Update k8s/apps/gitea/deployment.yaml

2025-07-03 15:52:04 +00:00 · 2025-07-03 12:13:58 +00:00 · 2025-07-03 12:00:36 +00:00 · 2025-07-03 12:00:09 +00:00 · 2025-07-03 11:43:01 +00:00 · 2025-07-03 11:38:16 +00:00
41 changed files with 985 additions and 166 deletions
--- a/k8s/apps/gitea/deployment.yaml
+++ b/k8s/apps/gitea/deployment.yaml
@ -30,6 +30,20 @@ spec:
      containers:
        - name: gitea
          image: 'gitea/gitea:latest'
          env:
            - name: GITEA__service__REGISTER_MANUAL_CONFIRM
              value: "true"
            - name: GITEA__service__ENABLE_CAPTCHA
              value: "false"
            - name: GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN
              value: "true"
            - name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA
              value: "true"
            - name: GITEA__service__CAPTCHA_TYPE
              value: "hcaptcha"
          envFrom:
          - secretRef:
              name: gitea-recapcha-creds
          ports:
            - name: http
              containerPort: 3000
@ -56,19 +70,23 @@ spec:
        app: gitea-runner
    spec:
      nodeSelector:
-        kubernetes.io/hostname: master.tail2fe2d.ts.net
+        kubernetes.io/hostname: home.homenet
      volumes:
        - name: docker-sock
          hostPath:
            #path: /var/run/k3s/containerd/containerd.sock
            path: /var/run/docker.sock
            type: Socket
        - name: runner-data
          persistentVolumeClaim:
            claimName: gitea-runner-pvc
      containers:
        - name: gitea-runner
          image: gitea/act_runner:nightly
          volumeMounts:
            - name: docker-sock
              mountPath: /var/run/docker.sock
            - name: runner-data
              mountPath: /data
          env:
            - name: GITEA_INSTANCE_URL
              value: "https://gt.hexor.cy"
@ -82,3 +100,16 @@ spec:
            - name: GITEA_RUNNER_LABELS
              value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: gitea-runner-pvc
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: local-path
--- a/k8s/apps/gitea/external-secrets.yaml
+++ b/k8s/apps/gitea/external-secrets.yaml
@ -23,3 +23,37 @@ spec:
        key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
        property: login.password
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: gitea-recapcha-creds
 spec:
  refreshInterval: 1m
  target:
    name: gitea-recapcha-creds
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        GITEA__service__HCAPTCHA_SITEKEY: |-
          {{ .HCAPTCHA_SITEKEY }}
        GITEA__service__HCAPTCHA_SECRET: |-
          {{ .HCAPTCHA_SECRET }}
  data:
    - secretKey: HCAPTCHA_SITEKEY
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
        property: login.username
    - secretKey: HCAPTCHA_SECRET
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
        property: login.password
--- a/k8s/apps/immich/deployments.yaml
+++ b/k8s/apps/immich/deployments.yaml
@ -16,17 +16,14 @@ spec:
      containers:
      - name: immich-server
        image: ghcr.io/immich-app/immich-server:release
        imagePullPolicy: Always
        ports:
        - containerPort: 2283
        env:
        - name: UPLOAD_LOCATION
          value: /usr/src/app/upload
-            - name: DB_PASSWORD
+        - name: DB_URL
-              value: postgres
+          value: postgresql://postgres:postgres@immich-rw.immich:5432/immich
            - name: DB_USERNAME
              value: postgres
            - name: DB_DATABASE_NAME
              value: immich
        - name: REDIS_HOST
          value: redis
        - name: REDIS_PORT
@ -38,29 +35,57 @@ spec:
          name: upload-storage
        - mountPath: /GPHOTO
          name: gphoto-storage
        - mountPath: /Camera
          name: camera
        - mountPath: /etc/localtime
          name: localtime
          readOnly: true
-      nodeSelector:
+      affinity:
-        kubernetes.io/hostname: nas.homenet
+        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - home.homenet
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - home.homenet
                - nas.homenet
      volumes:
      - name: upload-storage
-          persistentVolumeClaim:
+        nfs:
-            claimName: immich-upload-pvc
+          server: nas.homenet
          path: /mnt/storage/Storage/k8s/immich/library/
          readOnly: false
      - name: gphoto-storage
-          persistentVolumeClaim:
+        nfs:
-            claimName: immich-gphoto-pvc
+          server: nas.homenet
          path: /mnt/storage/Storage/k8s/immich/GPHOTO/
          readOnly: false
      - name: camera
        nfs:
          server: nas.homenet
          path: /mnt/storage/Storage/Photos/Phone/
          readOnly: true
      - name: localtime
        hostPath:
          path: /etc/localtime
          type: File
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: immich-machine-learning
 spec:
-  replicas: 1
+  replicas: 4
  selector:
    matchLabels:
      app: immich-ml
@ -69,20 +94,68 @@ spec:
      labels:
        app: immich-ml
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - home.homenet
                  - master.tail2fe2d.ts.net
                  - nas.homenet
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 4
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - home.homenet
          - weight: 6
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - master.tail2fe2d.ts.net
          - weight: 1
            preference:
              matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                - home.homenet
      topologySpreadConstraints:
      - maxSkew: 2
        topologyKey: kubernetes.io/hostname
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: immich-ml
      containers:
      - name: immich-ml
        image: ghcr.io/immich-app/immich-machine-learning:release
        imagePullPolicy: Always
        env:
        - name: TZ
          value: Asia/Nicosia
        - name: IMMICH_MACHINE_LEARNING_MODEL_FACE
          value: buffalo_l
        - name: IMMICH_MACHINE_LEARNING_MODEL_CLIP
          value: ViT-L/14
        - name: IMMICH_MACHINE_LEARNING_USE_GPU
          value: "true"
        volumeMounts:
        - mountPath: /cache
          name: model-cache
      nodeSelector:
        kubernetes.io/hostname: nas.homenet
      volumes:
      - name: model-cache
        emptyDir: {}
 ---
 apiVersion: apps/v1
 kind: Deployment
@ -106,60 +179,3 @@ spec:
              command: ["redis-cli", "ping"]
      nodeSelector:
        kubernetes.io/hostname: nas.homenet
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: database
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: database
  template:
    metadata:
      labels:
        app: database
    spec:
      securityContext:
        fsGroup: 999
      containers:
        - name: immich-postgres
          image: tensorchord/pgvecto-rs:pg14-v0.2.0
          securityContext:
            runAsUser: 999
            runAsGroup: 999
          env:
            - name: POSTGRES_PASSWORD
              value: postgres
            - name: POSTGRES_USER
              value: postgres
            - name: POSTGRES_DB
              value: immich
            - name: POSTGRES_INITDB_ARGS
              value: '--data-checksums'
            - name: TZ
              value: Asia/Nicosia
          command: ["postgres"]
          args:
            - "-c"
            - "shared_preload_libraries=vectors.so"
            - "-c"
            - "search_path='\"$user\", public, vectors'"
            - "-c"
            - "logging_collector=on"
            - "-c"
            - "max_wal_size=2GB"
            - "-c"
            - "shared_buffers=512MB"
            - "-c"
            - "wal_compression=on"
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
              name: db-storage
      nodeSelector:
        kubernetes.io/hostname: nas.homenet
      volumes:
        - name: db-storage
          persistentVolumeClaim:
            claimName: immich-db-pvc
--- a/k8s/apps/immich/service.yaml
+++ b/k8s/apps/immich/service.yaml
@ -97,6 +97,24 @@ spec:
                name: immich-server
                port:
                  number: 2283
  tls:
    - secretName: immich-tls
      hosts:
        - photos.hexor.cy
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: immich-homenet-tls-ingress
  annotations:
    ingressClassName: traefik
    cert-manager.io/cluster-issuer: hexor-lab
    traefik.ingress.kubernetes.io/router.middlewares: |
      kube-system-https-redirect@kubernetescrd, immich-upload-buffering@kubernetescrd
    acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
  rules:
    - host: photos.homenet
      http:
        paths:
@ -108,7 +126,6 @@ spec:
                port:
                  number: 2283
  tls:
-    - secretName: immich-tls
+    - secretName: immich-homenet-tls
      hosts:
        - photos.hexor.cy
        - photos.homenet
--- a/k8s/apps/jellyfin/qbittorent.yaml
+++ b/k8s/apps/jellyfin/qbittorent.yaml
@ -54,7 +54,7 @@ spec:
            type: DirectoryOrCreate
        - name: media
          hostPath:
-            path: /k8s/jellyfin/media
+            path: /k8s/media/downloads
            type: DirectoryOrCreate
      containers:
        - name: qbittorrent
--- a/k8s/apps/jellyfin/values.yaml
+++ b/k8s/apps/jellyfin/values.yaml
@ -15,7 +15,7 @@ persistence:
    isPvc: false
    customVolume:
      hostPath:
-        path: /k8s/jellyfin/media
+        path: /k8s/media/downloads
        type: DirectoryOrCreate
 ingress:
--- a/k8s/apps/khm/deployment.yaml
+++ b/k8s/apps/khm/deployment.yaml
@ -22,11 +22,12 @@ spec:
      containers:
        - name: khm
          image: 'ultradesu/khm:latest'
          imagePullPolicy: Always
          command:
            - /bin/sh
            - -c
            - |
-              /usr/local/bin/khm --server --db-user=${PG_USER} --db-password=${PG_PASS} --flows=default --db-host=psql.psql.svc --ip=0.0.0.0
+              /usr/local/bin/khm --server --db-user=${PG_USER} --db-password=${PG_PASS} --flows=private,work --db-host=psql.psql.svc --ip=0.0.0.0
          env:
            - name: PG_USER
              valueFrom:
--- a/k8s/apps/paperless/gotenberg-values.yaml
+++ b/k8s/apps/paperless/gotenberg-values.yaml
@ -0,0 +1,20 @@
 replicaCount: 1
 image:
  repository: gotenberg/gotenberg
  tag: "8"
 nodeSelector:
  kubernetes.io/hostname: nas.homenet
 resources:
  limits:
    cpu: 1000m
    memory: 1Gi
  requests:
    cpu: 200m
    memory: 256Mi
 service:
  type: ClusterIP
  port: 3000
--- a/k8s/apps/paperless/kustomization.yaml
+++ b/k8s/apps/paperless/kustomization.yaml
@ -11,6 +11,20 @@ helmCharts:
    version: 0.24.1
    releaseName: paperless-ngx
    namespace: paperless
-    valuesFile: values.yaml
+    valuesFile: paperless-values.yaml
    includeCRDs: true
  - name: tika
    repo: https://apache.jfrog.io/artifactory/tika
    version: 2.9.0
    releaseName: apache-tika
    namespace: paperless
    valuesFile: tika-values.yaml
    includeCRDs: true
  - name: gotenberg
    repo: https://maikumori.github.io/helm-charts
    version: 1.12.0
    releaseName: gotenberg
    namespace: paperless
    valuesFile: gotenberg-values.yaml
    includeCRDs: true
--- a/k8s/apps/paperless/paperless-values.yaml
+++ b/k8s/apps/paperless/paperless-values.yaml
@ -1,11 +1,11 @@
 image:
-  tag: 2.15.1
+  tag: 2.15.3
 initContainers:
  install-tesseract-langs:
    image: ghcr.io/paperless-ngx/paperless-ngx:2.15.1
    command: ["/bin/sh", "-c"]
    args:
-      - apt-get update && apt-get install -y --reinstall tesseract-ocr-rus tesseract-ocr-eng tesseract-ocr-ell && cp -v -r /usr/share/tesseract-ocr/5/tessdata/* /custom-tessdata/
+      - apt-get update && apt-get install -y --reinstall tesseract-ocr-rus tesseract-ocr-jpn tesseract-ocr-chi-sim tesseract-ocr-eng tesseract-ocr-ell && cp -v -r /usr/share/tesseract-ocr/5/tessdata/* /custom-tessdata/
    volumeMounts:
      - name: tessdata
        mountPath: /custom-tessdata
@ -15,9 +15,13 @@ env:
  TZ: Asia/Nicosia
  PAPERLESS_URL: https://docs.hexor.cy
  PAPERLESS_ALLOWED_HOSTS: docs.hexor.cy
  PAPERLESS_REDIS: redis://:NOTSECUREBUTMAYBELOCAL@paperless-ngx-redis-master
  PAPERLESS_CSRF_TRUSTED_ORIGINS: https://idm.hexor.cy
-  PAPERLESS_OCR_LANGUAGE: "eng+rus+ell"
+  PAPERLESS_OCR_LANGUAGE: "eng+rus+ell+jpn+chi_sim"
  TESSDATA_PREFIX: /custom-tessdata
  PAPERLESS_TIKA_ENABLED: "1"
  PAPERLESS_TIKA_GOTENBERG_ENDPOINT: "http://gotenberg.paperless.svc:3000"
  PAPERLESS_TIKA_ENDPOINT: "http://apache-tika.paperless.svc:9998"
  PAPERLESS_DBENGINE: postgresql
  PAPERLESS_DBHOST: psql-nas.psql.svc
  PAPERLESS_DBPORT: "5432"
@ -87,6 +91,17 @@ persistence:
    hostPath: /mnt/storage/Storage/k8s/paperless/consume
    globalMounts:
      - path: /usr/src/paperless/consume
 redis:
  enabled: true
  master:
    nodeSelector:
      kubernetes.io/hostname: nas.homenet
  replica:
    nodeSelector:
      kubernetes.io/hostname: nas.homenet
  global:
    redis:
      password: "NOTSECUREBUTMAYBELOCAL"
 postgresql:
  enabled: false
 mariadb:
--- a/k8s/apps/paperless/tika-values.yaml
+++ b/k8s/apps/paperless/tika-values.yaml
@ -0,0 +1,20 @@
 replicaCount: 1
 image:
  repository: apache/tika
  tag: "latest"
 nodeSelector:
  kubernetes.io/hostname: nas.homenet
 resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
 service:
  type: ClusterIP
  port: 9998
--- a/k8s/apps/qbittorent-nas/app.yaml
+++ b/k8s/apps/qbittorent-nas/app.yaml
@ -0,0 +1,21 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: qbittorent-nas
  namespace: argocd
 spec:
  project: apps
  destination:
    namespace: qbittorent-nas
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/apps/qbittorent-nas
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/k8s/apps/qbittorent-nas/kustomization.yaml
+++ b/k8s/apps/qbittorent-nas/kustomization.yaml
@ -0,0 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
  - qbittorent.yaml
--- a/k8s/apps/qbittorent-nas/qbittorent.yaml
+++ b/k8s/apps/qbittorent-nas/qbittorent.yaml
@ -0,0 +1,62 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: qbittorent-nas
  labels:
    app: qbittorent-nas
  annotations:
    reloader.stakater.com/auto: "true"
 spec:
  selector:
    matchLabels:
      app: qbittorent-nas
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: qbittorent-nas
    spec:
      nodeSelector:
        kubernetes.io/hostname: nas.homenet
      volumes:
        - name: config
          hostPath:
            path: /mnt/storage/Storage/configs/qbittorrent
            type: DirectoryOrCreate
        - name: media
          hostPath:
            path: /mnt/storage/Storage/Donwloads
            type: DirectoryOrCreate
      containers:
        - name: qbittorrent
          image: 'linuxserver/qbittorrent:latest'
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          volumeMounts:
            - name: config
              mountPath: /config
            - name: media
              mountPath: /downloads
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: qbittorent-nas
 spec:
  type: NodePort
  selector:
    app: qbittorent-nas
  ports:
    - port: 8080
      targetPort: 8080
      nodePort: 31337
      protocol: TCP
--- a/k8s/apps/rustdesk/app.yaml
+++ b/k8s/apps/rustdesk/app.yaml
@ -0,0 +1,21 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: rustdesk
  namespace: argocd
 spec:
  project: apps
  destination:
    namespace: rustdesk
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/apps/rustdesk
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/k8s/apps/rustdesk/external-secrets.yaml
+++ b/k8s/apps/rustdesk/external-secrets.yaml
@ -0,0 +1,66 @@
 ---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: postgres-creds
 spec:
  target:
    name: postgres-creds
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        psql_user: paperless
        psql_pass: |-
          {{ .psql_pass }}
        oauth_config: |-
          {
            "openid_connect": {
              "APPS": [
                {
                  "provider_id": "authentik",
                  "name": "Authentik",
                  "client_id": "{{ .oauth_id }}",
                  "secret": "{{ .oauth_secret }}",
                  "settings": {
                    "server_url": "{{ .server_url }}"
                  }
                }
              ],
              "OAUTH_PKCE_ENABLED": "True"
            }
          }
  data:
    - secretKey: psql_pass
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[5].value
    - secretKey: oauth_id
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
        property: fields[0].value
    - secretKey: oauth_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
        property: fields[1].value
    - secretKey: server_url
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: 07d4efd9-597c-4a4c-a78d-13bfc43e6055
        property: fields[2].value
--- a/k8s/apps/rustdesk/kustomization.yaml
+++ b/k8s/apps/rustdesk/kustomization.yaml
@ -0,0 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
  #- external-secrets.yaml
 helmCharts:
  - name: rustdesk-server-oss
    repo: https://schich.tel/helm-charts
    version: 0.2.2
    releaseName: rustdesk
    namespace: rustdesk
    valuesFile: values.yaml
    includeCRDs: true
--- a/k8s/apps/rustdesk/values.yaml
+++ b/k8s/apps/rustdesk/values.yaml
@ -0,0 +1,87 @@
 replicaCount: 1
 image:
  repository: docker.io/rustdesk/rustdesk-server
  pullPolicy: IfNotPresent
  tag: 1
 nodeSelector:
  kubernetes.io/hostname: master.tail2fe2d.ts.net
 ingress:
  enabled: true
  className: "traefik"
  annotations:
    ingressClassName: traefik
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
    acme.cert-manager.io/http01-edit-in-place: "true"
  hosts:
  - rd.hexor.cy
  tls:
    - secretName: rustdesk-tls
      hosts:
        - rd.hexor.cy
 service:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  loadBalancerIP: null
  enableWebClientSupport: false
  hbbr:
    replayPort:
      port: 21117
      targetPort: 21117
    clientPort:
      port: 21119
      targetPort: 21119
  hbbs:
    natPort:
      port: 21115
      targetPort: 21115
    registryPort:
      port: 21116
      targetPort: 21116
    heartbeatPort:
      port: 21116
      targetPort: 21116
    webPort:
      port: 21118
      targetPort: 21118
 resources:
  hbbrResource: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  hbbsResource: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  # Additional volumes on the output Deployment definition.
 volume: {}
 # - name: foo
 #   secret:
 #     secretName: mysecret
 #     optional: false
 # - name: foo
 #   mountPath: "/etc/foo"
 #   readOnly: true
--- a/k8s/apps/sonarr-stack/bazarr-values.yaml
+++ b/k8s/apps/sonarr-stack/bazarr-values.yaml
@ -0,0 +1,13 @@
 nodeSelector:
  kubernetes.io/hostname: master.tail2fe2d.ts.net
 volumes:
  - name: downloads
    hostPath:
      path: /k8s/media/downloads
      type: DirectoryOrCreate
 volumeMounts:
  - name: downloads
    mountPath: /downloads
    readOnly: false
--- a/k8s/apps/sonarr-stack/kustomization.yaml
+++ b/k8s/apps/sonarr-stack/kustomization.yaml
@ -13,4 +13,18 @@ helmCharts:
    namespace: sonarr-stack
    valuesFile: sonarr-values.yaml
    includeCRDs: true
  - name: prowlarr
    repo: https://charts.pree.dev
    version: 1.42.0
    releaseName: prowlarr
    namespace: sonarr-stack
    valuesFile: sonarr-values.yaml
    includeCRDs: true
  - name: bazarr
    repo: oci://ghcr.io/m0nsterrr/helm-charts
    version: 2.0.3
    releaseName: bazarr
    namespace: sonarr-stack
    valuesFile: bazarr-values.yaml
    includeCRDs: true
--- a/k8s/apps/sonarr-stack/prowlarr-values.yaml
+++ b/k8s/apps/sonarr-stack/prowlarr-values.yaml
@ -0,0 +1,9 @@
 env:
  TZ: Asia/Nicosia
 nodeSelector:
  kubernetes.io/hostname: master.tail2fe2d.ts.net
 persistence:
  config:
    enabled: true
    mountPath: /config
--- a/k8s/apps/sonarr-stack/sonarr-values.yaml
+++ b/k8s/apps/sonarr-stack/sonarr-values.yaml
@ -6,13 +6,10 @@ nodeSelector:
 persistence:
  config:
    enabled: true
    mountPath: /config
    accessMode: ReadWriteOnce
    size: 1Gi
  downloads:
    enabled: true
    type: hostPath
-    hostPath: /k8s/jellyfin/media
+    hostPath: /k8s/media/downloads
    mountPath: /downloads
    accessMode: ReadWriteOnce
--- a/k8s/apps/stirling-pdf/app.yaml
+++ b/k8s/apps/stirling-pdf/app.yaml
@ -0,0 +1,21 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: stirling-pdf
  namespace: argocd
 spec:
  project: apps
  destination:
    namespace: stirling-pdf
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/apps/stirling-pdf
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/k8s/apps/stirling-pdf/kustomization.yaml
+++ b/k8s/apps/stirling-pdf/kustomization.yaml
@ -0,0 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
 helmCharts:
  - name: stirling-pdf-chart
    repo: https://stirling-tools.github.io/Stirling-PDF-chart
    version: 1.10.0
    releaseName: stirling-pdf
    namespace: stirling-pdf
    valuesFile: values.yaml
    includeCRDs: true
--- a/k8s/apps/stirling-pdf/values.yaml
+++ b/k8s/apps/stirling-pdf/values.yaml
@ -0,0 +1,56 @@
 replicaCount: 1
 image:
  registry: docker.stirlingpdf.com
  repository: stirlingtools/stirling-pdf
  tag: "latest"
  pullPolicy: Always
 securityContext:
  enabled: true
  fsGroup: 1000
 ingress:
  enabled: true
  ingressClassName: "traefik"
  pathType: "Prefix"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt"
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
  labels:
    app: stirling-pdf
  hosts:
    - name: pdf.hexor.cy
      path: /
      tls: true
      tlsSecret: pdf-hexor-cy-tls
 resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 250m
    memory: 256Mi
 probes:
  liveness:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
  readiness:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 5
    timeoutSeconds: 3
    failureThreshold: 3
 envs:
  - name: UI_APP_NAME
    value: "Stirling PDF"
  - name: UI_HOME_DESCRIPTION
    value: "Your locally hosted one-stop-shop for all your PDF needs."
--- a/k8s/apps/syncthing/kustomization.yaml
+++ b/k8s/apps/syncthing/kustomization.yaml
@ -9,8 +9,15 @@ helmCharts:
  - name: syncthing
    repo: https://k8s-home-lab.github.io/helm-charts
    version: 4.0.0
-    releaseName: syncthing
+    releaseName: syncthing-master
    namespace: syncthing
-    valuesFile: syncthing-values.yaml
+    valuesFile: syncthing-master.yaml
    includeCRDs: true
  - name: syncthing
    repo: https://k8s-home-lab.github.io/helm-charts
    version: 4.0.0
    releaseName: syncthing-khv
    namespace: syncthing
    valuesFile: syncthing-khv.yaml
    includeCRDs: true
--- a/k8s/apps/syncthing/syncthing-khv.yaml
+++ b/k8s/apps/syncthing/syncthing-khv.yaml
@ -0,0 +1,42 @@
 image:
  tag: latest
 persistence:
  config:
    enabled: true
    type: hostPath
    hostPath: "/k8s/syncthing"
    mountPath: "/var/syncthing"
  storage:
    enabled: true
    type: hostPath
    hostPath: "/home/share"
    mountPath: "/storage"
 nodeSelector:
  kubernetes.io/hostname: iris.khv
 service:
  main:
    ports:
      http:
        port: 8384
  listen:
    enabled: true
    type: LoadBalancer
    ports:
      listen:
        enabled: true
        port: 30023
        protocol: TCP
        targetPort: 22000
    selector:
      app.kubernetes.io/name: syncthing
  discovery:
    enabled: true
    type: NodePort
    externalTrafficPolicy: Cluster
    ports:
      discovery:
        enabled: true
        port: 21027
        protocol: UDP
        targetPort: 21027
--- a/k8s/apps/syncthing/syncthing-master.yaml
+++ b/k8s/apps/syncthing/syncthing-master.yaml
@ -1,3 +1,6 @@
 image:
  tag: latest
 persistence:
  config:
    enabled: true
--- a/k8s/core/argocd/appprojects.yaml
+++ b/k8s/core/argocd/appprojects.yaml
@ -30,3 +30,20 @@ spec:
    server: https://kubernetes.default.svc
  sourceRepos:
  - ssh://git@gt.hexor.cy:30022/ab/homelab.git
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
  name: games
  namespace: argocd
 spec:
  clusterResourceWhitelist:
  - group: '*'
    kind: '*'
  description: Hexor Home Lab Games
  destinations:
  - namespace: '*'
    server: https://kubernetes.default.svc
  sourceRepos:
  - ssh://git@gt.hexor.cy:30022/ab/homelab.git
--- a/k8s/core/authentik/values.yaml
+++ b/k8s/core/authentik/values.yaml
@ -1,6 +1,9 @@
 global:
  image:
    tag: "2025.4.1"
  nodeSelector:
    kubernetes.io/hostname: master.tail2fe2d.ts.net
 authentik:
    error_reporting:
        enabled: true
@ -16,8 +19,6 @@ server:
  envFrom:
    - secretRef:
        name: authentik-creds
  image:
    tag: "2025.2.4"
  ingress:
      enabled: true
      ingressClassName: traefik
@ -37,6 +38,7 @@ server:
        - backup.hexor.cy    # Kopia Backup UI
        - fm.hexor.cy        # Filemanager
        - hexound.hexor.cy   # Hexound
        - minecraft.hexor.cy # Minecraft UI and server
      tls:
        - secretName: idm-tls
          hosts:
--- a/k8s/core/cert-manager/kustomization.yaml
+++ b/k8s/core/cert-manager/kustomization.yaml
@ -5,6 +5,7 @@ resources:
  - app.yaml
  - external-secrets.yaml
  - issuer.yaml
  - self-signed.yaml
 helmCharts:
  - name: cert-manager
--- a/k8s/core/cert-manager/self-signed.yaml
+++ b/k8s/core/cert-manager/self-signed.yaml
@ -0,0 +1,30 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: selfsigned
 spec:
  selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: hexor-ca-root
 spec:
  isCA: true
  duration: 87600h # 10y
  commonName: hexor-ca
  secretName: hexor-ca-root-secret
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
 ---
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: hexor-lab
 spec:
  ca:
    secretName: hexor-ca-root-secret
--- a/k8s/core/external-secrets/Dockerfile-bitwarden-cli
+++ b/k8s/core/external-secrets/Dockerfile-bitwarden-cli
@ -1,6 +1,6 @@
 FROM debian:sid
-ENV BW_CLI_VERSION=2024.7.2
+ENV BW_CLI_VERSION=2025.5.0
 RUN apt update && \
    apt install -y wget unzip && \
@ -12,15 +12,15 @@ RUN apt update && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
-// Entrypoint content
+# Build entrypoint script
-    #!/bin/sh
+RUN echo '#!/bin/sh\n\
-    set -e
+set -e\n\
-    bw config server ${BW_HOST}
+bw config server ${BW_HOST}\n\
-    export BW_SESSION=$(bw login ${BW_USER} --passwordenv BW_PASSWORD --raw)
+export BW_SESSION=$(bw login ${BW_USER} --passwordenv BW_PASSWORD --raw)\n\
-    bw unlock --check
+bw unlock --check\n\
-    echo 'Running `bw server` on port 8087'
+echo "Running \`bw server\` on port 8087"\n\
-    bw serve --hostname 0.0.0.0 #--disable-origin-protection
+bw serve --hostname 0.0.0.0\n' > /entrypoint.sh && \
-// End Entrypoint content
+    chmod +x /entrypoint.sh
    COPY entrypoint.sh /
 CMD ["/entrypoint.sh"]
--- a/k8s/core/external-secrets/bitwarden-store.yaml
+++ b/k8s/core/external-secrets/bitwarden-store.yaml
@ -37,7 +37,7 @@ spec:
        kubernetes.io/hostname: master.tail2fe2d.ts.net
      containers:
        - name: bitwarden-cli
-          image: ultradesu/bitwarden-client:2024.7.2
+          image: ultradesu/bitwarden-client:2025.5.0
          imagePullPolicy: Always
          env:
            - name: BW_HOST
--- a/k8s/core/external-secrets/kustomization.yaml
+++ b/k8s/core/external-secrets/kustomization.yaml
@ -8,7 +8,7 @@ resources:
 helmCharts:
  - name: external-secrets
    repo: https://charts.external-secrets.io
-    version: 0.15.1
+    version: 0.16.2
    releaseName: external-secrets
    namespace: external-secrets
    valuesFile: values.yaml
--- a/k8s/core/postgresql/kustomization.yaml
+++ b/k8s/core/postgresql/kustomization.yaml
@ -6,6 +6,7 @@ resources:
  - app.yaml
  - external-secrets.yaml
  - main-db.yaml
  - nas.yaml
  - nas-db.yaml
@ -15,6 +16,12 @@ helmCharts:
    version: 1.37.0
    releaseName: pgmanager
    namespace: psql
-    valuesFile: values.yaml
+    valuesFile: pgadmin4-values.yaml
    includeCRDs: true
  - name: cloudnative-pg
    repo: https://cloudnative-pg.github.io/charts
    version: 0.23.2
    releaseName: cnpg
    namespace: psql
    includeCRDs: true
--- a/k8s/core/postgresql/nas.yaml
+++ b/k8s/core/postgresql/nas.yaml
@ -0,0 +1,141 @@
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: immich-pv
  namespace: immich
 spec:
  capacity:
    storage: 50Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-storage
  nfs:
    server: nas.homenet
    path: /mnt/storage/Storage/k8s/immich/db-vector
    readOnly: false
  volumeMode: Filesystem
 ---
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
  name: nfs-storage
 provisioner: kubernetes.io/no-provisioner
 reclaimPolicy: Retain
 volumeBindingMode: Immediate
 ---
 apiVersion: v1
 data:
  password: cG9zdGdyZXM=
  username: cG9zdGdyZXM=
 kind: Secret
 metadata:
  name: immich-db-pass
  namespace: immich
 type: kubernetes.io/basic-auth
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: immich
  namespace: immich
 spec:
  description: "PostgreSQL cluster for Immich with vector support"
  imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:14-v0.3.0
  enableSuperuserAccess: true
  instances: 1
  startDelay: 300
  primaryUpdateStrategy: unsupervised
  postgresql:
    parameters:
      shared_buffers: "512MB"
      max_wal_size: "2GB"
      wal_compression: "on"
    shared_preload_libraries:
      - "vectors.so"
    pg_hba:
      - host all all 0.0.0.0/0 md5
  bootstrap:
    initdb:
      database: immich
      owner: postgres
      dataChecksums: true
      secret:
        name: immich-db-pass
      postInitApplicationSQL:
        - ALTER SYSTEM SET search_path TO "$user", public, vectors;
        - SET search_path TO "$user", public, vectors;
        - CREATE EXTENSION IF NOT EXISTS "vectors";
        - ALTER SCHEMA vectors OWNER TO "postgres";
        - GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA vectors TO "postgres";
        - GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "postgres";
        - CREATE EXTENSION IF NOT EXISTS cube;
        - CREATE EXTENSION IF NOT EXISTS earthdistance;
  storage:
    size: 50Gi
    storageClass: nfs-storage
    pvcTemplate:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 50Gi
      storageClassName: nfs-storage
      volumeMode: Filesystem
  resources:
    requests:
      memory: "1Gi"
      cpu: "500m"
    limits:
      memory: "2Gi"
      cpu: "1"
  affinity:
    enablePodAntiAffinity: true
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          preference:
            matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - nas.homenet
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: kubernetes.io/hostname
                operator: In
                values:
                  - home.homenet
                  - nas.homenet
    tolerations:
      - key: cnpg.io/cluster
        effect: NoSchedule
        value: immich-db
        operator: Equal
    additionalPodAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 1
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app.component
                  operator: In
                  values:
                    - "pg-cluster"
            topologyKey: topology.kubernetes.io/zone
  monitoring:
    enablePodMonitor: true
--- a/k8s/core/postgresql/pgadmin4-values.yaml
+++ b/k8s/core/postgresql/pgadmin4-values.yaml
@ -1,5 +1,5 @@
 image:
-  tag: "9.2"
+  tag: "9.3"
  pullPolicy: Always
 env:
  email: "postgres@hexor.cy"
--- a/k8s/core/system-upgrade/app.yaml
+++ b/k8s/core/system-upgrade/app.yaml
@ -13,9 +13,6 @@ spec:
    targetRevision: HEAD
    path: k8s/core/system-upgrade
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/k8s/core/system-upgrade/plan.yaml
+++ b/k8s/core/system-upgrade/plan.yaml
@ -16,7 +16,7 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.32.3+k3s1
+  version: v1.33.1+k3s1
 ---
 # Agent plan
 apiVersion: upgrade.cattle.io/v1
@ -39,5 +39,5 @@ spec:
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
-  version: v1.32.3+k3s1
+  version: v1.33.1+k3s1
--- a/k8s/games/minecraft/deployments.yaml
+++ b/k8s/games/minecraft/deployments.yaml
@ -18,7 +18,7 @@ data:
        location / {
          proxy_pass http://localhost:8123;
          sub_filter 'Minecraft Dynamic Map' "Hexor's MC server";
-          sub_filter "</body>" '<p style="background-color: #CEC6CB; color: black; padding: 10px 10px; text-align: center; font-size: large; text-decoration: none; display: inline-block; border-radius: 4px; position: absolute; top: 10px; left: 150px;">Get <a href="https://prismlauncher.org/" >Prism Launcher</a> and <a href="/clients/1.12.2.zip" >client.zip</a> for this server</p></body>';
+          sub_filter "</body>" '<p style="background-color: #CEC6CB; color: black; padding: 10px 10px; text-align: center; font-size: large; text-decoration: none; display: inline-block; border-radius: 4px; position: absolute; top: 10px; left: 150px;">Get <a href="https://github.com/PrismLauncher/PrismLauncher/releases/tag/8.4" >Prism Launcher</a> and <a href="/clients/1.12.2.zip" >client.zip</a> for this server. Server address <b>minecraft.hexor.cy:30565</b></p></body>';
          sub_filter_once off;
        }
        location /clients/ {
@ -61,7 +61,7 @@ spec:
      - name: storage
        hostPath:
          path: /k8s/mc-server/
-          type: Directory
+          type: DirectoryOrCreate
      - name: nginx-config
        configMap:
          name: nginx-config
@ -82,8 +82,8 @@ spec:
          image: 'openjdk:8-jdk-alpine'
          command: ["java"]
          args:
-            - -Xms12G
+            - -Xms4G
-            - -Xmx12G
+            - -Xmx4G
            - -XX:+UseG1GC
            - -XX:+ParallelRefProcEnabled
            - -XX:MaxGCPauseMillis=200
@ -108,10 +108,10 @@ spec:
          workingDir: /mc/
          resources:
              limits:
-                memory: 15Gi
+                memory: 8Gi
                #cpu: 1
              requests:
-                memory: 10Gi
+                memory: 5Gi
                #cpu: 100m
          ports:
            - name: game