system
+  dependsOn:
+    - name: cert-manager
+      namespace: cert-manager
+  values:
+    groupName: "${SECRET_DOMAIN}"
+    certManager:
+      namespace: cert-manager
+      serviceAccountName: cert-manager
+    issuers:
+      - name: letsencrypt-staging
+        create: true
+        kind: ClusterIssuer
+        acmeServerUrl: https://acme-staging-v02.api.letsencrypt.org/directory
+        email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
+        ovhEndpointName: ovh-eu
+        ovhAuthenticationRef:
+          applicationKeyRef:
+            name: ovh-credentials
+            key: applicationKey
+          applicationSecretRef:
+            name: ovh-credentials
+            key: applicationSecret
+          consumerKeyRef:
+            name: ovh-credentials
+            key: consumerKey
+      - name: letsencrypt-production
+        create: true
+        kind: ClusterIssuer
+        acmeServerUrl: https://acme-v02.api.letsencrypt.org/directory
+        email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
+        ovhEndpointName: ovh-eu
+        ovhAuthenticationRef:
+          applicationKeyRef:
+            name: ovh-credentials
+            key: applicationKey
+          applicationSecretRef:
+            name: ovh-credentials
+            key: applicationSecret
+          consumerKeyRef:
+            name: ovh-credentials
+            key: consumerKey
--- a/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/kustomization.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml
--- a/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/secret.sops.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/secret.sops.yaml
@@ -0,0 +1,30 @@
+kind: Secret
+apiVersion: v1
+metadata:
+    name: ovh-credentials
+    namespace: cert-manager
+stringData:
+    applicationKey: ENC[AES256_GCM,data:UYBGsO4gGWA1iPUqVAYnjw==,iv:/rYA+o/EXOLsbU8WUnp53ejYgi+TFb3DJ/fJS6iUjAM=,tag:hEPzYgcefH5iJWS1bF6R5A==,type:str]
+    applicationSecret: ENC[AES256_GCM,data:QsTdVpgbp/CAqt0mZPRNDINMach/EiM/1+kbgEzxIqE=,iv:/CJVh2tT7wXAdeuxBHN5kM/LidhgGKCTW66hxTcx4QA=,tag:yLw4HpAx7RlZ11LMPMdXtg==,type:str]
+    consumerKey: ENC[AES256_GCM,data:OmI9kc0tNQWCpM+Bg0oQMdYwhZRsqQDZ87NFpkYFpMo=,iv:7elfo7xvxa57du6IjZRJejdpgIQiSjgoRqhWAtMLzXg=,tag:Zk36lNZ+EcZYAye1W+4gwA==,type:str]
+type: Opaque
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMWQvSUhwYnFyMHJXVWxQ
+            cjllMGlCRnRwdGJZRU9DVGdMUHE5ZUQxUEVjCkJnY3NWeDg5MnZOQjN3RDVtOTN2
+            c1Z0OUNsSm5IZ0k0UGJXRVlVRnRwQzQKLS0tIEtDRGVyN1gyaU9wM3ZLczRVYnBQ
+            czlyZ2lrYk1LNktxTkZiNUdFb0xHblEKlGExd13zMg6MofRAz+GT9wKL/sEBI6XD
+            u+dQAsphIoPpptFY0IeehXTLBV8xK4p1Z1/qu6UgJOnQtb2KGYOOvQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-26T23:59:54Z"
+    mac: ENC[AES256_GCM,data:dnguY6zpQRkj3cV2+CzCdIldBTVGUSIMh5bKoRsJ/cYONp9LjpqGZSmuDfFNRVaWU293M+T12criNH7SndGpquw46YJT48S14g9vi6NeRhK6Rl0z2TbNbtm/7uIUkgmHy1aur8IxfdDdzBScIlq0nfjhcTyYz1RYw/K2bKTwvzA=,iv:TZS0p+IPWqEq9trZxs7FGY7kZ83EaijFH1Kw/IElgjg=,tag:AlIFWcQfDMC9h7sm2WI9zQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/cert-manager/kustomization.yaml
+++ b/kubernetes/apps/cert-manager/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # Pre Flux-Kustomizations
+  - ./namespace.yaml
+  # Flux-Kustomizations
+  - ./cert-manager/ks.yaml
--- a/kubernetes/apps/cert-manager/namespace.yaml
+++ b/kubernetes/apps/cert-manager/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
--- a/kubernetes/apps/default/authelia/app/config/configuration.yml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yml
@@ -0,0 +1,88 @@
+---
+session:
+  redis:
+    high_availability:
+      sentinel_name: redis-master
+      nodes:
+        - host: redis-node-0.redis-headless.default.svc.cluster.local.
+          port: 26379
+        - host: redis-node-1.redis-headless.default.svc.cluster.local.
+          port: 26379
+        - host: redis-node-2.redis-headless.default.svc.cluster.local.
+          port: 26379
+
+access_control:
+  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
+  ## resource if there is no policy to be applied to the user.
+  default_policy: deny
+  networks:
+    - name: private
+      networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+    - name: vpn
+      networks: ["10.10.0.0/16"]
+  rules:
+    # bypass Authelia WAN + LAN
+    - domain:
+        - auth.${SECRET_CLUSTER_DOMAIN}
+      policy: bypass
+    # One factor auth for LAN
+    - domain:
+        - "*.${SECRET_CLUSTER_DOMAIN}"
+      policy: one_factor
+      subject: ["group:admins", "group:users"]
+      networks:
+        - private
+    # Deny public resources
+    - domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
+      resources: ["^/metrics.*$"]
+      policy: deny
+    # Two factors auth for WAN
+    - domain:
+        - "*.${SECRET_CLUSTER_DOMAIN}"
+      subject: ["group:admins", "group:users"]
+      policy: two_factor
+identity_providers:
+  oidc:
+    cors:
+      endpoints: ["authorization", "token", "revocation", "introspection"]
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+      - id: gitea
+        secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: two_factor
+        scopes: ["openid", "profile", "groups", "email"]
+        redirect_uris:
+          [
+            "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
+          ]
+        userinfo_signing_algorithm: none
+      - id: grafana
+        description: Grafana
+        secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: ["openid", "profile", "groups", "email"]
+        redirect_uris:
+          ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
+        userinfo_signing_algorithm: none
+      - id: outline
+        description: Outline
+        secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: ["openid", "profile", "email", "offline_access"]
+        redirect_uris:
+          ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
+        userinfo_signing_algorithm: none
+      # - id: minio
+      #   description: Minio
+      #   secret: "${SECRET_MINIO_OAUTH_CLIENT_SECRET}"
+      #   public: false
+      #   authorization_policy: two_factor
+      #   pre_configured_consent_duration: 1y
+      #   scopes: ["openid", "profile", "groups", "email"]
+      #   redirect_uris: ["https://minio.${SECRET_CLUSTER_DOMAIN}/oauth_callback"]
+      #   userinfo_signing_algorithm: none
--- a/kubernetes/apps/default/authelia/app/helmrelease.yaml
+++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml
@@ -0,0 +1,103 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app authelia
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: cloudnative-pg
+    - name: glauth
+    - name: redis
+  values:
+    controller:
+      replicas: 2
+      strategy: RollingUpdate
+      annotations:
+        reloader.stakater.com/auto: "true"
+    image:
+      repository: ghcr.io/authelia/authelia
+      tag: 4.37.5
+    envFrom:
+      - secretRef:
+          name: authelia-secret
+    enableServiceLinks: false
+    service:
+      main:
+        ports:
+          http:
+            port: 8888
+          metrics:
+            enabled: true
+            port: 8080
+    serviceMonitor:
+      main:
+        enabled: true
+        endpoints:
+          - port: metrics
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: "nginx"
+        annotations:
+          external-dns.home.arpa/enabled: "true"
+          nginx.ingress.kubernetes.io/configuration-snippet: |
+            add_header Cache-Control "no-store";
+            add_header Pragma "no-cache";
+            add_header X-Frame-Options "SAMEORIGIN";
+            add_header X-XSS-Protection "1; mode=block";
+        hosts:
+          - host: &host "auth.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    podSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
+      fsGroup: 568
+      fsGroupChangePolicy: "OnRootMismatch"
+    persistence:
+      config:
+        enabled: true
+        type: configMap
+        name: authelia-configmap
+        subPath: configuration.yml
+        mountPath: /config/configuration.yml
+        readOnly: false
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: *app
+    resources:
+      requests:
+        cpu: 5m
+        memory: 10Mi
+      limits:
+        memory: 100Mi
--- a/kubernetes/apps/default/authelia/app/kustomization.yaml
+++ b/kubernetes/apps/default/authelia/app/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml
+patchesStrategicMerge:
+  - ./patches/env.yaml
+  - ./patches/postgres.yaml
+configMapGenerator:
+  - name: authelia-configmap
+    files:
+      - ./config/configuration.yml
+generatorOptions:
+  disableNameSuffixHash: true
--- a/kubernetes/apps/default/authelia/app/patches/env.yaml
+++ b/kubernetes/apps/default/authelia/app/patches/env.yaml
@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: default
+spec:
+  values:
+    env:
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=users
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE: givenName
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: "(&(memberUid={username})(objectClass=posixGroup))"
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE: cn
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE: mail
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL: "ldap://glauth.default.svc.cluster.local.:8389"
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: cn=search,ou=svcaccts,dc=home,dc=arpa
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE: uid
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: "(&({username_attribute}={input})(objectClass=posixAccount))"
+      AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true"
+      AUTHELIA_DEFAULT_REDIRECTION_URL: "https://auth.${SECRET_CLUSTER_DOMAIN}"
+      AUTHELIA_DUO_API_DISABLE: "true"
+      AUTHELIA_LOG_LEVEL: trace
+      AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"
+      AUTHELIA_NOTIFIER_SMTP_HOST: smtp-relay.default.svc.cluster.local.
+      AUTHELIA_NOTIFIER_SMTP_PORT: "2525"
+      AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <authelia@${SECRET_DOMAIN}>"
+      AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
+      AUTHELIA_SERVER_PORT: 8888
+      AUTHELIA_SESSION_DOMAIN: "${SECRET_CLUSTER_DOMAIN}"
+      AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 14
+      AUTHELIA_SESSION_REDIS_HOST: redis.default.svc.cluster.local.
+      AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
+      AUTHELIA_STORAGE_POSTGRES_HOST: ${POSTGRES_HOST}
+      AUTHELIA_TELEMETRY_METRICS_ADDRESS: "tcp://0.0.0.0:8080"
+      AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
+      AUTHELIA_THEME: grey
+      AUTHELIA_TOTP_ISSUER: authelia.com
+      AUTHELIA_WEBAUTHN_DISABLE: "true"
--- a/kubernetes/apps/default/authelia/app/patches/postgres.yaml
+++ b/kubernetes/apps/default/authelia/app/patches/postgres.yaml
@@ -0,0 +1,32 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: default
+spec:
+  values:
+    initContainers:
+      init-db:
+        image: ghcr.io/onedr0p/postgres-initdb:14.6
+        env:
+          - name: POSTGRES_HOST
+            value: ${POSTGRES_HOST}
+          - name: POSTGRES_DB
+            value: authelia
+          - name: POSTGRES_SUPER_PASS
+            valueFrom:
+              secretKeyRef:
+                name: postgres-superuser
+                key: password
+          - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: authelia-secret
+                key: AUTHELIA_STORAGE_POSTGRES_USERNAME
+          - name: POSTGRES_PASS
+            valueFrom:
+              secretKeyRef:
+                name: authelia-secret
+                key: AUTHELIA_STORAGE_POSTGRES_PASSWORD
--- a/kubernetes/apps/default/authelia/app/secret.sops.yaml
+++ b/kubernetes/apps/default/authelia/app/secret.sops.yaml
@@ -0,0 +1,36 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: authelia-secret
+    namespace: default
+type: Opaque
+stringData:
+    AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:popD58odXyQ=,iv:gw+Y2n/ZRRAudSZy6T6aYdLq504xEH6Ntk+nWY39zjE=,tag:okpCZIGgCzeooa+eSWhAbA==,type:str]
+    AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:j/VlSpeqwTVKCDN+Law=,iv:k+PKPq1iF/bl0acff1DrbQzRKOb3cy37Sq5R+wuKOQc=,tag:ouhjcJuZJQ0Gc/T396WDrg==,type:str]
+    AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:/FH8Yi4olsLQgbAbTGh23wvZ+0bY5XZMxyXUcQ==,iv:BB18NV8++Uqh3TS9KeDAOV3WH8gvBa/vKRAoV48ddMU=,tag:jbNMXobzUIIEd/fQKrD17Q==,type:str]
+    AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:oKlY7wYdJWyVyS9L0kEyE/FBaX8QguU7ZwN4wg==,iv:qn3DBkozHECvEvjfJaGwogGdNcEYfL9Mr4sZhkmRvUs=,tag:tmvKCTehK5APrJG/xRzdtg==,type:str]
+    AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:dhPWtO+l7X+9chnJczfL1qE0ckO58kRAvzjTiA==,iv:ac8mMxYENkUv7llxkHHdTiCxMaqP0/joJeAxDkc7vNE=,tag:HUZudNImGCxzlGXeYJZGtA==,type:str]
+    AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:iF/190/mZpbDwCd5Q+VOTQVyRbs=,iv:xKhvy4ufkiPqmiWUPKQjxRqUA3VH1Y/PTc8BVnLIaDA=,tag:KB3Bs71cARnYo3noOZs+Fw==,type:str]
+    AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: ENC[AES256_GCM,data:GQ5FI3GP+dNfWapUXbkWRoUi4N8oHLn6Kotmmfaqxd0=,iv:iZMUl9vBZUdWElVV1iqPNhdTy0aQKw3H318UT/rTpWs=,tag:iuKMZal34P0zFy6v+Dvj7g==,type:str]
+    AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: ENC[AES256_GCM,data:IeAA9iN8w6vU5ZsJVAmLyaH4xuADYg0ESKdqIWSCQ6OJKd60E0UNhIQOIH25JCQnRo3cpAflkqDHRdMNnoUY4apsA5GBZtO9+kDnswMHFfMwhgP15V6RBLObvIFVFfjH5n2k7hObMeS2qm8+rVIaUpyNDu3elD8KrKHOiqN0dxbd4PVx1CmN3c9kJGqSWrYFhBo44fULjUzWYSaQbfMqxotkxodtfRDKYlwvXBh9fg1hWblBj2LEl8yPd2V3QiKDH2o6um8VWw33ryUzAeefJOelUUU/s8EynbGwTZwuPVy8LATSSiDtvramFpsk7XXshDLrwEir7hujaieP3P0T7XspF9i85wFVZrTqZDtlysYgziwTEqSbd2vL737p6S5l3QpAn5De+QkZyYDbPYJ2X/PTESeY1X4hJ8TI0OK15DXX5+YYkh3Vnvl21xseaAoT9QvTcXM9jjUug8cwt56UhG/grNFrYLjngq4cLPHI4vzE9JXLfXlax+Y+jj0t1Bv8EPA66RzXxJWYgbLP/SdHPFDpyMwRjSzm5zJ9ldG+ajJ1B6pVuWb53USVxtRu6aRnZsxWpJfkn7HqGkXjRPT0mSiU2tFpwaM/NDxMB66DiIZjCwjeTfbFSngDQc88fcwv8V6klASM0iCbsQCtXDGoAt1mG6wmA5UhMmoKkqdRVj+qov+ZeMz+dlafdoXJNXT8ncTo06RDQAZX/3kW+7uK5EbfSRUmDUdPnHHBL/fhEYEasZoF5nwegp9gGPOX6N+mHyYoB3tJNrATJkBa7bTDcPcKpRL5a472ApXva6WYyDgnO4FrvxlkC0wt9Dt8Tw/YakwxY+UtatmdEyYRprxRWQDPYHCqe+lK8S0LGHq+2HEcf109lzAszhkEHj4AKXVuwc2ooWlqVFoCMB4+1sJzawA4Ry5mXNFLN9eb+6xO8fg6DMxRZFbZTL+mdOUfIQxz+nCbEm48xakSj3NJzQ4Rd+31kuapmcnjCLoWdDItXfPrIV160v0GGGMQmrzL7PJVmBaFwmRfJ5YJz5UE0qi8z5RC1d//0ywEyb0EBNCouuWh47XHo2EDKTbhy3o0qpkQBHIQuxUZcIPM+3veF/SOT7pFYPGHMFPbif/71j1HgxuE/E1p+How0XfelOfP4Z8rUWZcDWLJp0wDrD7WRe9564/cqCTvqBRusPKYlCG/xJreqn42LV0bVN4JxJAiBXM68lasZJHunMJcd1E1DB/p1S0Wooezc7J67sPMiLAfiq4GdBSq8Z+8OJKcv88KDXu/PPCh8Ke4xVLdovK1KUncP/T8cppFhyE61CkDjcGvahGbuLkZl2mkR5oHoNerOXqFQ/tvIR34vXRRbb6Qo92r/yJmi6lsXGEu1dxMKBPKkOdCqWYXcSgGtDgyETm1+keoNjh67f7M0rl7eztHpFDl9CX9b4lYEBTiaaozWN+LYdPQps5IZfZDzTN4NScfx2CDve46xVLxNc/DpLhUih/a9i3/kHUB6aPNN/IxA6mhZqrya3gAUfAstxlkiBme8Wa902DFOh10YTn0VP9H+yRihK/OECDMhDDwrqSC1dn7BOF5iWFg9CMB6OzABstucmFDAgRxkqkaIPTSYF0mbZnD5KeZYRjeUV43m7BstHFXGSmb4R2CI9popqvDV1y/7ANpiepXlN2JFGCeCgW/SyyPAZw/xnQUH3ZGjK4lon1l45YA2YRvWnfurGZemaAtir499dbKNa1JK+1POmpAHvMw7tm7Jj2LjaHNKD40jGY782ucZkLFGwBm8P0KU44vjKinQNvjhNrct/USTEMxU+sHtuE9jFDsufKlNeOK/LkjCKfbOu6PNKF8MXoXw8bUsHSqMYHXRvBDiYNmuHp0zitet8JLvdKW1LVLTpuFR7/13y5L//9RvpvD66gjbO9LawIm4oX/RrkzzCEf/eMC4jCPvAe5KhcDGxW53LRYAowGLHmNlKDzWMWMAwe86dT9Y49cQYuznLYifu2ApeQ4nEFW4b0bktrzxSuZCVhWXPs+e0OnEWTUC3lzTd0MSfUgI1pSW+HmKs9+nr+YcEOBTmGd35oyjKGLq4SE4SecckslWnvYpXnHj2QOTqVD/Mn36B3NQgPIQOeh3uOiKhfOw4T0TiBc8ElBGbM0bsp5Cp2q41xByITXaVsgPo6IksI+dnoaqaDwzXVW2RABuuEDNAhC64gJW+t94obETP8X/ulGzxqibLVmOJgcdQ31TuEoE1z17TALTjm6GwZj8Jz80CfM2gHivh41xHjw23yHev3tJ4y5iOQ2fJRE9nM+Lwx3YjN0311PQ63ZfF453flkw7tzvHT+WMUyMHJBCwlQyrYVSVAd1NPdov4i/Ru/OSGGRQ2W3gdkDpTTbxB3rHzWaXS47mQHT9m60SfXDccT7JrZeDb6R8KhpS3aBL8k9paarynaFPrvjwRgJyjZAXzk38StzSRoRIUdS4teWlOm0aLjWA2N+FNxTnHif7fXLXQGnlHIhAU2U3KJ9mlqCq+pxqy2nmnDoXwBh0MjWYvEXwJhEQXv7PdXN6+74jlgx5xrmvyCqOJFuVIvIcRzj74mFIqMTMzXLL6eAjg9xLleTtCbY8jxjBrzfENYpYMQHPVRM1fwipu973WV33sEGmmtk6K79sQyI9Re2J5vneBJ5nT0/xqzA3EWQVEgXMXuOSthjO3PICYrPaH0ohlhiFEwlKpFWBAFKDwxilXeYMBN8epnm3tQjsnUoDyW4TTO/5j4e0Yb/k2z3T7IMYSme4AJq/ulf1Og+aIxHPfJ+QPfTqDnaF/zhkhYHh1iDEa9Dp4UEXyhgytbpr5f+tmcVuvGmtK4k6aOi1XkaLg6/CUa2O00MVqyLmqOeGDAw8z+UJcyFTk86kvNk8PMMrXsEzt6xDGkpSEjiPXL2vf1PrJIYi/99rcWrXR82zMCZg0EaM3zxhZvWzOFrWqHuE9u2ErgzgRt1GQ8iA3gFPw8uP7o8SCjE1Ig9kf56+OncA1fyJRFCPBe9Y36izZtEt901k9aMhZVmiuuCQAtptGFYslKFkLTeaQesnaSgSO2jq1wDEUtRHLHaTeBVWupB1AWvM9u661iC1dk32eVsclftyH5Auf0R58TohDLzhGT8e8NkOii9IJ2+N+ua8nPPiQqxfjbdXrKJFLFeyYimb/h6yfugQpxiDXWOfZFFkdKSZJqONaQ+aURqK3gyavzJeYUdRoiattdNNgGl+jTI/OEe3lt69oimYYExFQRzJ2R3uYYVbVyvaptW7+ppGxOxk4yfoQAcMZnOTGu9DKgBDClGOcdI2LeluieJrfXwoMq3o5wcoM6yvTmgfxzUMZ3DELWwP7Fqv0IJyRD0tXbIcQxGGyd1U3aGq6u0sGJaQy6+sb+s8hFPglL0CrzvCJPJERm8PHiJtiLHDa6WG1+b3V9fPnmJFD0AJEggE7fPolq5/j1dm1SRNmWNffHXcqGrCDcZ0qx6BE2pEzTY2VtyinsaNuigULK6kL55srFHh9xjwdgTD5F7czuqoIo2Phm8PoRW5X8I7dQZ0Psiur2d9tMAT+ChDWoytqmZH3edCN0a1kjWKN8+hDzIptbW68j+JuNLCtBc2ENtCo2mne4Kz15oYgbR7urht+CvagdKxauBiDGcp/KXuRUQKz7onCgnMmMkLP3lHXeyRqi2maG58K0Vngdsi2nFn7IzbeM8ieF2D7mo7FK5lyRlyIy3X2GwTQvEUTUyTUkv/cNCSet4O3zVeMY+hgegZzU1h8Cpzp+GF7v8wEVAe6DZTu+0aubwb27lqiweBUBBNJf9GuAMnuYGHODMsn1CNe3wNtgRlp0liGyT4YmoZlgO6rPcpUpjtxAdw+legYXdylGMwX/Cer2OLxe/VOsd1wjmMcZL1009guK7t6BjwGY9/g85y8MMPiHpWwo1MUOuKPQZFK2c2iu3IiQJtawqocNvmBeZ4/h9978Rod2aUbYXvTRFJbDbRqfqojEDgZv0JgIpBQKT/cIqQLPXoigyab45tMoKWKm2D7lSdwQIWpc2tx4qkECbLy5KEmd0UbCmCC8RDUk3I/Nkycwf1XrlZVYwNpKhQMIytDUyIf9TqTrU/XIJ/Q6Ib7kSyjZeK46GldMNuGnc05mPlJQoj75ZxxtWibfPG9kH7ImR4K1PgHoY2gHleca/paVyC9jNKpKiyB3m4WDnrxK5N+NpO+wlbNXAtGeqZJd6H/V8URnBuIv0NxFRhQ1seVZQKElkol1KCe9H/+n0Hs/fz5RdBwa/Oh9/lVNrJiVcnH1/5JGpR5/p/RLElE9Nl+GJGS2uWasvREyXjoLrB0aSwQK,iv:+H0Qz07NHU6fs7mJk9VnLZlYSoxTCnW59oPSHOmGr+s=,tag:w7NtwB7ks/Tb3eky5e/P/A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
+            akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
+            Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
+            Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
+            DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-01T22:11:20Z"
+    mac: ENC[AES256_GCM,data:XESKuMlJEXGzkbW1CnAoXxRONq3BqQT/Y9fi7Los+ILtHjo1lEHmj3yCSDhn7uVDQJALLu9pz/Ra36/gine7VUqJwooDV2OeWs7VvBmGTxLOxeH/24AipiAPnRYjXWQY0Zfh0/h0H88jJSB3D+bCMW+WpEWfdmHWMQ/Y54pQ3mQ=,iv:q0ALv44alplmtt2NKbRyVzy/yxoIQ9FUN1zLjEMViCU=,tag:Zq9r4Eo2UsGYTIscEdAMVQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/authelia/ks.yaml
+++ b/kubernetes/apps/default/authelia/ks.yaml
@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-authelia-app
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-cloudnative-pg-app
+    - name: cluster-apps-glauth
+    - name: cluster-apps-redis-app
+    - name: cluster-apps-smtp-relay
+  path: ./kubernetes/apps/default/authelia/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: authelia
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/bazarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/bazarr/app/helmrelease.yaml
@@ -0,0 +1,88 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app bazarr
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: rook-ceph-cluster
+      namespace: rook-ceph
+  values:
+    image:
+      repository: ghcr.io/onedr0p/bazarr
+      tag: 1.1.3@sha256:e103cee293f01a6b40d3d820f0c63eec05f244cdcb89b26c7069c81ba65fddb3
+    env:
+      TZ: "${TIMEZONE}"
+    envFrom:
+      - secretRef:
+          name: *app
+    service:
+      main:
+        ports:
+          http:
+            port: 6767
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: "nginx"
+        annotations:
+          auth.home.arpa/enabled: "true"
+          nginx.ingress.kubernetes.io/configuration-snippet: |
+            proxy_set_header Accept-Encoding "";
+            sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/bazarr/nord.css"></head>';
+            sub_filter_once on;
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    podSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
+      fsGroup: 568
+      fsGroupChangePolicy: "OnRootMismatch"
+      supplementalGroups:
+        - 100
+    persistence:
+      config:
+        enabled: true
+        existingClaim: bazarr-config
+      add-ons:
+        enabled: true
+        type: emptyDir
+        mountPath: /add-ons
+      video:
+        enabled: true
+        type: nfs
+        server: "${LOCAL_LAN_TRUENAS}"
+        path: /mnt/storage/video
+        mountPath: /mnt/storage/video
+    podAnnotations:
+      secret.reloader.stakater.com/reload: *app
+    resources:
+      requests:
+        cpu: 23m
+        memory: 204M
+      limits:
+        memory: 1Gi
--- a/kubernetes/apps/default/bazarr/app/kustomization.yaml
+++ b/kubernetes/apps/default/bazarr/app/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./replicationsource.yaml
+  - ./restic.sops.yaml
+  - ./secret.sops.yaml
+  - ./volume.yaml
+patchesStrategicMerge:
+  - ./patches/subcleaner.yaml
--- a/kubernetes/apps/default/bazarr/app/patches/subcleaner.yaml
+++ b/kubernetes/apps/default/bazarr/app/patches/subcleaner.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: bazarr
+  namespace: default
+spec:
+  values:
+    additionalContainers:
+      subcleaner:
+        name: subcleaner
+        image: k8s.gcr.io/git-sync/git-sync:v3.6.2
+        args:
+          - --repo=https://github.com/KBlixt/subcleaner.git
+          - --branch=master
+          - --depth=1
+          - --root=/add-ons/subcleaner
+        volumeMounts:
+          - name: add-ons
+            mountPath: /add-ons
--- a/kubernetes/apps/default/bazarr/app/replicationsource.yaml
+++ b/kubernetes/apps/default/bazarr/app/replicationsource.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: bazarr
+  namespace: default
+spec:
+  sourcePVC: bazarr-config
+  trigger:
+    schedule: "0 0 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 10
+    repository: bazarr-restic
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    retain:
+      hourly: 0
+      daily: 10
+      weekly: 0
+      monthly: 0
--- a/kubernetes/apps/default/bazarr/app/restic.sops.yaml
+++ b/kubernetes/apps/default/bazarr/app/restic.sops.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: bazarr-restic
+    namespace: default
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:nv139ZEGpIFxa3DdsGMpSPlZmW/TcMLeUYjhkbQso9Cs9lxcgUh3V+vXWW+WJEDATT2jSZkcxy4=,iv:R+zvTMTBa0evMizp+04Zs2y4FKmfo1CReMzDyVmA36g=,tag:6gb15igwzatq6vhr5Ym8Fg==,type:str]
+    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
+    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
+    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
+            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
+            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
+            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
+            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-28T15:28:16Z"
+    mac: ENC[AES256_GCM,data:GU6+JsaZFIdyRlf0VS/+rYPdZxTmZ+rhVSR6EqLrJNW/zk7Y55vB/WTMKTGJRS7FwZzwYxCnKtC9bo4kmNyNVmtMaRrLlUrzqrAbGlawIAtPEl0oohKKQxvVrwRpymCoyDvryKool2Css6P6qzXVs1iWUMsZixswjtBhpso44DU=,iv:uDoQXjkQ8ZD/vARU4g6Cslza+yGPzs+lviBslXHdmK8=,tag:RQTXfuAhPhegV+6bWrLKWQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/bazarr/app/secret.sops.yaml
+++ b/kubernetes/apps/default/bazarr/app/secret.sops.yaml
@@ -0,0 +1,29 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: bazarr
+    namespace: default
+type: Opaque
+stringData:
+    BAZARR__API_KEY: ENC[AES256_GCM,data:JP0q+GSWGKQsAWAL+vOpJUzWVNcG6ncjHxiZ8vplk1o=,iv:rUxiwvF1kyTX9SHrAMmml9lmbKhRqXYYFZ2djWlUsaU=,tag:xSPaQCULmLvFy08QgCV1kQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
+            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
+            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
+            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
+            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-15T04:37:34Z"
+    mac: ENC[AES256_GCM,data:8NbT9oTRIKRY/GlyeasQGaQpypHoa7HJtzTf7QX3sn8sN0eQoH9H8nZMcwGm9yS1YzOti8MugQVfkkQiwp6nknY7Xk93tyZ8UO9IOo1SybI12WnaYuXf0CUfGVpv9Fsisc0DHonnxTgsymkJDYqXZgJP9L8JwiNeZx6jtCoaO0I=,iv:AfNP3QP5iK9Jx0Juey/EpIdQNZL2VNyjJLmQxO4AV7w=,tag:3dfYfYElHQk/KTQ6AwUB8A==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/bazarr/app/volume.yaml
+++ b/kubernetes/apps/default/bazarr/app/volume.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bazarr-config
+  namespace: default
+  labels:
+    app.kubernetes.io/name: &name bazarr
+    app.kubernetes.io/instance: *name
+    snapshot.home.arpa/enabled: "true"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block
--- a/kubernetes/apps/default/bazarr/ks.yaml
+++ b/kubernetes/apps/default/bazarr/ks.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-bazarr-app
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-rook-ceph-cluster
+    - name: cluster-apps-volsync-app
+  path: ./kubernetes/apps/default/bazarr/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: bazarr
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/calibre-web/app/helmrelease.yaml
+++ b/kubernetes/apps/default/calibre-web/app/helmrelease.yaml
@@ -0,0 +1,71 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app calibre-web
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: rook-ceph-cluster
+      namespace: rook-ceph
+  values:
+    image:
+      repository: ghcr.io/auricom/calibre-web
+      tag: 0.6.19
+    env:
+      TZ: "${TIMEZONE}"
+    service:
+      main:
+        ports:
+          http:
+            port: 8083
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: "nginx"
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    podSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
+      fsGroup: 568
+      fsGroupChangePolicy: "OnRootMismatch"
+    persistence:
+      config:
+        enabled: true
+        existingClaim: calibre-web-config
+      books:
+        enabled: true
+        type: nfs
+        server: "${LOCAL_LAN_TRUENAS}"
+        path: /mnt/storage/home/claude/books
+        mountPath: /mnt/storage/home/claude/books
+    resources:
+      requests:
+        cpu: 15m
+        memory: 204M
+      limits:
+        memory: 380M
--- a/kubernetes/apps/default/calibre-web/app/kustomization.yaml
+++ b/kubernetes/apps/default/calibre-web/app/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./replicationsource.yaml
+  - ./restic.sops.yaml
+  - ./volume.yaml
--- a/kubernetes/apps/default/calibre-web/app/replicationsource.yaml
+++ b/kubernetes/apps/default/calibre-web/app/replicationsource.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: calibre-web
+  namespace: default
+spec:
+  sourcePVC: calibre-web-config
+  trigger:
+    schedule: "0 0 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 10
+    repository: calibre-web-restic
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    retain:
+      hourly: 0
+      daily: 10
+      weekly: 0
+      monthly: 0
--- a/kubernetes/apps/default/calibre-web/app/restic.sops.yaml
+++ b/kubernetes/apps/default/calibre-web/app/restic.sops.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: calibre-web-restic
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:bEsDAvrGLpXOhGV4M/bwVDjxroaLKG3vF4OqLy9ChHti4ateAQKOqzsT/9wwejZwmnWB8jBWPuzx2e876g==,iv:/MucYIH5cQNE6m+ceNDWEhKu122iMCUI6te9awbXRO8=,tag:+fkEJP2PWCz/vEOohVgCWw==,type:str]
+    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
+    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
+    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
+            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
+            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
+            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
+            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-28T14:53:29Z"
+    mac: ENC[AES256_GCM,data:rTyH2sHO4+/P7S4XLfW4dEyRDi1h044LlXCdlQmk1XdqDH8/5d93UYGSSfW3S6JjIqrOS1ETsRQS2Am8gSVmqZjBi+eXui4kNp7zURcOa8RiuMyySJZLap+KnV2Tu9aZYaaiOms/oy7ABk/+5X4SyJHPtOv51uw+gvfDWaU93Uo=,iv:r919TYG3cfPsjYDRrYdAgUGBwzdVVpMu2pmaJdLSd9Q=,tag:e0JmALQgOu5wXCb35PhGFQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/calibre-web/app/volume.yaml
+++ b/kubernetes/apps/default/calibre-web/app/volume.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: calibre-web-config
+  namespace: default
+  labels:
+    app.kubernetes.io/name: &name calibre-web
+    app.kubernetes.io/instance: *name
+    snapshot.home.arpa/enabled: "true"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block
--- a/kubernetes/apps/default/calibre-web/ks.yaml
+++ b/kubernetes/apps/default/calibre-web/ks.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-calibre-web
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-rook-ceph-cluster
+    - name: cluster-apps-volsync-app
+  path: ./kubernetes/apps/default/calibre-web/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: calibre-web
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/calibre/app/helmrelease.yaml
+++ b/kubernetes/apps/default/calibre/app/helmrelease.yaml
@@ -0,0 +1,79 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app calibre
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: rook-ceph-cluster
+      namespace: rook-ceph
+  values:
+    image:
+      repository: ghcr.io/linuxserver/calibre
+      tag: version-v6.10.0
+    env:
+      TZ: "${TIMEZONE}"
+      PUID: "1026"
+      PGID: "1000"
+    persistence:
+      config:
+        enabled: true
+        existingClaim: calibre-config
+      books:
+        enabled: true
+        type: nfs
+        server: "${LOCAL_LAN_TRUENAS}"
+        path: /mnt/storage/home/claude/books
+        mountPath: /mnt/storage/home/claude/books
+    service:
+      main:
+        ports:
+          http:
+            port: 8080
+      webserver:
+        enabled: true
+        ports:
+          webserver:
+            enabled: true
+            port: 8081
+            protocol: TCP
+            targetPort: 8081
+        type: ClusterIP
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: "nginx"
+        annotations:
+          auth.home.arpa/enabled: "true"
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    resources:
+      requests:
+        cpu: 15m
+        memory: 324M
+      limits:
+        memory: 604M
--- a/kubernetes/apps/default/calibre/app/kustomization.yaml
+++ b/kubernetes/apps/default/calibre/app/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./replicationsource.yaml
+  - ./restic.sops.yaml
+  - ./volume.yaml
--- a/kubernetes/apps/default/calibre/app/replicationsource.yaml
+++ b/kubernetes/apps/default/calibre/app/replicationsource.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: calibre
+  namespace: default
+spec:
+  sourcePVC: calibre-config
+  trigger:
+    schedule: "0 0 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 10
+    repository: calibre-restic
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    retain:
+      hourly: 0
+      daily: 10
+      weekly: 0
+      monthly: 0
--- a/kubernetes/apps/default/calibre/app/restic.sops.yaml
+++ b/kubernetes/apps/default/calibre/app/restic.sops.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: calibre-restic
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:NCy35YYxOndjxHADaEqPRQQ0nRT8MPxUex80YNjEEL0GCSpvN+exASZefQjRxtkXz84cGgj9gANx,iv:gBwqlwFn1D97913ZxwG1E3WeYi7wXKVk8Mdspa/Tx8o=,tag:dojF0a2jaTcYzz3YMxUmTA==,type:str]
+    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
+    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
+    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
+            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
+            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
+            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
+            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-28T14:51:21Z"
+    mac: ENC[AES256_GCM,data:fdP1tAzBaWHagD6DpVtjRuwfs1KLg0ji0IoLArCXiBiXQ9VYlc4cWhgdmzLFzoqu1dNpCUyHsl9dHGgDaoxLEtZDq8bJ9n47Z6h+gP31TRuSgnb1sOAfqxOswLYabzZRfMGIJmaGI8zeWC3Og0xZj0TUbsyc8CBA5rMLj/iHZNE=,iv:NR7VP08kRRcrnbRzBWXlMqB8849jOsEVqt79iLT9Mik=,tag:FvBWbDR3zmKVKxTPiVzASw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/calibre/app/volume.yaml
+++ b/kubernetes/apps/default/calibre/app/volume.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: calibre-config
+  namespace: default
+  labels:
+    app.kubernetes.io/name: &name calibre
+    app.kubernetes.io/instance: *name
+    snapshot.home.arpa/enabled: "true"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block
--- a/kubernetes/apps/default/calibre/ks.yaml
+++ b/kubernetes/apps/default/calibre/ks.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-calibre
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-rook-ceph-cluster
+    - name: cluster-apps-volsync-app
+  path: ./kubernetes/apps/default/calibre/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: calibre
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/cloudnative-pg/app/helmrelease.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/app/helmrelease.yaml
@@ -0,0 +1,30 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cloudnative-pg
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: cloudnative-pg
+      version: 0.16.1
+      sourceRef:
+        kind: HelmRepository
+        name: cloudnative-pg
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    crds:
+      create: true
+    config:
+      data:
+        INHERITED_ANNOTATIONS: kyverno.io/ignore
--- a/kubernetes/apps/default/cloudnative-pg/app/kustomization.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/app/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml
+configMapGenerator:
+  - name: cloudnative-pg-dashboard
+    files:
+      - cloudnative-pg-dashboard.json=https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/docs/src/samples/monitoring/grafana-dashboard.json
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled
+  labels:
+    grafana_dashboard: "true"
--- a/kubernetes/apps/default/cloudnative-pg/app/secret.sops.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/app/secret.sops.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/basic-auth
+metadata:
+    name: postgres-superuser
+    namespace: default
+stringData:
+    username: ENC[AES256_GCM,data:oMwUm7mTJ3U=,iv:hfa6GmA8uFC1gPs7Z0wAaddOhVeHu8FmANOd9n/fLok=,tag:FIv7VhkHlVLq4Q+k7N2DDw==,type:str]
+    password: ENC[AES256_GCM,data:LCUuhRW3wjkeVQgefTuh9Q==,iv:07R0ZUrLQe8jPZo3wFn/15fXg8yc/pa+a03tWkSrjjM=,tag:0YoG2EZ3JbihlY98ay/5eg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQand1M1U2SytHclJSN1I3
+            NzdvdjZMQnJPSW9GUXo1SkZ1elRVY1NvK0FJClpiVk9JVWxHSlIwSXZDSWRoOXI4
+            YkxVeDR5V09OTS92YmpMeUl2a1QyRlUKLS0tIG9iNGJlaDQ3UW1uelFla0cySXRC
+            SzhQOGRzNnYzcEVjVG0rOUt1T1ZJQkkKtbXybUgBFr69GvBmo8+7J1xrtxJ7y1wo
+            ZhV6dzuxc2QSd3o9A6f9J/wg9DHtBHviK5nP0K/edHth9darJw/3Eg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-10-25T23:37:50Z"
+    mac: ENC[AES256_GCM,data:aU5GLUX3Tml3tRZUzRP451X5oeUSEpB2QFp7ys8pnKlskDidWwwy3gCCTeG0gjsmJbYiZqZFS0qnYe5brT1b9gJgQVLTgVA8xcoXMFJnGQfHm+kmqBxfYR2wPyCzE3T/J4/2e01oITuVS5RKtc3/w1L2en8DwttcBBaezh3vRRM=,iv:a11Hm95soVPiALzZSHMkKx+XEdq7PPmVysfhXHY0+pw=,tag:ITVZQw2WSmD9rmU/cSto4w==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml
@@ -0,0 +1,51 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres
+  namespace: default
+  annotations:
+    kyverno.io/ignore: "true"
+spec:
+  instances: 3
+  primaryUpdateStrategy: unsupervised
+  storage:
+    size: 20Gi
+    storageClass: rook-ceph-block
+  superuserSecret:
+    name: postgres-superuser
+  monitoring:
+    enablePodMonitor: true
+  backup:
+    retentionPolicy: 30d
+    barmanObjectStore:
+      wal:
+        compression: bzip2
+        maxParallel: 8
+      destinationPath: s3://postgresql/
+      endpointURL: https://truenas.${SECRET_DOMAIN}:51515
+      serverName: postgres-v4
+      s3Credentials:
+        accessKeyId:
+          name: postgres-minio
+          key: MINIO_ACCESS_KEY
+        secretAccessKey:
+          name: postgres-minio
+          key: MINIO_SECRET_KEY
+  # bootstrap:
+  #   recovery:
+  #     source: postgres
+  # externalClusters:
+  #   - name: postgres
+  #     barmanObjectStore:
+  #       destinationPath: s3://postgresql/
+  #       endpointURL: https://truenas.${SECRET_DOMAIN}:51515
+  #       s3Credentials:
+  #         accessKeyId:
+  #           name: postgres-minio
+  #           key: MINIO_ACCESS_KEY
+  #         secretAccessKey:
+  #           name: postgres-minio
+  #           key: MINIO_SECRET_KEY
+  #       wal:
+  #         maxParallel: 8
--- a/kubernetes/apps/default/cloudnative-pg/cluster/external-backup/00-webhook
+++ b/kubernetes/apps/default/cloudnative-pg/cluster/external-backup/00-webhook
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+# Possible actions: error, pre-backup, post-backup
+ACTION="$1"
+
+if [ "$WEBHOOK_URL" != "**None**" ]; then
+  case "$ACTION" in
+    "error")
+      echo "Execute error webhook call to $WEBHOOK_URL"
+      curl --url "$WEBHOOK_URL" \
+        --header 'Content-Type: application/json' \
+        --max-time 10 \
+        --retry 5 \
+        $WEBHOOK_EXTRA_ARGS
+      ;;
+#   "pre-backup")
+#     echo "Nothing to do"
+#     ;;
+    "post-backup")
+      echo "Execute post-backup webhook call to $WEBHOOK_URL"
+      curl --url "$WEBHOOK_URL" \
+        --header 'Content-Type: application/json' \
+        --max-time 10 \
+        --retry 5 \
+        $WEBHOOK_EXTRA_ARGS
+      ;;
+  esac
+fi
--- a/kubernetes/apps/default/cloudnative-pg/cluster/external-backup/cronjob.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/cluster/external-backup/cronjob.yaml
@@ -0,0 +1,62 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: &app cloudnative-pg-external-backup
+  namespace: default
+spec:
+  schedule: "@daily"
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 86400
+      template:
+        spec:
+          automountServiceAccountToken: false
+          restartPolicy: OnFailure
+          containers:
+            - name: *app
+              image: prodrigestivill/postgres-backup-local:15-alpine@sha256:1209779d7b39a9f73d498091452051fedfe140252bff59ea1c42e0a9a8a9b8e0
+              env:
+                - name: POSTGRES_HOST
+                  value: ${POSTGRES_HOST}
+                - name: POSTGRES_DB
+                  value: "authelia,drone,freshrss,gitea,invidious,joplin,lychee,paperless,recipes,sharry,outline,vaultwarden,vikunja,wallabag"
+                - name: POSTGRES_USER
+                  valueFrom:
+                    secretKeyRef:
+                      name: postgres-superuser
+                      key: username
+                - name: POSTGRES_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: postgres-superuser
+                      key: password
+                - name: POSTGRES_EXTRA_OPTS
+                  value: "-Z9 --schema=public --blobs"
+                - name: BACKUP_KEEP_DAYS
+                  value: "7"
+                - name: BACKUP_KEEP_WEEKS
+                  value: "4"
+                - name: BACKUP_KEEP_MONTHS
+                  value: "3"
+                - name: HEALTHCHECK_PORT
+                  value: "8080"
+                - name: WEBHOOK_URL
+                  value: https://uptime-kuma.${SECRET_CLUSTER_DOMAIN}/api/push/45cHKtahUg?status=up&msg=OK&ping=
+              command:
+                - "/backup.sh"
+              volumeMounts:
+                - name: backups
+                  mountPath: /backups
+                - name: files
+                  subPath: 00-webhook
+                  mountPath: /hooks/00-webhook
+          volumes:
+            - name: backups
+              nfs:
+                server: "${LOCAL_LAN_TRUENAS}"
+                path: /mnt/storage/backups/postgresql
+            - name: files
+              configMap:
+                name: postgres-external-backup
+                defaultMode: 0555
--- a/kubernetes/apps/default/cloudnative-pg/cluster/external-backup/kustomization.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/cluster/external-backup/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./cronjob.yaml
+configMapGenerator:
+  - name: postgres-external-backup
+    files:
+      - ./00-webhook
+generatorOptions:
+  disableNameSuffixHash: true
--- a/kubernetes/apps/default/cloudnative-pg/cluster/kustomization.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/cluster/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./cluster.yaml
+  - ./external-backup
+  - ./secret.sops.yaml
+  - ./scheduledbackup.yaml
--- a/kubernetes/apps/default/cloudnative-pg/cluster/scheduledbackup.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/cluster/scheduledbackup.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: postgres
+  namespace: default
+spec:
+  schedule: "@daily"
+  immediate: true
+  backupOwnerReference: self
+  cluster:
+    name: postgres
--- a/kubernetes/apps/default/cloudnative-pg/cluster/secret.sops.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/cluster/secret.sops.yaml
@@ -0,0 +1,31 @@
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+    name: postgres-minio
+    namespace: default
+    labels:
+        k8s.enterprisedb.io/reload: "true"
+stringData:
+    MINIO_ACCESS_KEY: ENC[AES256_GCM,data:lEOKspQaoN5FxOGSnpQuTAzzHrI=,iv:VJQAWK8Sia/wL4iAdpir5fJxBLP1fDQWqj5pBDO6x/g=,tag:5Jf612CStm7NcW1YdrOq1A==,type:str]
+    MINIO_SECRET_KEY: ENC[AES256_GCM,data:Saad8zdhNfJdCDM/3cwVAtp/Cx8F0R4AFERJA3xT7ZC7M0GptDVaGg==,iv:DnmbB6VCRa2itDLAYwGL3LkTBQlf4sVwu1O5+ZmuukQ=,tag:fG6XMj/rC3moGKVZJn9PBA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQand1M1U2SytHclJSN1I3
+            NzdvdjZMQnJPSW9GUXo1SkZ1elRVY1NvK0FJClpiVk9JVWxHSlIwSXZDSWRoOXI4
+            YkxVeDR5V09OTS92YmpMeUl2a1QyRlUKLS0tIG9iNGJlaDQ3UW1uelFla0cySXRC
+            SzhQOGRzNnYzcEVjVG0rOUt1T1ZJQkkKtbXybUgBFr69GvBmo8+7J1xrtxJ7y1wo
+            ZhV6dzuxc2QSd3o9A6f9J/wg9DHtBHviK5nP0K/edHth9darJw/3Eg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-10-25T23:37:42Z"
+    mac: ENC[AES256_GCM,data:VZ5+kUZsCJxiWV7JS+Enhi0yNJ6m+Oi5IurYNxI0gb2+CqENqn4uvOSNMgKTZAc3d/stuI5OGdBbRJo0aBu0hZ950cgbGV6gfEbzzTO9HRstgAwqnEZHj6DPRLcXkCs0jP1p2p0WICe2HZ113C2aN3MjP47J1Jau3yaJlGOsOuU=,iv:EaxUx+ivqYgBm1wUXsCscoJt7x6+3pSM0QZY8h9eI6U=,tag:Q5ix3VW7C2rgm2R3AMDuDA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/cloudnative-pg/ks.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/ks.yaml
@@ -0,0 +1,45 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-cloudnative-pg-app
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/cloudnative-pg/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: cloudnative-pg
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-cloudnative-pg-cluster
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-cloudnative-pg-app
+    - name: cluster-apps-kyverno
+  path: ./kubernetes/apps/default/cloudnative-pg/cluster
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/cloudnative-pg/readme.md
+++ b/kubernetes/apps/default/cloudnative-pg/readme.md
@@ -0,0 +1,65 @@
+# cloudnative-pg
+
+## S3 Configuration
+
+1. Create `~/.mc/config.json`
+
+    ```json
+    {
+        "version": "10",
+        "aliases": {
+            "minio": {
+                "url": "https://s3.<domain>",
+                "accessKey": "<access-key>",
+                "secretKey": "<secret-key>",
+                "api": "S3v4",
+                "path": "auto"
+            }
+        }
+    }
+    ```
+
+2. Create the outline user and password
+
+    ```sh
+    mc admin user add minio postgresql <super-secret-password>
+    ```
+
+3. Create the outline bucket
+
+    ```sh
+    mc mb minio/postgresql
+    ```
+
+4. Create `postgresql-user-policy.json`
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": [
+                    "s3:ListBucket",
+                    "s3:PutObject",
+                    "s3:GetObject",
+                    "s3:DeleteObject"
+                ],
+                "Effect": "Allow",
+                "Resource": ["arn:aws:s3:::postgresql/*", "arn:aws:s3:::postgresql"],
+                "Sid": ""
+            }
+        ]
+    }
+    ```
+
+5. Apply the bucket policies
+
+    ```sh
+    mc admin policy add minio postgresql-private postgresql-user-policy.json
+    ```
+
+6. Associate private policy with the user
+
+    ```sh
+    mc admin policy set minio postgresql-private user=postgresql
+    ```
--- a/kubernetes/apps/default/drone/app/helmrelease.yaml
+++ b/kubernetes/apps/default/drone/app/helmrelease.yaml
@@ -0,0 +1,90 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: drone
+  namespace: default
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: drone
+      version: 0.6.4
+      sourceRef:
+        kind: HelmRepository
+        name: drone
+        namespace: flux-system
+  dependsOn:
+    - name: drone-runner-kube
+    - name: gitea
+    - name: cloudnative-pg
+  values:
+    image:
+      repository: drone/drone
+      tag: 2.16.0
+    persistentVolume:
+      enabled: false
+    env:
+      DRONE_DATABASE_DRIVER: postgres
+      DRONE_GIT_ALWAYS_AUTH: true
+      DRONE_GITEA_SERVER: https://gitea.${SECRET_CLUSTER_DOMAIN}
+      DRONE_SERVER_HOST: &host drone.${SECRET_CLUSTER_DOMAIN}
+      DRONE_SERVER_PROTO: https
+      DRONE_SERVER_PROXY_HOST: drone.default.svc:8080
+      DRONE_SERVER_PROXY_PROTO: http
+      DRONE_USER_CREATE: username:context,admin:true
+    ingress:
+      enabled: true
+      className: nginx
+      hosts:
+        - host: *host
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - *host
+  valuesFrom:
+    - targetPath: env.DRONE_DATABASE_DATASOURCE
+      kind: Secret
+      name: drone
+      valuesKey: DRONE_DATABASE_DATASOURCE
+    - targetPath: env.DRONE_GITEA_CLIENT_ID
+      kind: Secret
+      name: drone
+      valuesKey: DRONE_GITEA_CLIENT_ID
+    - targetPath: env.DRONE_GITEA_CLIENT_SECRET
+      kind: Secret
+      name: drone
+      valuesKey: DRONE_GITEA_CLIENT_SECRET
+    - targetPath: env.DRONE_RPC_SECRET
+      kind: Secret
+      name: drone
+      valuesKey: DRONE_RPC_SECRET
+  postRenderers:
+    - kustomize:
+        patchesStrategicMerge:
+          - kind: Deployment
+            apiVersion: apps/v1
+            metadata:
+              name: drone
+            spec:
+              template:
+                spec:
+                  initContainers:
+                    - name: init-db
+                      image: ghcr.io/onedr0p/postgres-initdb:14.6
+                      env:
+                        - name: POSTGRES_HOST
+                          value: ${POSTGRES_HOST}
+                        - name: POSTGRES_DB
+                          value: drone
+                        - name: POSTGRES_SUPER_PASS
+                          valueFrom:
+                            secretKeyRef:
+                              name: postgres-superuser
+                              key: password
+                      envFrom:
+                        - secretRef:
+                            name: drone
--- a/kubernetes/apps/default/drone/app/kustomization.yaml
+++ b/kubernetes/apps/default/drone/app/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml
--- a/kubernetes/apps/default/drone/app/secret.sops.yaml
+++ b/kubernetes/apps/default/drone/app/secret.sops.yaml
@@ -0,0 +1,35 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: drone
+    namespace: default
+type: Opaque
+stringData:
+    DRONE_DATABASE_DATASOURCE: ENC[AES256_GCM,data:+9NZ76uh+GIJCyXz/4KT9TUhnHRkZ7OCHPEJ9w3zwgxqFhbtf6qRoTbPszumvFkn71xgmBhkul8ZWx6A5/gIhbwfTi3+829VLzBivXdFv0nC9/KYPcEGmsXVMFQ=,iv:NhUdL1/fVhfpsIQYgYGxqhO1zt/4QvgooNb9VVbXrWM=,tag:yWWvV7IwwtlcMYefty3ytw==,type:str]
+    DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:hdXlmw5xNXx+ejn73qt0FFyOzTuA3IP4ktVv/Y8SpDBxgHiA,iv:VYSzQYRp+z7RaYpXFNQ5x6WXuMCiN4s8HiKA5KIyzzc=,tag:/PYkbjoq3YLVf9zct7QiOQ==,type:str]
+    DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:c++RGOWPOY6lifgFJC1zqm/M2+vo7aM7Wo6woO5MJUTwa+lBm59+uPnwBpgqOOkJKSntFBcMVDY=,iv:ZRazYwK6jfFvkMwpBotqp1Ol/018ZBNf7apidx0lMdY=,tag:53kf/zdjGjtv0ImLsI5oQA==,type:str]
+    DRONE_RPC_SECRET: ENC[AES256_GCM,data:O+YljkHzgFe4HSgSRkosuTTFpaOPSyAjeVpC39BKSIU=,iv:H8SO0S8TL060mnKCOBPWexUNdYwUmyVPdetuoto6uck=,tag:XU8JCsippp0Gadptpuwuog==,type:str]
+    DRONE_SECRET_PLUGIN_TOKEN: ENC[AES256_GCM,data:rRP1/jdkyHkwTmB8j5svo0xg6YFw64f9EVcoMzyzHbk=,iv:LYMgl50+edTnk0Im7uzLZW0THemraadOpOLkyvL/5Og=,tag:nIkuWVAK1NvawHksQar0tQ==,type:str]
+    POSTGRES_USER: ENC[AES256_GCM,data:IG2irMs=,iv:JouooVVdstNAmb4FberAJyiztIgvzL1hmLtnEk9U/FU=,tag:YTOuutIco2NohhvCDhn0Gw==,type:str]
+    POSTGRES_PASS: ENC[AES256_GCM,data:qiHiSB+YLlgLCVvY5Vs=,iv:jDOqLd0lRYZCBJrAsnyz/QAu8F/zgTQRfX5lkcNzQO8=,tag:+VCCujZOsTOrxZda4TLcLA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWZVaFFvMVJRRWR1eUU3
+            QzI5cjNscE83czk0TG9Ra1JvVmExa0hWbWt3Ck1YY1htcXhDamwxY1pVcE0wS2U3
+            WWNQbTJFK1dFdEhkMk8vbG9pQlJzN1kKLS0tIDBUTUZhMUF2VVJhbFNpQ1FTNWZC
+            ZUZsSDdUYXFVb3JROEFnaC8yRU1zZ0UK1klzjeo3oaS6n1Apy0nY746ax2Uxxddg
+            Mn61QDtkPf8FLNBC3tFTe3pWzhWseD/89WaW3f3GScJxy34SFUZxLQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-11-27T13:34:21Z"
+    mac: ENC[AES256_GCM,data:dWcCWWjAhu3y8uxJ/CXFrq549v3QwOJ8KW0PVzKYzCJPBebAlTl707ItPEivbr0Hv8oZBKdMdprxAW1GGPX+GcpWMp55F9Q5AVXPMDacNciu0RCx29lcHu7XoR2kYZRcHX9SceV+Pr7JD0Ms7CbvFc/dXpq7o2SpnnUfI2vCYCk=,iv:avYarYn6G7nHsSkfV4rg2TM2AXR2qjjhou+Bk/vGWCE=,tag:YY85MDuCvFUUCW2JitbpiA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/drone/ks.yaml
+++ b/kubernetes/apps/default/drone/ks.yaml
@@ -0,0 +1,74 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-drone
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/drone/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  dependsOn:
+    - name: cluster-apps-cloudnative-pg-cluster
+    - name: cluster-apps-drone-runner-kube
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: drone
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-drone-kubernetes-secrets
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/drone/kubernetes-secrets
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: drone-kubernetes-secrets
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-drone-runner-kube
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/drone/runner-kube
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  dependsOn:
+    - name: cluster-apps-drone-kubernetes-secrets
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: drone-runner-kube
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/drone/kubernetes-secrets/helmrelease.yaml
+++ b/kubernetes/apps/default/drone/kubernetes-secrets/helmrelease.yaml
@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: drone-kubernetes-secrets
+  namespace: default
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: drone-kubernetes-secrets
+      version: 0.1.4
+      sourceRef:
+        kind: HelmRepository
+        name: drone
+        namespace: flux-system
+  values:
+    env:
+      KUBERNETES_NAMESPACE: default
+  valuesFrom:
+    - targetPath: env.SECRET_KEY
+      kind: Secret
+      name: drone
+      valuesKey: DRONE_SECRET_PLUGIN_TOKEN
--- a/kubernetes/apps/default/drone/kubernetes-secrets/kustomization.yaml
+++ b/kubernetes/apps/default/drone/kubernetes-secrets/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
--- a/kubernetes/apps/default/drone/runner-kube/helmrelease.yaml
+++ b/kubernetes/apps/default/drone/runner-kube/helmrelease.yaml
@@ -0,0 +1,36 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: drone-runner-kube
+  namespace: default
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: drone-runner-kube
+      version: 0.1.10
+      sourceRef:
+        kind: HelmRepository
+        name: drone
+        namespace: flux-system
+  dependsOn:
+    - name: drone-kubernetes-secrets
+  values:
+    image:
+      repository: drone/drone-runner-kube
+      tag: 1.0.0-beta.5
+    env:
+      DRONE_NAMESPACE_DEFAULT: default
+      DRONE_RPC_HOST: drone.default.svc:8080
+      DRONE_SECRET_PLUGIN_ENDPOINT: http://drone-kubernetes-secrets.default.svc:3000
+  valuesFrom:
+    - targetPath: env.DRONE_RPC_SECRET
+      kind: Secret
+      name: drone
+      valuesKey: DRONE_RPC_SECRET
+    - targetPath: env.DRONE_SECRET_PLUGIN_TOKEN
+      kind: Secret
+      name: drone
+      valuesKey: DRONE_SECRET_PLUGIN_TOKEN
--- a/kubernetes/apps/default/drone/runner-kube/kustomization.yaml
+++ b/kubernetes/apps/default/drone/runner-kube/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
--- a/kubernetes/apps/default/emqx/app/emqx/helmrelease.yaml
+++ b/kubernetes/apps/default/emqx/app/emqx/helmrelease.yaml
@@ -0,0 +1,77 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: emqx
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: emqx
+      version: 5.0.12
+      sourceRef:
+        kind: HelmRepository
+        name: emqx
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    image:
+      repository: public.ecr.aws/emqx/emqx
+    replicaCount: 3
+    recreatePods: true
+    emqxConfig:
+      EMQX_ALLOW_ANONYMOUS: "false"
+      EMQX_AUTH__MNESIA__PASSWORD_HASH: plain
+      EMQX_AUTH__USER__1__USERNAME: ${SECRET_MQTT_USER}
+      EMQX_AUTH__USER__1__PASSWORD: ${SECRET_MQTT_PASSWORD}
+    service:
+      type: LoadBalancer
+      loadBalancerIP: ${CLUSTER_LB_EMQX}
+      externalTrafficPolicy: Local
+    ingress:
+      dashboard:
+        enabled: true
+        ingressClassName: nginx
+        path: /
+        pathType: Prefix
+        hosts:
+          - &host "emqx.${SECRET_CLUSTER_DOMAIN}"
+        tls:
+          - hosts:
+              - *host
+    metrics:
+      enabled: false
+    persistence:
+      enabled: true
+      storageClass: rook-ceph-block
+      size: 100Mi
+    affinity:
+      podAntiAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values: ["emqx"]
+              topologyKey: kubernetes.io/hostname
+    resources:
+      requests:
+        cpu: 100m
+        memory: 150Mi
+      limits:
+        memory: 512Mi
+  valuesFrom:
+    - targetPath: emqxConfig.EMQX_DASHBOARD__DEFAULT_PASSWORD
+      kind: Secret
+      name: emqx-config
+      valuesKey: admin_password
--- a/kubernetes/apps/default/emqx/app/emqx/kustomization.yaml
+++ b/kubernetes/apps/default/emqx/app/emqx/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml
--- a/kubernetes/apps/default/emqx/app/emqx/secret.sops.yaml
+++ b/kubernetes/apps/default/emqx/app/emqx/secret.sops.yaml
@@ -0,0 +1,30 @@
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+    name: emqx-config
+    namespace: default
+stringData:
+    admin_password: ENC[AES256_GCM,data:5CgeNci9Mr9bhHLG/cl9yajr02CInvng,iv:tzU2NnmprFiVfnxgXP8y+o2wgwooaWVpvq6+fKodLC8=,tag:MkDFv5wOn4B6yWUMfivQGA==,type:str]
+    user_1_username: ENC[AES256_GCM,data:np5xaBR5Ze8ml9UY8w==,iv:fmxB+fop4lc81BJnVataRvbtlaCaqfB8xL1AoFkuDDQ=,tag:00XN9H0wKoypgz7fUW4NGQ==,type:str]
+    user_1_password: ENC[AES256_GCM,data:NilXDCtXR0j+pWQYhesSogoWNQ==,iv:79TXQXTqYbzaLfMfQ/ZF5EP1UmtYAJ0aYHrD4HrYw3c=,tag:VIH6Zx00vLlpFGS9yrDAfg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvb3RQOTVNN0VzdElJSGRY
+            bytDQ045bnRMY2RGSmEvTE9jQkN4MTQrZUhnCnZ0TjF5ZTU2bWtJNzVGRXdqV0lP
+            RGtuaUVkZlluUjlsd0lvZ0ZuRE5ocEUKLS0tIGxsTjJpc0JEeUhxSjF6MU5mSlli
+            bXpSSjd3YU5hRXFKdnhVcTFKTzRqZzQKlFvt9rCRt+1EviAtZxaQVVwAEt300456
+            KDHW7U58DUO3TmzTG47/iLj7AxIgCQKUjgaU6FoiQ/DZLaVCloyWEA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-14T12:39:16Z"
+    mac: ENC[AES256_GCM,data:0dG5L2JMoLlTVR4RqxbCGLQAe+NR0wHKGUwCUO0+5tDS/klaUvMAaQQkQZd2UDXeK6nyrb0pQA5i6sgqrv6znT6TToMA1vujHbuXe7S7+zVVfU0nIEsPomQWSxaqLP0FSvfqJ06Q3SftLusnnAFrwo1SHfvinIl2XcA0fJWJ/dk=,iv:407K+60IDcnxm5bo1woKMVUySxWHavFr5eFcN2VhA+Q=,tag:fwPcZ4D5XeWMFwluUcaTGA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/emqx/ks.yaml
+++ b/kubernetes/apps/default/emqx/ks.yaml
@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-emqx-app
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-rook-ceph-cluster
+  path: ./kubernetes/apps/default/emqx/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: emqx
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/flood/app/helmrelease.yaml
+++ b/kubernetes/apps/default/flood/app/helmrelease.yaml
@@ -0,0 +1,75 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app flood
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: qbittorrent
+    - name: rook-ceph-cluster
+      namespace: rook-ceph
+  values:
+    image:
+      repository: jesec/flood
+      tag: master
+    env:
+      FLOOD_OPTION_RUNDIR: /data
+      FLOOD_OPTION_AUTH: "none"
+      FLOOD_OPTION_QBURL: "http://qbittorrent.default.svc.cluster.local.:8080"
+    envFrom:
+      - secretRef:
+          name: *app
+    service:
+      main:
+        ports:
+          http:
+            port: 3000
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: "nginx"
+        annotations:
+          auth.home.arpa/enabled: "true"
+          hajimari.io/icon: mdi:download
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    podSecurityContext:
+      runAsUser: 1001
+      runAsGroup: 1001
+      fsGroup: 1001
+      fsGroupChangePolicy: "OnRootMismatch"
+    persistence:
+      data:
+        enabled: true
+        existingClaim: flood-config
+        mountPath: /data
+    resources:
+      requests:
+        memory: 250Mi
+        cpu: 15m
+      limits:
+        memory: 512Mi
--- a/kubernetes/apps/default/flood/app/kustomization.yaml
+++ b/kubernetes/apps/default/flood/app/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./replicationsource.yaml
+  - ./restic.sops.yaml
+  - ./secret.sops.yaml
+  - ./volume.yaml
--- a/kubernetes/apps/default/flood/app/replicationsource.yaml
+++ b/kubernetes/apps/default/flood/app/replicationsource.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: flood
+  namespace: default
+spec:
+  sourcePVC: flood-config
+  trigger:
+    schedule: "0 0 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 10
+    repository: flood-restic
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    retain:
+      hourly: 0
+      daily: 10
+      weekly: 0
+      monthly: 0
--- a/kubernetes/apps/default/flood/app/restic.sops.yaml
+++ b/kubernetes/apps/default/flood/app/restic.sops.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: flood-restic
+    namespace: default
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:fVeVjIVtONVdCuSBthH5YYkzirnDbpLzX40UpQIP18xcI4O2hREchTRfKz+EgRKFfj1rDZx5pg==,iv:RlEqORfh8kK4lfl4yrGyZI29KPrWYCW/AvPprrIx7gA=,tag:6J6NRmM1vuagkWafuj5sSw==,type:str]
+    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
+    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
+    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
+            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
+            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
+            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
+            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-28T08:19:36Z"
+    mac: ENC[AES256_GCM,data:bysbIEfD4gyDw5Yq6AHxPVqY4CCuc9TIv2Z4wne8RJSgVf1/Tk0H+8xVg5j30FQEW5f3VnwJIFAIUVDoZabq8ywhESjdMclL1BPk4wz0tEDkShwkfIkv43JaEc4XZbqMOxvIVYF+9PmYV3uPXx1aFtOYi5Mtf28CETI4Mpjsvl8=,iv:f2mua5viAurKjFyiVjGT3d9vLUbYzHwXG07w28uyuM4=,tag:OjmcIja38jL2o9p5WBKYbw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/flood/app/secret.sops.yaml
+++ b/kubernetes/apps/default/flood/app/secret.sops.yaml
@@ -0,0 +1,30 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: flood
+    namespace: default
+type: Opaque
+stringData:
+    FLOOD_OPTION_QBUSER: ENC[AES256_GCM,data:wwb74Ok=,iv:bLa7BU9lqiUKUqO5hLaMKE50ovxUJzJnaEMu9QSX6wQ=,tag:VQjtK4T8AOQIvPEujTOfcA==,type:str]
+    FLOOD_OPTION_QBPASS: ENC[AES256_GCM,data:8PzsOc2NNHkY8kRVB3z/62W4peA=,iv:pbRQ+I9IBAY/+QYfVKuNGUr4zYAawUzqdbG8IeETIhQ=,tag:X8O0AitScHuBXcoePprZ1Q==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
+            YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
+            Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
+            OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
+            hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-15T05:40:26Z"
+    mac: ENC[AES256_GCM,data:hwIHegLoNt6vHq1Dj3sispmAoByMN25HAG/koTtaNSCs94W4JbGGqJ+6waXX9vlWyWux6gJw8Y4j71BnjfP5Fhk4sTkS2N30XrNt/B4+95jO4u4spfZ5MPzb4FE5qIVaqDliDbhj50GA2eruVtYgGgJ4oCADWGI+iJZYyKnuUNQ=,iv:w9lUfjBF194TQQjUGzPBOpbYeey6eOG8heU7QKYF2gk=,tag:xiTESQOcm/PGaIYZqLgFQQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/flood/app/volume.yaml
+++ b/kubernetes/apps/default/flood/app/volume.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: flood-config
+  namespace: default
+  labels:
+    app.kubernetes.io/name: &name flood
+    app.kubernetes.io/instance: *name
+    snapshot.home.arpa/enabled: "true"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: rook-ceph-block
+  resources:
+    requests:
+      storage: 1Gi
--- a/kubernetes/apps/default/flood/ks.yaml
+++ b/kubernetes/apps/default/flood/ks.yaml
@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-flood-app
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  dependsOn:
+    - name: cluster-apps-qbittorrent-app
+    - name: cluster-apps-rook-ceph-cluster
+    - name: cluster-apps-volsync-app
+  path: ./kubernetes/apps/default/flood/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: flood
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/freshrss/app/helmrelease.yaml
+++ b/kubernetes/apps/default/freshrss/app/helmrelease.yaml
@@ -0,0 +1,64 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app freshrss
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: cloudnative-pg
+    - name: rook-ceph-cluster
+      namespace: rook-ceph
+  values:
+    image:
+      repository: freshrss/freshrss
+      tag: 1.20.2
+    service:
+      main:
+        ports:
+          http:
+            port: 80
+    env:
+      TZ: ${TIMEZONE}
+      CRON_MIN: "18,48"
+      DOMAIN: "https://freshrss.${SECRET_CLUSTER_DOMAIN}/"
+    persistence:
+      config:
+        enabled: true
+        existingClaim: freshrss-config
+        mountPath: /var/www/FreshRSS/data
+    podAnnotations:
+      secret.reloader.stakater.com/reload: *app
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: "nginx"
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    resources:
+      requests:
+        cpu: 50m
+        memory: 256Mi
--- a/kubernetes/apps/default/freshrss/app/kustomization.yaml
+++ b/kubernetes/apps/default/freshrss/app/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./replicationsource.yaml
+  - ./restic.sops.yaml
+  - ./secret.sops.yaml
+  - ./volume.yaml
+patchesStrategicMerge:
+  - ./patches/postgres.yaml
--- a/kubernetes/apps/default/freshrss/app/patches/postgres.yaml
+++ b/kubernetes/apps/default/freshrss/app/patches/postgres.yaml
@@ -0,0 +1,32 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: freshrss
+  namespace: default
+spec:
+  values:
+    initContainers:
+      init-db:
+        image: ghcr.io/onedr0p/postgres-initdb:14.6
+        env:
+          - name: POSTGRES_HOST
+            value: ${POSTGRES_HOST}
+          - name: POSTGRES_DB
+            value: freshrss
+          - name: POSTGRES_SUPER_PASS
+            valueFrom:
+              secretKeyRef:
+                name: postgres-superuser
+                key: password
+          - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: freshrss
+                key: DB_USERNAME
+          - name: POSTGRES_PASS
+            valueFrom:
+              secretKeyRef:
+                name: freshrss
+                key: DB_PASSWORD
--- a/kubernetes/apps/default/freshrss/app/replicationsource.yaml
+++ b/kubernetes/apps/default/freshrss/app/replicationsource.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: freshrss
+  namespace: default
+spec:
+  sourcePVC: freshrss-config
+  trigger:
+    schedule: "0 0 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 10
+    repository: freshrss-restic
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    retain:
+      hourly: 0
+      daily: 10
+      weekly: 0
+      monthly: 0
--- a/kubernetes/apps/default/freshrss/app/restic.sops.yaml
+++ b/kubernetes/apps/default/freshrss/app/restic.sops.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: freshrss-restic
+    namespace: default
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:9Ci4hIV+kXv9XSOaXvVg2vAoECXKPvfuTtkazuiEHgLhKCKo7s/+D0/PZEa5Y8hM66E1GkoCLfzWcA==,iv:DDuFt9rgeUvBQY/ztbBJIgYMQ4p7R0O5b5axY9JgTyA=,tag:O2TjT4aPdsCWlly8/+98pQ==,type:str]
+    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
+    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
+    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
+            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
+            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
+            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
+            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-28T06:23:44Z"
+    mac: ENC[AES256_GCM,data:fghV+11Qm1SPSbeJlmHlZzUPROR/J0AoLfuN3zfjrwuEc9amCUjZzouEAsBYeOM3eDJRd33g0/pIdUFMrExORdt8vuHrUlAAZkyaJhM/znndlw64Z/7/PDIj6hg1REXyyI5YQsQeGWid4wgbZlaGsNRoeerD5dYrentlK+ceWuM=,iv:GrCfCf1RHaMsptV8UZw/4qy0f1gDGjS1JuD7IYZ+Mwk=,tag:Y5+u4dyYGTPZ+rn54JP0aA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/freshrss/app/secret.sops.yaml
+++ b/kubernetes/apps/default/freshrss/app/secret.sops.yaml
@@ -0,0 +1,30 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: freshrss
+    namespace: default
+type: Opaque
+stringData:
+    DB_USERNAME: ENC[AES256_GCM,data:cEgGT4H8dUo=,iv:9FsASsPg285Wvxh84pMJYgZcEGHusK2waZT1JDs848U=,tag:GGqWYGx7mwUnq1UkcP6anA==,type:str]
+    DB_PASSWORD: ENC[AES256_GCM,data:o3jf5T0HkJmkfDpDTl4=,iv:mfKTcA28lw4Ay7qmLlez2JFAafF9kDWcLIv7ks+NrOE=,tag:2BxNiAdwOal3zj7Om3FezQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
+            bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
+            VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
+            OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
+            LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-15T11:26:17Z"
+    mac: ENC[AES256_GCM,data:HONFGv4W73jhfxO+mN9LGazgzQflKX4krefmOsmdS039MVQZVKiJgoyAVku6t/WOHkyfAn+x8CXERC1swvVOMVhJXt6eXgjgCK4yD3MTBNvV4Uuov6aJ6JEwbAtXMIQm0h/QU1a99xBlRZlX2JL02tqN04bqB/tgUeNuWVr7R3U=,iv:MlkMOuKDt3TR9XtT/yzydlBUcaM+2qL7LzIPPkpw0Aw=,tag:KNuGsmvpN8vNuQ/8JDmIpw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/freshrss/app/volume.yaml
+++ b/kubernetes/apps/default/freshrss/app/volume.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: freshrss-config
+  namespace: default
+  labels:
+    app.kubernetes.io/name: &name freshrss
+    app.kubernetes.io/instance: *name
+    snapshot.home.arpa/enabled: "true"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: rook-ceph-block
+  resources:
+    requests:
+      storage: 1Gi
--- a/kubernetes/apps/default/freshrss/ks.yaml
+++ b/kubernetes/apps/default/freshrss/ks.yaml
@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-freshrss
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/freshrss/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  dependsOn:
+    - name: cluster-apps-cloudnative-pg-cluster
+    - name: cluster-apps-rook-ceph-cluster
+    - name: cluster-apps-volsync-app
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: freshrss
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/frigate/.gitkeep
+++ b/kubernetes/apps/default/frigate/.gitkeep
--- a/kubernetes/apps/default/gitea/app/cronjob.yaml
+++ b/kubernetes/apps/default/gitea/app/cronjob.yaml
@@ -0,0 +1,88 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: &app gitea-external-backup
+  namespace: default
+spec:
+  schedule: "@daily"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          name: *app
+        spec:
+          containers:
+            - name: *app
+              image: ghcr.io/auricom/kubectl:1.26.0@sha256:f512e3008d0492cbae7aac6eaccc21b13d723374715aaedd59d352d840f0229c
+              imagePullPolicy: IfNotPresent
+              command:
+                - "/bin/bash"
+                - "-c"
+                - |
+                  #!/bin/bash
+
+                  set -o nounset
+                  set -o errexit
+
+                  mkdir -p ~/.ssh
+                  cp /opt/id_rsa ~/.ssh/id_rsa
+                  chmod 600 ~/.ssh/id_rsa
+
+                  ssh -o StrictHostKeyChecking=no homelab@${LOCAL_LAN_TRUENAS} << 'EOF'
+
+                    set -o nounset
+                    set -o errexit
+
+                    WORK_DIR="/mnt/storage/backups/apps/gitea"
+
+                    ORGANISATIONS=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/orgs" --header "Authorization: Bearer ${SECRET_GITEA_API_TOKEN}" | jq --raw-output .[].username)
+                    ORGANISATIONS+=" auricom"
+
+                    for org in $ORGANISATIONS
+                    do
+                        mkdir -p $WORK_DIR/$org
+                        if [ $org == "auricom" ]; then
+                            keyword="users"
+                        else
+                            keyword="orgs"
+                        fi
+                        REPOSITORIES=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/$keyword/$org/repos?limit=1000" --header "Authorization: Bearer ${SECRET_GITEA_API_TOKEN}" | jq --raw-output .[].name)
+                        for repo in $REPOSITORIES
+                        do
+                            if [ -d "$WORK_DIR/$org/$repo" ]; then
+                                echo "INFO: pull $org/$repo..."
+                                cd $WORK_DIR/$org/$repo
+                                git remote show origin -n | grep -c main &> /dev/null && MAIN_BRANCH="main" || MAIN_BRANCH="master"
+                                git fetch --all
+                                test $? -ne 0 && exit 1
+                                git reset --hard origin/$MAIN_BRANCH
+                                test $? -ne 0 && exit 1
+                                git pull origin $MAIN_BRANCH
+                                test $? -ne 0 && exit 1
+                                echo "INFO: clean $org/$repo..."
+                                git fetch --prune
+                                for branch in $(git branch -vv | grep ': gone]' | awk '{print $1}')
+                                do
+                                  git branch -D $branch
+                                done
+                            else
+                                echo "INFO: clone $org/$repo..."
+                                cd $WORK_DIR/$org
+                                git clone git@gitea.${SECRET_DOMAIN}:$org/$repo.git
+                                test $? -ne 0 && exit 1
+                            fi
+                        done
+                    done
+                    echo "INFO: Backup done"
+                    curl -m 10 --retry 5 https://uptime-kuma.${SECRET_CLUSTER_DOMAIN}/api/push/Xk21W4T5mC?status=up&msg=OK&ping=
+                  EOF
+              volumeMounts:
+                - name: secret
+                  mountPath: /opt/id_rsa
+                  subPath: deployment_rsa_priv_key
+          volumes:
+            - name: secret
+              secret:
+                secretName: gitea-config
+          restartPolicy: Never
--- a/kubernetes/apps/default/gitea/app/helmrelease.yaml
+++ b/kubernetes/apps/default/gitea/app/helmrelease.yaml
@@ -0,0 +1,200 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: gitea
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: gitea
+      version: 6.0.3
+      sourceRef:
+        kind: HelmRepository
+        name: gitea
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: cloudnative-pg
+    - name: rook-ceph-cluster
+      namespace: rook-ceph
+  values:
+    image:
+      repository: gitea/gitea
+      tag: 1.17.4
+      rootless: true
+    containerSecurityContext:
+      capabilities:
+        add: ["SYS_CHROOT"]
+    gitea:
+      admin:
+        username: auricom
+      config:
+        APP_NAME: "Gitea Homelab"
+        cron.resync_all_sshkeys:
+          ENABLED: true
+          RUN_AT_START: true
+        database:
+          DB_TYPE: postgres
+          HOST: ${POSTGRES_HOST}:${POSTGRES_PORT}
+          NAME: gitea
+          SCHEMA: public
+          SSL_MODE: disable
+        server:
+          SSH_PORT: 22
+          SSH_LISTEN_PORT: 30322
+          SSH_DOMAIN: gitea.${SECRET_DOMAIN}
+          ROOT_URL: https://gitea.${SECRET_CLUSTER_DOMAIN}
+        respository:
+          DEFAULT_BRANCH: main
+          DEFAULT_PRIVATE: true
+        admin:
+          DISABLE_REGULAR_ORG_CREATION: true
+        security:
+          PASSWORD_COMPLEXITY: "lower,upper"
+          MIN_PASSWORD_LENGTH: 12
+        service:
+          DISABLE_REGISTRATION: true
+          REQUIRE_SIGNIN_VIEW: true
+        cron:
+          ENABLED: true
+        attachment:
+          STORAGE_TYPE: minio
+          MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:51515
+          MINIO_BUCKET: gitea
+          MINIO_USE_SSL: true
+        storage:
+          STORAGE_TYPE: minio
+          MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:51515
+          MINIO_BUCKET: gitea
+          MINIO_USE_SSL: true
+        mailer:
+          ENABLED: true
+          MAILER_TYPE: smtp
+          HOST: smtp-relay.default:2525
+          FROM: "Gitea <gitea@${SECRET_DOMAIN}>"
+        webhook:
+          ALLOWED_HOST_LIST: drone.default.svc
+      #   openid:
+      #     ENABLE_OPENID_SIGNIN: false
+      #     ENABLE_OPENID_SIGNUP: true
+      #     WHITELISTED_URIS: "auth.${SECRET_CLUSTER_DOMAIN}"
+      # oauth:
+      #   - name: authelia
+      #     provider: openidConnect
+      #     key: gitea
+      #     secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
+      #     autoDiscoverUrl: "https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration"
+      #     groupClaimName: groups
+      #     adminGroup: admins
+      #     restrictedGroup: people
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+      podAnnotations:
+        secret.reloader.stakater.com/reload: gitea-config
+    postgresql:
+      enabled: false
+    memcached:
+      enabled: false
+    persistence:
+      enabled: true
+      existingClaim: "gitea-config"
+    service:
+      ssh:
+        type: LoadBalancer
+        port: 22
+        loadBalancerIP: ${CLUSTER_LB_GITEA}
+    ingress:
+      enabled: true
+      className: nginx
+      hosts:
+        - host: "gitea.${SECRET_CLUSTER_DOMAIN}"
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - "gitea.${SECRET_CLUSTER_DOMAIN}"
+    resources:
+      requests:
+        cpu: 15m
+        memory: 226M
+      limits:
+        cpu: 500m
+        memory: 1Gi
+  valuesFrom:
+    - targetPath: gitea.admin.email
+      kind: Secret
+      name: gitea-config
+      valuesKey: adminEmail
+    - targetPath: gitea.admin.password
+      kind: Secret
+      name: gitea-config
+      valuesKey: adminPassword
+    - targetPath: gitea.config.attachment.MINIO_ACCESS_KEY_ID
+      kind: Secret
+      name: gitea-config
+      valuesKey: minioAccessKeyId
+    - targetPath: gitea.config.attachment.MINIO_SECRET_ACCESS_KEY
+      kind: Secret
+      name: gitea-config
+      valuesKey: minioSecretAccessKey
+    - targetPath: gitea.config.database.PASSWD
+      kind: Secret
+      name: gitea-config
+      valuesKey: dbPassword
+    - targetPath: gitea.config.database.USER
+      kind: Secret
+      name: gitea-config
+      valuesKey: dbUser
+    - targetPath: gitea.config.storage.MINIO_ACCESS_KEY_ID
+      kind: Secret
+      name: gitea-config
+      valuesKey: minioAccessKeyId
+    - targetPath: gitea.config.storage.MINIO_SECRET_ACCESS_KEY
+      kind: Secret
+      name: gitea-config
+      valuesKey: minioSecretAccessKey
+  postRenderers:
+    - kustomize:
+        patchesStrategicMerge:
+          - kind: StatefulSet
+            apiVersion: apps/v1
+            metadata:
+              name: gitea
+            spec:
+              template:
+                spec:
+                  initContainers:
+                    - name: init-db
+                      image: ghcr.io/onedr0p/postgres-initdb:14.6
+                      env:
+                        - name: POSTGRES_HOST
+                          value: ${POSTGRES_HOST}
+                        - name: POSTGRES_DB
+                          value: gitea
+                        - name: POSTGRES_SUPER_PASS
+                          valueFrom:
+                            secretKeyRef:
+                              name: postgres-superuser
+                              key: password
+                        - name: POSTGRES_USER
+                          valueFrom:
+                            secretKeyRef:
+                              name: gitea-config
+                              key: dbUser
+                        - name: POSTGRES_PASS
+                          valueFrom:
+                            secretKeyRef:
+                              name: gitea-config
+                              key: dbPassword
--- a/kubernetes/apps/default/gitea/app/kustomization.yaml
+++ b/kubernetes/apps/default/gitea/app/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./cronjob.yaml
+  - ./helmrelease.yaml
+  - ./replicationsource.yaml
+  - ./restic.sops.yaml
+  - ./secret.sops.yaml
+  - ./volume.yaml
--- a/kubernetes/apps/default/gitea/app/replicationsource.yaml
+++ b/kubernetes/apps/default/gitea/app/replicationsource.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: gitea
+  namespace: default
+spec:
+  sourcePVC: gitea-config
+  trigger:
+    schedule: "0 0 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 10
+    repository: gitea-restic
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: csi-ceph-blockpool
+    storageClassName: rook-ceph-block
+    retain:
+      hourly: 0
+      daily: 10
+      weekly: 0
+      monthly: 0
--- a/kubernetes/apps/default/gitea/app/restic.sops.yaml
+++ b/kubernetes/apps/default/gitea/app/restic.sops.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-restic
+    namespace: default
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:Y1Kpc918cOrFj1lv9aCUyoJPwYXhpQlirTzDPIiznbbVHfoOWhUdsDWDzv8Dvs7dSFbNiFdYag==,iv:CvQ3u6gmkP9wpUs0pbmG3UK5/jzJvDyjxSB/kRZrOyU=,tag:dhqdXpyGYDqnSxG6OQ0Z9A==,type:str]
+    #ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
+    #ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
+    #ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
+            THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
+            TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
+            dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
+            3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-12-28T07:48:12Z"
+    mac: ENC[AES256_GCM,data:yQjxYGqOHqB6OvdHADZpLNpblivcBaNhwmzTZvBQ8j0eb3jk/FXjhYzaomIReq49RmsdQTbqSWNLZkx7Ze6M9E64YOBYFGA5CBucvTn+/0WG4XdrXz0W11BDGtEfU4FlAmHbLZHA11Qw/NcjR4aqP4U8OdNcDye5amGmnLg4U8A=,iv:bZRsW+I3G1uVmBBCrRjVeRAoQgqjehhiF0NJ+ej20ac=,tag:r1rt+3qtL+BIoh/XUacWqw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/gitea/app/secret.sops.yaml
+++ b/kubernetes/apps/default/gitea/app/secret.sops.yaml
@@ -0,0 +1,34 @@
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+    name: gitea-config
+    namespace: default
+stringData:
+    adminEmail: ENC[AES256_GCM,data:KUhhtTXAU/lcKVsuy3tF+QjgRk8m,iv:goqGhOEkpbnYa6uELXYfdQjCdKPOW2KGAjb4cfdHrn0=,tag:SFENNvmSkEfcAgat/BHksg==,type:str]
+    adminPassword: ENC[AES256_GCM,data:SMR6vlFSysGv7iG+zjk=,iv:PtceAzAWR1nc8nACAYSOe+19evR9+orQa9DRzbcXU4U=,tag:Rq+3Ua0XhOzsnFw6/OdY4A==,type:str]
+    dbUser: ENC[AES256_GCM,data:4Mb4+JI=,iv:qTzsuXkJGFEtKjoKcAWD2VoBCD4GIH9UsBSWUknez8c=,tag:p5Q0R1DdJuZmpPiBYZxV0A==,type:str]
+    dbPassword: ENC[AES256_GCM,data:h/qQ43+3E9DfSlY6eww=,iv:ppvnc3A4binyLwnNuEPzmQCyc11RUSZ9cSw0cRYjLdI=,tag:iBXRYFPBCn4AdkdoRZK4eg==,type:str]
+    minioAccessKeyId: ENC[AES256_GCM,data:Gh41eINrkyjgEpTO5O+5lPWNPd8=,iv:XFH3RvyJwUEtszqtKVjLtMxTamPHPx4Aqi0PqsUmDCQ=,tag:abNj9gjgSlPJFsS9DBs+gw==,type:str]
+    minioSecretAccessKey: ENC[AES256_GCM,data:ZiCMwvRnVavI62F7+OIDoYEOSvM9Jfh1eqJGbJjOR+GiC2YXw7T4+A==,iv:bbCaIOXhwrCFqiu8AQ1qyWzE+yuTotCjJgaK14qC1Qs=,tag:ZESnmDhsgqffe1rdKoVStQ==,type:str]
+    deployment_rsa_priv_key: ENC[AES256_GCM,data:3Olhz6VZ6oI18hwCUDIHNLUEMM7PnGIcDDTCtX7sb6+yOmmW8cyKfZo2Ks6c4pEXJjWQ0JpvIYd/JMP53Noyb62H2+JAlcnIYgivJYpKmZ2fFD5i9Nyg+a91w6xkwwfBHEO6BBGAM4j3wARfFqLo4xqQFgf0/2DEUMVwHgXP6JGuqik+fOTHFRP66fQ16m+p+3iig1cvMvkjN7y/KmuBgT8w3VBJ6xukb/rC3mx+h5KIhoMfi+aBXi/SI7hUvnDPmaJs2Q/QlpcudQQHEYC51df0uGEeJaM/136+BON6B8fi2xUw1y/zYPJFabZg3b5Y7KRxKrDUJyOclaXEi8ZI+1Wz64KJ3Zhb7bITNLX7iIMuE2bQZq574xJre5HH/aI6/VAwLIKOFAV/l+WadfEh+1mbmoGRhjC3Ylin01mC9/z+8dxnG5sX+DvGzG7EiwoApIHpEZ4n7DZThi9xR1RSfYCqG5K9D3q+RpsnVoi6busJbevJ9U7fb0Yq7iiZfv+iiZc8HmEWyAy6r967oUGNss8VF/ahucP4uAE6nzTVadOSLc/UyS/jeil593SSn62h2hDYPuDxP/M3odiI40m0kCMuLNdIxFDl8xXNtSNy5nUmdlP/Ez9ach5Zigw+gJaeK/CVhr2e6TFkzfcYri7ryOVVNmoFw6hr66TXGjiwHATj6Ucpm0OLS1C2GP/G5FGqpdbYMTxe6JCOQggnBXLe3v5Dtr2Qrp49yA8UxLG5Ksxxd19Q1uaudWbc4S/Lg6gfey7IkuaMQ6zGIAE8vMNnKHdx0XBqKwBpwajCsFXDCrTnAs6YyST1KXHm/YmRep5KcMMuUk3UhE6TwAYTNK9SHSwXHOxaRETrVnf1XEzg7GATomW7U3Gp4v4OAnZy2T/7NJ1EfhQiMjw4J3RKN7bswITmfhLamXwDk6tiVGv9pQdsAEtr0+A5kKXV2kNXGfZ5U1Uv0wdcAhXxYnc0TaFmQ2J95Kljl/O+SYFxv3UyvQs4O1JQdeXVIrqpRzGtMRQHaPpaT0FMlk5ntShRQhGYZEoHknKw0cniajNpfCC6pqNEGbcL6PhROx9X2AK59YveX4g2z2jEhfrzb/eRow2Ha5gubmMGnwiV07wwzEe5VQCwDQgdcAc8l2bbkpgcws8RCg342towNRwjq81fqWX+hWsufXxIip9PX+AQsAcBpbdfcAEbcxLQLhkxCqA23+k+Ih8Yt/4qqKCT7QMyiJgRmigaXW5J61lVSuRjU2gQfGOqjtqQc23K6bUzrzgGiymWJEMMwKOJuxJiKk7uTs2xowmiSgFsfFdsiD+3UzOX5Fh6Y0OV858oXpzx/vD8J9RwrLnsV36xfeXPX1yh8UoCc0ZeVyvvWvXIa942RSDXtvgt86Y4kT/uTIEKrikReCD1K+1BdE8bwaMHakrKYrRwbauQM3S2SV17/XC6t8A1f4vu8/vV5Ir1oge2tFI/pJU6AqF/k7Lit1JTWXf1qiXxAxFEJJDzuwABWLQKvw1QUBHQiR/Kq5myDN589qSU5/C2zh1zq8k7BE54NR1ZyCAnIkmbZNMEMBNMArr44DbTgm5tiGhCh+OgJD/5DUGi1+E6a4IqoMzgvh3ToHAKveSz3mRQwhXx7RJH4WFkcGBVUaQohg2YlqIQilb1NFHwG5UFnoXlVPY0VpIhyoFCfvg2X/L1UmfpU7V9OpKHOcMFQ0A7YIGXgp/nGVZZchuOcuiwkF5z/GTI14RZOiBFh5P2LR3pa56j4P4PrhWV5mGgAkdfDvh0DY0yWRTzjo0piZPBCnLf/hUn8rpT9T8xIqz0EDoH3pHRR/VKgGxFOcgRecSD+fTnYFGUEi4akcBT5Lgm11/c3VNbO3/nZq6dlTxbjT8/VGOps/tPWPHUUbf/8U1NTD46zjbRGWEjod7Pwnz1hFxU3ql0KBDBhS/J+0kSmz98CPmeS8uW0OCKPFvIoPYJhr9CsxJNVEiW2+pd/WabvlIeOXtmQKjjwvmQaW77FTkKVP8Y0+9qH8Ln4M9h4QrP69YHGBtt3oIej5MUDCoZ+ut1L7ikEHbuOEb1c1a2z0PdzooudgT+NMhcBlGCpoUiC9ZcspOJn+nU6IBkJ2Sjyfl/BrMTBmJ+rs3suoEY3NvA4gWRU9xevNKpjqNRtxiYLll1JZl43lJL5RkG4bXb5JK4nSwJfADu6aIhWL2IjpFYd93A4lg19jf3nVpcazxFXcYY7UpYDhOb7fbWYmI6xV+AX52SwTKRM9fLK7j0EWx/fo0SfdZUNl4T/dtPsqe8Te/ZzkQlHA8tbC5kQeEJxGw72lvjMHNq4Fv0hVZ7r4gEFZhiPlciYG9cOwG1A2GifGthy+1fsCnKxNBx/5Cf+1OOz8AY7ZL9ECSPOrK3zlpXC6P6HhxokvTe5qY9eIR0ztYg1vgxz+XrqzOU7drfUdDigt+uqRZwvfC5AoNF2e5bFO+y83fdeVisZI0qtsOElhBYS6EIHmh1LRNhRfD3tpRyFinNlVVbOy/33A7yEUv+ieO9hL5VOvkJEvEdmeTtcCevniESu2tQEANFUiI6NpoxNycmJaCeejiZ5LvrC+BQjylqPIqAhgHdfWDIcmKjRQuolkOQ2PbzRrGCCcV3sbDaCbH769hGrdBV06bN3gNZNvnAo6kafEw62RGRaGjxJ/O8zHRALVwDECLtE3yW9ghjgPdw2zGItza0qlG2Hr+nzER9aMLWI4dzqnMNFTtiqJDLkL2Qo33h8qtGTtIEuP8jjTbGqMbs8xFzsqPkeSROW34kLAzJold7JAoRLevFGAshk0kGv4C+sXexBwNuTn4JduUdB6niVxzKkhQM3OcKNuFQ0tZNQY8fxbg0h2YhONG3spfQ8UC2bT2lSJfWec26fP8W2VzjjVLeNxpODco0eHre3i/6BRSEn8q2i+n15zKtiDlcEw8R7phnjB3I+JCZAvwy33mI0qJ/5fKIzRKtYtzPWRDcoOazdtfByBZrXjVUpSIm0e4Dxl1AIyKj5ec5DC2Czv1p+uUYMA5lhw1alXOSrlzJnRnsnohtdXIgH+xEf19V6zYf6IQBsB+4Kz1hQYo1IVwKj6qkXReNy9tQ5OrBFMzDLrbCd50gaMyT+86R8EsSZ2nW5anIaMxvSERdmED7QZkizeyUHLyLFPduv20OYQbaUxQ0oRWxpCY9OOq/vxOwLLqoRU+ohc7wnLCjsUmjQA5V5zlBYok8TMv971WM2rqmOfa7F5uOxiQ5RJ4GLCMryBl0UuLpNmN2JTdq3RjzduiQP/osJspJP0evz9ln9b0sdf6KqSnCnTiu2NUMZHhj7oGpFjBZpG7KWROVcjUiS0OVmKWjbYHJE5DNXAK9zcHodPxrAYVxUG+lDhVJ+4GmNY5o+KO5yCOswD93HrTX+KkwaLG9vhdKM3IrC6ttynCzvl1CME5A9HL+VszsJQoXWnZYNl36pD7p1k8AMqINeAN+KahalogAoMXk,iv:CYw3LLwOeyEu3/BK/SjdjneQvXPk2mHMPiFm2T4sXHQ=,tag:Et4HAytIgiVg4n8+D5anfw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd2h2N2RELzkvODM0WE1p
+            c1M3bEQxdDZkZ3Zlcm9uKzFWYklLWWpUYXhvCkN1bXU3YmNrY255RmkwSXFDWmt1
+            dHExaGZRODhKdm1NR2xYV29CeE5vbk0KLS0tIHpBUGVaNUhKaE5UOU1hM3c0akxX
+            ZWRhWnBrY1FBNVQyOU0yVGFXb0QrVnMK26Nc5Bw/jOzuxXcufHcxnugG1bzqO9T8
+            LNIau17zdWX5bfWGDj++ipnm8x1sPswEULal4U2Muc2Iy7GuZPhVyg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-11-16T22:14:19Z"
+    mac: ENC[AES256_GCM,data:IbNuB2a6Pm2NTA6OS45kmYIdqZZIG1iJewt6n0rWLdYrbaGNGKt1ig0oTu/ubJSHNb/OgoN+fKEj/JQ+kJhwUiTEQhH+IUwPtUZeb0C0/QqatqCXoQk4qBOTuwea4gLLMHqoIwP0fETLiaVphNK7llPaI7aW0Li0W9yAdhu3VCs=,iv:utxR9+tJ8elgdvOQg5eoClb/4DDJyzvz2eWuCDNU3V0=,tag:Y8qEcwVwW2FoUOXZRQHEgA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3
--- a/kubernetes/apps/default/gitea/app/volume.yaml
+++ b/kubernetes/apps/default/gitea/app/volume.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-config
+  namespace: default
+  labels:
+    app.kubernetes.io/name: &name gitea
+    app.kubernetes.io/instance: *name
+    snapshot.home.arpa/enabled: "true"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: rook-ceph-block
+  resources:
+    requests:
+      storage: 10Gi
--- a/kubernetes/apps/default/gitea/ks.yaml
+++ b/kubernetes/apps/default/gitea/ks.yaml
@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-gitea
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/gitea/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  dependsOn:
+    - name: cluster-apps-cloudnative-pg-cluster
+    - name: cluster-apps-rook-ceph-cluster
+    - name: cluster-apps-volsync-app
+  healthChecks:
+    - apiVersion: batch/v1
+      kind: CronJob
+      name: gitea-external-backup
+      namespace: default
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: gitea
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/gitea/readme.md
+++ b/kubernetes/apps/default/gitea/readme.md
@@ -0,0 +1,65 @@
+# Gitea
+
+## S3 Configuration
+
+1. Create `~/.mc/config.json`
+
+    ```json
+    {
+        "version": "10",
+        "aliases": {
+            "minio": {
+                "url": "https://s3.<domain>",
+                "accessKey": "<access-key>",
+                "secretKey": "<secret-key>",
+                "api": "S3v4",
+                "path": "auto"
+            }
+        }
+    }
+    ```
+
+2. Create the gitea user and password
+
+    ```sh
+    mc admin user add minio gitea <super-secret-password>
+    ```
+
+3. Create the gitea bucket
+
+    ```sh
+    mc mb minio/gitea
+    ```
+
+4. Create `gitea-user-policy.json`
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": [
+                    "s3:ListBucket",
+                    "s3:PutObject",
+                    "s3:GetObject",
+                    "s3:DeleteObject"
+                ],
+                "Effect": "Allow",
+                "Resource": ["arn:aws:s3:::gitea/*", "arn:aws:s3:::gitea"],
+                "Sid": ""
+            }
+        ]
+    }
+    ```
+
+5. Apply the bucket policies
+
+    ```sh
+    mc admin policy add minio gitea-private gitea-user-policy.json
+    ```
+
+6. Associate private policy with the user
+
+    ```sh
+    mc admin policy set minio gitea-private user=gitea
+    ```
--- a/kubernetes/apps/default/glauth/app/config/groups.sops.toml
+++ b/kubernetes/apps/default/glauth/app/config/groups.sops.toml
@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:s910tBBBfRjMxw3/W+Y8Wpm9ODOtWGb8MLQUgRbLLBIczBnZvuDUE6NrQnJAyK7H8sY0SqF2iYGbCKhbp/kFMe1zkB7Txi0EC81+vNCWMEzsKBWeB5HN7R/4LgwT19Ge0vXWYwfP4++Twiin/C5n8/KiPCqQDvcO92o96c5+zkWmvnayGYovmAuTkguSUDaPNJRffHZob7HOc9T9Tw==,iv:YoK+RSBsONPNzzyC6hJDTboz+MpoSv+nmjuypUyYVhk=,tag:UdUlrEe9yoOnFKBP1eSCXg==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZFcremxrOFJCbU12ektL\na0kwajkzRDVkQlQ3ODN2R01LNDhONVRMcDFFCnI1Mk1EWGszSm4rU0Nra0J2VUFq\nTVc3UGU1NHpQZCtTdEI5OFpIVnNKRG8KLS0tIFg4WHNUVS9pTXQxb1k3V0xsd0lL\nV09lKy9nTzBBZ3QyRDByOUhYOUd5bUkK4IEvbv8gyFv3v40Iz6Gso7M1rTWBNKBW\nGJM4LaUoAM5gCSSjPeSB1ZLn7j226Qr2M65GxQiA/4xPpBaOgzguow==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-18T16:37:58Z",
+        "mac": "ENC[AES256_GCM,data:T0DB0qKA9BLT6pSud+WLeCTaYltvA19Uf2Klm/vsqCOXvtAVJVTWRMvE3OzcwTieJgBn4UOEaoUUEkpOo6T9ZKyqVzJ+Ir+RmYBkZZs08g86wPsUoMzEwmxQwz7rhaR/dqiNiWp7L0wE1ZbBg5gFpSj5WE8Hs0YJI4VZLFwVwfw=,iv:vSE1TboA1VknRr057d7ESWV8SvGGuNTbQnapieZvy7o=,tag:f2DSJqiBsjzBmexNo9U+ZA==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}
--- a/kubernetes/apps/default/glauth/app/config/server.sops.toml
+++ b/kubernetes/apps/default/glauth/app/config/server.sops.toml
@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:sD10DQPlSAMLFCyAUDpn/fDyZbDNenO9s0O+vqZ98JNJjfaP60vn6xHo0IbokHrqylq18L5TE1nJpNbqbmC0ZDNDtBeUaQ3rqxOB4vPCNHg/KVGQHR9MUhe+Eb0m6UuA8XGmv5Fuu0MZijrEL3UHPpB/FJWfLfu4TFzNQa/11FFC3g/wrFZhREH5M1a+LbG/bnCtIQg2PoOiUExyHOff6N9vncGIYX/KfV/HMY5Vg2LnMCdmaGM0Z4WShna2tUNBqD0s0ae0B0ag/qzAWYNgwudHwtHFzI1SZ6kqJgND1LkgfdasDJg=,iv:OJXBftveCPwQ376LaSvKyn9OY5YQYa1DZmSv8jmwQTo=,tag:OvtUyIFaPIz/kEOB3z7XoQ==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cy9WRWtkWGd0MjM4Mkpr\naFJTV1I3aDlqL201NU1TaXlTSldkT1ZVcUFvCnNWWi9JL0c0ZUpoTHhHaUNoVzNu\ndmhGK2lkTkNyc3NOb0M0ek5yKytYV00KLS0tIEcycXRqT2c0UUZaQUdraWJaS2Ey\nOG1HR1l0dUpuMXFvdVpocDJIOTV2N2MKZQckWtH/fmuoJMX7pcDqo3DAhm4JK5gG\n51+E61yqa285DwXlvDQoWyvyBewsgWjgcaA6dP9iIfkvY0eieICdIg==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-12-19T21:22:57Z",
+        "mac": "ENC[AES256_GCM,data:7GtQ6VvSqoy14uhsvlEW13+75N02w09E7DktEkqlHpYv0NF7f9VyMZoNdsbk6h0BaUExNqycFRqv2Z+IjpVsBWSfVh3H5vOabhh/32U/NsxrXxU7L8IUi+U5a0MeelxeisNMc3PrWaHf+4nuRb7DfE4AsTcgi3AQB5URcr4sTYk=,iv:nxnGvnQCSvVMygJ4eWV33FscIptorIR24CXBP1FPPlU=,tag:zYf9Y494p2tjpfAZg4vXVQ==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}
--- a/kubernetes/apps/default/glauth/app/config/users.sops.toml
+++ b/kubernetes/apps/default/glauth/app/config/users.sops.toml
@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:q7pZXn6YGFKwKlEX+Iax8ZWoRkuK3a0HZlbKn/aDHpf9DCOpaJuxXpFL6hlkoKb3eoFBdjLHV2Yh+y6u+v/aPnLA9yaMuhZ9MDC0I6KF+5onRermWvtadiW/pmLLBd9fFBTxvKPni3sgHpZoZ7VZMRe6YZ88StsGJBX/cXjEZkOIO9S3GC28f3iNDKH5HGsYHUWyTn2osmOfrLahG5We3P9GeVTKgbnB6/OWC0lSRR+mmPc0yAjAXklTrGuk4zRV54qDoS8HdCO0FTq3Z83f6Qa3eoFDiOrm8yLCmXRqNGSoHoFrp7dnPzCna2SMAX7RBRCrOBRw+mijaxBrbMSp/2/5MqnJyJDz53ozUZog88Ywu595vfo3lEyJ7Qu/O1DX5aJTXKCPAvOIvAwSSFXfdKGmUAQrQvEP3VgpYnzGbuhnfPTJivXKpgc4vutvOH98itTquOq9KJdCOKcsd8gmBtOpPcMrUwA7jP1TV7eJIKhSN9YFt6jflTtqxfa9a4hB6FKXkXqJOrs9b4sT1iGi1bk9uVBF+3Ccc5X/JNRZ6Q6DSLYE5SkOZGOylsS4cjzjUcFSsnyNSfTwjca8SKLlc8bnPU0qFCOIVARIjKw8vMwedYKk0aiNTEa6vqShsGTUHVV/Lx7KqaVgayX+OjhUTzK4Wtrml2dvfoO4TePRmlg0AyeeqvJiIA+Fq9kaxsDkx63HSeK+0wjFH5HWThElycxVWozN6BAQ6EK4sPqrCdjfOpIAnv2YAazY647N8gcKd/OjvYM9lo0d3X0j/EiiFo3nq7ldggMJJRt9MmXVK3Ep31jjkqaeX9nljvMWsnFWwzXq/itPheEaKT3ch44PLPSFZu8NTMn0Xe4SoDaItbCAlXWjfGaLqBSGhVXCgXlzwx9ks75HntQ1zZMR151lU1RpnrZxB0g96uRAdkNBxYtxGkfqr/L4FjbDZSbLSm6JzV6hFgZZmfK4wsDJVG8dzT5/+1XNDfu9Ih2HCbh+upoNSQVzQhcHgtawpESP1v8OQr+t8KMmtVQGKLkCJAufabTI7Q==,iv:Y5jO9xDZwhvBfMUImMz6d9IksMpPCLKhzzrecbahp2Y=,tag:Bha5EyxQ3a7l+x/i0DsiaQ==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeDRMTnBlWXhEbXIrR0Fh\naFJXTEdWS0V3TCtmNFN1UFhGSXFLSExwNFRrCngzdVRhTG5LK2FWV2d3WTNvTTY5\nV0JrNWh0bGFaK0wvanZmL2dBSENkQkEKLS0tIHlVY2daMlVwNW8wMDRNNHN1RzdP\nRmsyY2NublJsWTRsRUJqYVlZTlRJS28Ky5QoK04bIpqAiHepeIS0FBVU+Kqn9IvY\nQ3yJxfye9EO1XJ60goxur9yzq3TNyGFykhvqVsizVBVuir1Ow3sLoQ==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-18T16:27:14Z",
+        "mac": "ENC[AES256_GCM,data:W77zbh5xtZPJC7nAuJ3LyZUlfQM9cmNJo6rBGnp34vxfA/H7m0OExHTaJkW+o0Zajk/3/zC9jwhmNRJdiQzd/k1M+a3q+DGOU2vt+On7Mo8mDfyuPOA6DvQnXf9ouwBPPkFjtn8t2Hb1cKvCLVdeMqRgz+x3MwJRbB2rB5YEY4o=,iv:+figksDMN3AP5+dD/gn9cE18HlgU8BOHtMtvaDEQUzs=,tag:9eo27jDtrFrqXWef5/T2nQ==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}
--- a/kubernetes/apps/default/glauth/app/helmrelease.yaml
+++ b/kubernetes/apps/default/glauth/app/helmrelease.yaml
@@ -0,0 +1,65 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app glauth
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    controller:
+      replicas: 1
+      strategy: RollingUpdate
+      annotations:
+        reloader.stakater.com/auto: "true"
+    image:
+      repository: docker.io/glauth/glauth
+      tag: v2.1.0
+    command: ["/app/glauth", "-c", "/config"]
+    service:
+      main:
+        ports:
+          http:
+            port: 5555
+          ldap:
+            enabled: true
+            port: 8389
+    podSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      fsGroupChangePolicy: "OnRootMismatch"
+    persistence:
+      config:
+        enabled: true
+        type: secret
+        name: glauth-secret
+        items:
+          - key: server.toml
+            path: server.toml
+          - key: groups.toml
+            path: groups.toml
+          - key: users.toml
+            path: users.toml
+    resources:
+      requests:
+        cpu: 15m
+        memory: 105Mi
+      limits:
+        memory: 105Mi
--- a/kubernetes/apps/default/glauth/app/kustomization.yaml
+++ b/kubernetes/apps/default/glauth/app/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+secretGenerator:
+  - name: glauth-secret
+    files:
+      - server.toml=./config/server.sops.toml
+      - groups.toml=./config/groups.sops.toml
+      - users.toml=./config/users.sops.toml
+generatorOptions:
+  disableNameSuffixHash: true
--- a/kubernetes/apps/default/glauth/ks.yaml
+++ b/kubernetes/apps/default/glauth/ks.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-glauth
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/glauth/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: glauth
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/glauth/readme.md
+++ b/kubernetes/apps/default/glauth/readme.md
@@ -0,0 +1,88 @@
+# glAuth
+
+## Repo configuration
+
+1. Add/Update `.vscode/extensions.json`
+
+    ```json
+    {
+        "files.associations": {
+            "**/cluster/**/*.sops.toml": "plaintext"
+        }
+    }
+    ```
+
+2. Add/Update `.gitattributes`
+
+    ```text
+    *.sops.toml linguist-language=JSON
+    ```
+
+3. Add/Update `.sops.yaml`
+
+    ```yaml
+    - path_regex: cluster/.*\.sops\.toml
+        key_groups:
+        - age:
+            - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+    ```
+
+## App Configuration
+
+Below are the decrypted versions of the sops encrypted toml files.
+
+> `passbcrypt` can be generated [on CyberChef](https://gchq.github.io/CyberChef/#recipe=Bcrypt(12)To_Hex(%27None%27,0))
+
+1. `server.sops.toml`
+
+    ```toml
+    debug = true
+    [ldap]
+        enabled = true
+        listen = "0.0.0.0:389"
+    [ldaps]
+        enabled = false
+    [api]
+        enabled = true
+        tls = false
+        listen = "0.0.0.0:5555"
+    [backend]
+        datastore = "config"
+        baseDN = "dc=home,dc=arpa"
+    ```
+
+2. `groups.sops.toml`
+
+    ```toml
+    [[groups]]
+        name = "svcaccts"
+        gidnumber = 6500
+    [[groups]]
+        name = "admins"
+        gidnumber = 6501
+    [[groups]]
+        name = "people"
+        gidnumber = 6502
+    ```
+
+3. `users.sops.toml`
+
+    ```toml
+    [[users]]
+        name = "search"
+        uidnumber = 5000
+        primarygroup = 6500
+        passbcrypt = ""
+        [[users.capabilities]]
+            action = "search"
+            object = "*"
+    [[users]]
+        name = "<name>"
+        mail = ""
+        givenname = "<Name>"
+        sn = "<sn>"
+        uidnumber = <uid>
+        primarygroup = <gid>
+        othergroups = [ <gid> ]
+        passbcrypt = ""
+    ```
--- a/kubernetes/apps/default/hajimari/app/helmrelease.yaml
+++ b/kubernetes/apps/default/hajimari/app/helmrelease.yaml
@@ -0,0 +1,69 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: hajimari
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: hajimari
+      version: 2.0.2
+      sourceRef:
+        kind: HelmRepository
+        name: hajimari
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    env:
+      TZ: ${TIMEZONE}
+    hajimari:
+      title: Apps
+      darkTheme: espresso
+      alwaysTargetBlank: true
+      showGreeting: false
+      showAppGroups: false
+      showAppStatus: false
+      showBookmarkGroups: false
+      showGlobalBookmarks: false
+      showAppUrls: false
+      defaultEnable: true
+      namespaceSelector:
+        matchNames:
+          - default
+          - flux-system
+          - monitoring
+          - networking
+          - rook-ceph
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: nginx
+        annotations:
+          hajimari.io/enable: "false"
+        hosts:
+          - host: &host apps.${SECRET_CLUSTER_DOMAIN}
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    podAnnotations:
+      configmap.reloader.stakater.com/reload: "hajimari-settings"
+    persistence:
+      data:
+        enabled: true
+        type: emptyDir
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128M
--- a/kubernetes/apps/default/hajimari/app/kustomization.yaml
+++ b/kubernetes/apps/default/hajimari/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
--- a/kubernetes/apps/default/hajimari/ks.yaml
+++ b/kubernetes/apps/default/hajimari/ks.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: cluster-apps-hajimari
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/hajimari/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: hajimari
+      namespace: default
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
--- a/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
+++ b/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
@@ -0,0 +1,108 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app home-assistant
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: cloudnative-pg
+    - name: emqx
+    - name: rook-ceph-cluster
+      namespace: rook-ceph
+  values:
+    image:
+      repository: ghcr.io/onedr0p/home-assistant
+      tag: 2022.12.8@sha256:472d563ab3eadcfde16848ffa59954c63cc10e71630b6e41081b8eac8c6d5ca7
+    env:
+      TZ: "${TIMEZONE}"
+      POSTGRES_HOST: ${POSTGRES_HOST}
+      POSTGRES_DB: home_assistant
+    envFrom:
+      - secretRef:
+          name: *app
+    service:
+      main:
+        type: LoadBalancer
+        loadBalancerIP: ${CLUSTER_LB_HASS}
+        externalTrafficPolicy: Local
+        ports:
+          http:
+            port: 8123
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: "nginx"
+        hosts:
+          - host: &host "hass.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+          - host: &host2 "home-assistant.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+              - *host2
+    probes:
+      liveness:
+        enabled: false
+      readiness:
+        enabled: false
+      startup:
+        enabled: false
+    podSecurityContext:
+      runAsUser: 0
+      runAsGroup: 0
+      fsGroup: 0
+      fsGroupChangePolicy: "OnRootMismatch"
+    securityContext:
+      privileged: true
+    podAnnotations:
+      secret.reloader.stakater.com/reload: *app
+    persistence:
+      config:
+        enabled: true
+        existingClaim: hass-config
+      usb:
+        enabled: true
+        type: hostPath
+        hostPath: /dev/serial/by-id/usb-Arduino__www.arduino.cc__0042_5503731323735171A241-if00
+        hostPathType: CharDevice
+        mountPath: /dev/ttyUSB0
+    resources:
+      requests:
+        cpu: 10m
+        memory: 100Mi
+      limits:
+        memory: 750Mi
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+            - matchExpressions:
+                - {
+                    key: "feature.node.kubernetes.io/custom-rflink",
+                    operator: In,
+                    values: ["true"],
+                  }
--- a/kubernetes/apps/default/home-assistant/app/kustomization.yaml
+++ b/kubernetes/apps/default/home-assistant/app/kustomization.yaml
@@ -0,0 +1,16 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./replicationsource.yaml
+  - ./restic.sops.yaml
+  - ./secret.sops.yaml
+  - ./token.sops.yaml
+  - ./podmonitor.yaml
+  - ./volume.yaml
+patchesStrategicMerge:
+  - ./patches/addons.yaml
+  - ./patches/postgres.yaml
--- a/kubernetes/apps/default/home-assistant/app/patches/addons.yaml
+++ b/kubernetes/apps/default/home-assistant/app/patches/addons.yaml
@@ -0,0 +1,42 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: home-assistant
+  namespace: default
+spec:
+  values:
+    addons:
+      codeserver:
+        enabled: true
+        image:
+          repository: ghcr.io/coder/code-server
+          tag: 4.9.1
+        env:
+          TZ: ${TIMEZONE}
+        workingDir: /config
+        args:
+          - --auth
+          - "none"
+          - --user-data-dir
+          - "/config/.vscode"
+          - --extensions-dir
+          - "/config/.vscode"
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            hajimari.io/appName: "Hass Config"
+            hajimari.io/icon: cib:visual-studio-code
+          hosts:
+            - host: &host hass-code.${SECRET_CLUSTER_DOMAIN}
+              paths:
+                - path: /
+                  pathType: Prefix
+          tls:
+            - hosts:
+                - *host
+        volumeMounts:
+          - name: config
+            mountPath: /config
--- a/kubernetes/apps/default/home-assistant/app/patches/postgres.yaml
+++ b/kubernetes/apps/default/home-assistant/app/patches/postgres.yaml
@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app home-assistant
+  namespace: default
+spec:
+  values:
+    initContainers:
+      init-db:
+        image: ghcr.io/onedr0p/postgres-initdb:14.6
+        env:
+          - name: POSTGRES_HOST
+            value: ${POSTGRES_HOST}
+          - name: POSTGRES_DB
+            value: home_assistant
+          - name: POSTGRES_SUPER_PASS
+            valueFrom:
+              secretKeyRef:
+                name: postgres-superuser
+                key: password
+        envFrom:
+          - secretRef:
+              name: *app
--- a/kubernetes/apps/default/home-assistant/app/podmonitor.yaml
+++ b/kubernetes/apps/default/home-assistant/app/podmonitor.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: home-assistant
+  namespace: default
+spec:
+  podMetricsEndpoints:
+    - interval: 1m
+      path: /api/prometheus
+      port: http
+      scrapeTimeout: 30s
+      bearerTokenSecret:
+        name: home-automation
+        key: prometheus-token
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: home-assistant
+      app.kubernetes.io/name: home-assistant
--- a/Show More
+++ b/Show More