chore(deps): update docker image docker.io/bitnami/postgresql to v16.2.0

This reverts commit afd7dbac88.

.archive/crowdsec/project.yml

@@ -5,4 +5,4 @@ apps:
 - name: crowdsec
   repoURL: https://crowdsecurity.github.io/helm-charts
   chart: crowdsec
-  targetRevision: 0.9.12
+  targetRevision: 0.11.0

.archive/neuvector/project.yml

@@ -5,4 +5,4 @@ apps:
 - name: core
   repoURL: https://neuvector.github.io/neuvector-helm/
   chart: core
-  targetRevision: 2.7.3
+  targetRevision: 2.7.7

bootstrap/flux-system/gotk-components.yaml

@@ -3563,7 +3563,7 @@ spec:
               fieldPath: metadata.namespace
         - name: TUF_ROOT
           value: /tmp/.sigstore
-        image: ghcr.io/fluxcd/source-controller:v1.2.4
+        image: ghcr.io/fluxcd/source-controller:v1.4.1
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -5299,7 +5299,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: ghcr.io/fluxcd/kustomize-controller:v1.2.2
+        image: ghcr.io/fluxcd/kustomize-controller:v1.4.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -7975,7 +7975,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: ghcr.io/fluxcd/notification-controller:v1.2.4
+        image: ghcr.io/fluxcd/notification-controller:v1.4.0
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:

projects/adguard/values/adguard.yaml

@@ -1,6 +1,6 @@
 image:
   repository: adguard/adguardhome
-  tag: v0.107.44
+  tag: v0.107.53
 
 env:
   TZ: Europe/Amsterdam

projects/ai/project.yaml

@@ -3,16 +3,34 @@ config:
 
 apps:
 - name: localai
-  repoURL: https://go-skynet.github.io/helm-charts
+  # repoURL: https://go-skynet.github.io/helm-charts
-  chart: local-ai
+  # chart: local-ai
-  targetRevision: 3.1.0
+  # targetRevision: 3.1.0
+  repoURL: https://github.com/nold360/localai-charts.git
+  path: charts/local-ai
+  targetRevision: feat/envsecret
+  secrets:
+    - name: localai
+      keys:
+        - hf-token
 
 - name: anythingllm
   repo: bjw-s 
   chart: app-template
   targetRevision: 2.4.0
 
-- name: flowise
+# - name: flowise
+#   repo: bjw-s 
+#   chart: app-template
+#   targetRevision: 2.4.0
+
+# - name: big-agi
+#   repo: bjw-s
+#   chart: app-template
+#   targetRevision: 2.4.0
+
+- name: browserless
+  namespace: browserless
   repo: bjw-s
   chart: app-template
   targetRevision: 2.4.0

projects/ai/values/anythingllm.yml

@@ -5,6 +5,7 @@ controllers:
         image:
           repository: mintplexlabs/anythingllm
           tag: master
+          pullPolicy: Always
 
         env:
           STORAGE_DIR: /app/server/storage
@@ -17,7 +18,7 @@ controllers:
           ######## LLM API SElECTION ################
           LLM_PROVIDER: 'localai'
           LOCAL_AI_BASE_PATH: 'http://localai-local-ai.ai.svc.cluster.local/v1'
-          LOCAL_AI_MODEL_PREF: 'thebloke__dolphin-2.2.1-mistral-7b-gguf__dolphin-2.2.1-mistral-7b.q5_k_m.gguf'
+          LOCAL_AI_MODEL_PREF: main
           LOCAL_AI_MODEL_TOKEN_LIMIT: 1024
           # LOCAL_AI_API_KEY="sk-123abc"
 
@@ -29,6 +30,8 @@ controllers:
           ######## Vector Database Selection ########
           VECTOR_DB: "lancedb"
 
+          DISABLE_TELEMETRY: "true"
+
 ingress:
   main:
     annotations:

projects/ai/values/bibot.yml

@@ -0,0 +1,84 @@
+controllers:
+  # main agent
+  main:
+    containers:
+      main:
+        image:
+          repository: reg.dc/bi
+          tag: latest
+          pullPolicy: Always
+        env:
+          BIBOT_CONFIG: /config/bibot.yml
+          BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
+          PHOENIX_COLLECTOR_ENDPOINT: http://phoenix.phoenix.svc.cluster.local:6006
+          PHOENIX_PROJECT_NAME: bi
+        command: ["python3"]
+        args: ["/app/bi/agents/main/app.py", "worker", "-l", "info"]
+
+  controller:
+    containers:
+      main:
+        image:
+          repository: reg.dc/bi
+          tag: latest
+          pullPolicy: Always
+        env:
+          BIBOT_CONFIG: /config/bibot.yml
+          BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
+        command: ["python3"]
+        args: ["/app/bi/controller.py", "worker", "-l", "info"]
+
+  discord:
+    containers:
+      main:
+        image:
+          repository: reg.dc/bi
+          tag: latest
+          pullPolicy: Always
+    
+        command: ["python3"]
+        args: ["/app/bi/connectors/discord/app.py", "worker", "-l", "info"]
+
+        env:
+          BIBOT_KAFKA__BROKER: bi-cluster-kafka-bootstrap:9092
+          OPENAI_API_KEY: fake
+          BIBOT_DISCORD__TOKEN:
+            valueFrom:
+              secretKeyRef:
+                name: bibot
+                key: discord-token
+          ## Prod:
+          BIBOT_DISCORD__CHANNELS: "1216440541064200192"
+          # Dev:
+          # BIBOT_DISCORD_CHANNELS: "1217418069693960223"
+        probes:
+          liveness: 
+            enabled: false
+          readiness: 
+            enabled: false
+          startup: 
+            enabled: false
+
+persistence:
+  secret:
+    name: bibot
+    enabled: true
+    type: secret
+
+  config:
+    name: bibot-config
+    enabled: true
+    type: configMap
+
+  data:
+    size: 10Gi
+    type: persistentVolumeClaim
+    accessMode: ReadWriteOnce
+
+# service:
+#   main:
+#     controller: main
+#     ports:
+#       http:
+#         port: 8000
+#     type: ClusterIP

projects/ai/values/big-agi.yml

@@ -0,0 +1,60 @@
+controllers:
+  main:
+    containers:
+      main:
+        image:
+          repository: ghcr.io/enricoros/big-agi
+          tag: latest
+          pullPolicy: Always
+        command: [ "next", "start", "-p", "3001" ]
+        env:
+          PUPPETEER_WSS_ENDPOINT: ws://browserless.browserless.svc.cluster.local:3000
+          # ANTHROPIC_API_HOST: ""
+          # ANTHROPIC_API_KEY: ""
+          # ELEVENLABS_API_HOST: ""
+          # ELEVENLABS_API_KEY: ""
+          # ELEVENLABS_VOICE_ID: ""
+          # GOOGLE_CLOUD_API_KEY: ""
+          # GOOGLE_CSE_ID: ""
+          # HELICONE_API_KEY: ""
+          # OPENAI_API_HOST: "http://localai-local-ai.ai.svc.cluster.local/v1"
+          LOCALAI_API_HOST: "http://localai-local-ai.ai.svc.cluster.local"
+          # OPENAI_API_KEY: "sk-xxxxxxxxxxxx"
+          # OPENAI_API_ORG_ID: ""
+          # PRODIA_API_KEY: ""
+
+ingress:
+  main:
+    annotations:
+      cert-manager.io/cluster-issuer: vault-issuer
+    enabled: true
+    hosts:
+    - host: bigagi.dc
+      paths:
+      - path: /
+        service:
+          name: main
+          port: http
+    tls:
+    - hosts:
+      - bigagi.dc
+      secretName: bigagi-tls
+
+persistence:
+  data:
+    accessMode: ReadWriteOnce
+    enabled: false
+    readOnly: false
+    size: 10Gi
+    type: persistentVolumeClaim
+
+securityContext:
+  privileged: false
+
+service:
+  main:
+    ports:
+      http:
+        enabled: true
+        port: 3001
+    type: ClusterIP

projects/ai/values/browserless.yml

@@ -0,0 +1,40 @@
+controllers:
+  main:
+    containers:
+      main:
+        image: 
+          repository:  browserless/chrome
+          tag: latest
+          pullPolicy: Always
+        env:
+          MAX_CONCURRENT_SESSIONS: 10
+
+ingress:
+  main:
+    annotations:
+      cert-manager.io/cluster-issuer: vault-issuer
+    enabled: true
+    hosts:
+    - host: browserless.dc
+      paths:
+      - path: /
+        service:
+          name: main
+          port: http
+    tls:
+    - hosts:
+      - browserless.dc
+      secretName: browserless-tls
+
+
+
+securityContext:
+  privileged: false
+
+service:
+  main:
+    ports:
+      http:
+        enabled: true
+        port: 3000
+    type: ClusterIP

projects/ai/values/dify.yml

@@ -185,7 +185,7 @@ postgresql:
   image:
     registry: docker.io
     repository: bitnami/postgresql
-    tag: 15.6.0-debian-11-r7
+    tag: 16.2.0-debian-11-r7
     pullPolicy: IfNotPresent
   ## @param architecture PostgreSQL architecture (`standalone` or `replication`)
   ##

projects/ai/values/flowise.yml

@@ -4,7 +4,7 @@ controllers:
       main:
         image:
           repository: flowiseai/flowise
-          tag: 1.5.0
+          tag: 1.8.4
         command:
           - flowise
           - start

projects/ai/values/localai.yaml

@@ -1,18 +1,29 @@
 replicaCount: 1
 
 deployment:
-  image: quay.io/go-skynet/local-ai:master-ffmpeg-core
+  image: 
+    repository: quay.io/go-skynet/local-ai
+    #tag: latest-aio-gpu-nvidia-cuda-12
+    tag: v2.22.0-cublas-cuda12-ffmpeg
+  pullPolicy: Always
+  runtimeClassName: nvidia
+
   env:
     threads: 16
-    context_size: 2048
+    context_size: 4096
     DEBUG: "true"
+    #
+    # SINGLE_ACTIVE_BACKEND: "true"
+    # PYTHON_GRPC_MAX_WORKERS: "1"
+    # LLAMACPP_PARALLEL: "1"
+    # PARALLEL_REQUESTS: "false"
 
     ## Specify a different bind address (defaults to ":8080")
     # ADDRESS=127.0.0.1:8080
 
     ## Define galleries.
     ## models will to install will be visible in `/models/available`
-    GALLERIES: '[{"name":"model-gallery", "url":"github:go-skynet/model-gallery/index.yaml"}, {"url": "github:go-skynet/model-gallery/huggingface.yaml","name":"huggingface"}]'
+    #GALLERIES: '[{"name":"model-gallery", "url":"github:go-skynet/model-gallery/index.yaml"}, {"url": "github:go-skynet/model-gallery/huggingface.yaml","name":"huggingface"}]'
 
     ## Default path for models
     #MODELS_PATH=/models
@@ -46,6 +57,14 @@ deployment:
     # UPLOAD_LIMIT
 
     # HUGGINGFACEHUB_API_TOKEN=Token here
+  # Inject Secrets into Environment:
+  secretEnv:
+  - name: HF_TOKEN
+    valueFrom:
+      secretKeyRef:
+        name: localai
+        key: hf-token
+
 
   modelsPath: "/models"
   download_model:
@@ -54,9 +73,6 @@ deployment:
   prompt_templates:
     # To use cloud provided (eg AWS) image, provide it like: 1234356789.dkr.ecr.us-REGION-X.amazonaws.com/busybox
     image: busybox
-  pullPolicy: Always
-  imagePullSecrets: []
-    # - name: secret-names
 
 resources:
   requests:
@@ -80,17 +96,25 @@ models:
 
   # The list of URLs to download models from
   # Note: the name of the file will be the name of the loaded model
-  list:
+  list: []
-    - url: "https://gpt4all.io/models/ggml-gpt4all-j.bin"
+    # - url: "https://gpt4all.io/models/ggml-gpt4all-j.bin"
       # basicAuth: base64EncodedCredentials
 
-  persistence:
+persistence:
-    pvc:
+  models: 
-      enabled: true
+    enabled: true
-      size: 100Gi
+    annotations: {}
-      accessModes:
+    storageClass: ssd
-        - ReadWriteOnce
+    accessModes: ReadWriteOnce
-      storageClass: "ssd"
+    size: 100Gi
+    globalMount: /models
+  output:
+    enabled: false
+    annotations: {}
+    storageClass: ssd
+    accessModes: ReadWriteOnce
+    size: 100Gi
+    globalMount: /tmp/generated
 
 service:
   type: ClusterIP
@@ -115,5 +139,3 @@ ingress:
       hosts:
         - ai.dc
 
-image:
-  pullPolicy: IfNotPresent

projects/ai/values/qdrant.yml

@@ -0,0 +1,49 @@
+image:
+  repository: docker.io/qdrant/qdrant
+  pullPolicy: IfNotPresent
+  tag: "v1.12.1"
+  useUnprivilegedImage: true
+
+env:
+  - name: QDRANT__TELEMETRY_DISABLED
+    value: "true"
+
+ingress:
+  enabled: false
+  ingressClassName: ""
+  additionalLabels: {}
+  annotations: {}
+    # kubernetes.io/ingress.class: alb
+  hosts:
+    - host: example-domain.com
+      paths:
+        - path: /
+          pathType: Prefix
+          servicePort: 6333
+  tls: []
+    # - hosts:
+    #    - example-domain.com
+    #   secretName: tls-secret-name
+
+updateVolumeFsOwnership: false
+
+persistence:
+  accessModes: ["ReadWriteOnce"]
+  size: 10Gi
+  storageClassName: ssd
+
+# modification example for configuration to overwrite defaults
+config:
+  cluster:
+    enabled: false
+
+# api key for authentication at qdrant
+# false: no api key will be configured
+# true: an api key will be auto-generated
+# string: the given string will be set as an apikey
+apiKey: true
+# read-only api key for authentication at qdrant
+# false: no read-only api key will be configured
+# true: an read-only api key will be auto-generated
+# string: the given string will be set as a read-only apikey
+readOnlyApiKey: true

projects/argocd/values/argocd.yaml

@@ -8,7 +8,7 @@ installCRDs: true
 global:
   image:
     repository: quay.io/argoproj/argocd
-    tag: v2.10.1
+    tag: v2.12.6
 #    imagePullPolicy: IfNotPresent
   securityContext:
     runAsUser: 999
@@ -176,7 +176,7 @@ repoServer:
 
   initContainers:
   - name: copy-cmp-server
-    image: quay.io/argoproj/argocd:v2.10.1
+    image: quay.io/argoproj/argocd:v2.12.6
     command:
     - cp
     - -n

projects/arrstack/project.yaml

@@ -61,17 +61,3 @@ apps:
   - noRoot
   - tmpdirs
   - ingress-internal
-
-- name: unpackerr
-  chart: unpackerr
-  targetRevision: 5.1.0
-  include:
-  - noRoot
-  - tmpdirs
-  - ingress-internal
-  secrets:
-    - name: unpackerr-config
-      keys:
-        - UN_LIDARR_0_API_KEY
-        - UN_RADARR_0_API_KEY
-        - UN_SONARR_0_API_KEY

projects/arrstack/values/bazarr.yaml

@@ -1,6 +1,6 @@
 image:
   repository: ghcr.io/onedr0p/bazarr
-  tag: 1.4.1
+  tag: 1.4.5
 
 ingress:
   main:

projects/arrstack/values/lidarr.yaml

@@ -1,6 +1,6 @@
 image:
   repository: ghcr.io/onedr0p/lidarr
-  tag: 2.1.7.4030
+  tag: 2.4.3.4248
 
 ingress:
   main:

projects/arrstack/values/ombi.yaml

@@ -1,6 +1,6 @@
 image:
   repository: ghcr.io/linuxserver/ombi
-  tag: 4.43.5
+  tag: 4.44.1
 
 ingress:
   main:

projects/arrstack/values/prowlarr.yaml

@@ -9,7 +9,7 @@ image:
   # -- image repository
   repository: ghcr.io/onedr0p/prowlarr-develop
   # @default -- chart.appVersion
-  tag: "1.13"
+  tag: "1.25"
   # -- image pull policy
   pullPolicy: IfNotPresent
 
@@ -80,7 +80,7 @@ metrics:
       # -- image repository
       repository: ghcr.io/onedr0p/exportarr
       # -- image tag
-      tag: v1.6.1
+      tag: v2.0.1
       # -- image pull policy
       pullPolicy: IfNotPresent
     env:

projects/arrstack/values/radarr.yaml

@@ -1,6 +1,6 @@
 image:
   repository: ghcr.io/onedr0p/radarr
-  tag: 5.2.6.8376
+  tag: 5.12.2.9335
 
 env:
   UMASK: "002"

projects/arrstack/values/sonarr.yaml

@@ -1,6 +1,6 @@
 image:
   repository: ghcr.io/onedr0p/sonarr
-  tag: 4.0.1.929
+  tag: 4.0.9.2244
 
 securityContext:
   privileged: true

projects/bi/manifests/kafka.yml

@@ -0,0 +1,139 @@
+apiVersion: kafka.strimzi.io/v1beta2
+kind: Kafka
+metadata:
+  name: bi-cluster
+  namespace: bi
+spec:
+  kafka:
+    version: 3.7.0
+    replicas: 1
+    listeners:
+      - name: plain
+        port: 9092
+        type: internal
+        tls: false
+      - name: tls
+        port: 9093
+        type: internal
+        tls: true
+    config:
+      offsets.topic.replication.factor: 1
+      transaction.state.log.replication.factor: 1
+      transaction.state.log.min.isr: 1
+      default.replication.factor: 1
+      min.insync.replicas: 1
+      inter.broker.protocol.version: "3.7"
+    storage:
+      type: jbod
+      volumes:
+      - id: 0
+        type: persistent-claim
+        size: 100Gi
+        deleteClaim: false
+  zookeeper:
+    replicas: 1
+    storage:
+      type: persistent-claim
+      size: 100Gi
+      deleteClaim: false
+  entityOperator:
+    topicOperator: {}
+    userOperator: {}
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: bi-input
+  namespace: bi
+  labels:
+    strimzi.io/cluster: bi-cluster
+spec:
+  partitions: 1
+  replicas: 1
+  config:
+    retention.ms: 7200000
+    segment.bytes: 1073741824
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: bi-output
+  namespace: bi
+  labels:
+    strimzi.io/cluster: bi-cluster
+spec:
+  partitions: 1
+  replicas: 1
+  config:
+    retention.ms: 7200000
+    segment.bytes: 1073741824
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: agent-registry
+  namespace: bi
+  labels:
+    strimzi.io/cluster: bi-cluster
+spec:
+  partitions: 24
+  replicas: 1
+  config:
+    retention.ms: 7200000
+    segment.bytes: 1073741824
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: agent-main-input
+  namespace: bi
+  labels:
+    strimzi.io/cluster: bi-cluster
+spec:
+  partitions: 1
+  replicas: 1
+  config:
+    retention.ms: 7200000
+    segment.bytes: 1073741824
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: discord-input
+  namespace: bi
+  labels:
+    strimzi.io/cluster: bi-cluster
+spec:
+  partitions: 1
+  replicas: 1
+  config:
+    retention.ms: 7200000
+    segment.bytes: 1073741824
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: agent-researcher-input
+  namespace: bi
+  labels:
+    strimzi.io/cluster: bi-cluster
+spec:
+  partitions: 1
+  replicas: 1
+  config:
+    retention.ms: 7200000
+    segment.bytes: 1073741824
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: KafkaTopic
+metadata:
+  name: agent-researcher-config
+  namespace: bi
+  labels:
+    strimzi.io/cluster: bi-cluster
+spec:
+  partitions: 1
+  replicas: 1
+  config:
+    retention.ms: 7200000
+    segment.bytes: 1073741824

projects/bi/manifests/mongo.yml

@@ -0,0 +1,22 @@
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: bi-mongo
+  namespace: bi
+spec:
+  members: 1
+  type: ReplicaSet
+  version: "6.0.5"
+  security:
+    authentication:
+      modes: ["SCRAM"]
+  users:
+    - name: bi
+      db: bi
+      passwordSecretRef:
+        name: bi-mongo-password
+      roles:
+        - name: dbOwner
+          db: bi
+      scramCredentialsSecretName: bi

projects/bi/project.yaml

@@ -0,0 +1,33 @@
+config:
+  description: Bi Agent Framework
+
+apps:
+- name: bi
+  namespace: bi
+  repo: bjw-s
+  chart: app-template
+  targetRevision: 3.2.1
+  secrets:
+    - name: bibot
+      keys:
+        - discord-token
+        - ombi-api-key
+        - prompt-template
+        - instruct-template
+        - OPENWEATHERMAP_API_KEY
+  ignoreDiff:
+  - group: apps
+    kind: Deployment
+    jsonPointers:
+    - /spec/replicas
+
+# - name: mongo-express
+#   repoURL: https://cowboysysop.github.io/charts/
+#   chart: mongo-express
+#   targetRevision: 6.5.2
+#   secrets:
+#     - name: mongo-express
+#       keys:
+#         - mongodb-admin-password
+#         - site-cookie-secret
+#         - site-session-secret

projects/bi/values/bi.yml

@@ -0,0 +1,182 @@
+controllers:
+  # main agent
+  main:
+    containers:
+      main:
+        image:
+          repository: reg.dc/bi
+          tag: latest
+          pullPolicy: Always
+        env:
+          BIBOT_CONFIG: /config/bibot.yml
+          BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
+          BIBOT_MONGODB__URI: mongodb://bi-mongo-svc:27017/
+          BIBOT_MONGODB__USER:
+            valueFrom:
+              secretKeyRef:
+                name: bi-mongo-bi-bi
+                key: username
+          BIBOT_MONGODB__PASSWORD:
+            valueFrom:
+              secretKeyRef:
+                name: bi-mongo-bi-bi
+                key: password
+          PHOENIX_COLLECTOR_ENDPOINT: http://phoenix.phoenix.svc.cluster.local:6006
+          PHOENIX_PROJECT_NAME: bi
+        command: ["python3"]
+        args: ["/app/bi/agents/main/app.py", "worker", "-l", "info"]
+
+  controller:
+    containers:
+      main:
+        image:
+          repository: reg.dc/bi
+          tag: latest
+          pullPolicy: Always
+        env:
+          BIBOT_CONFIG: /config/bibot.yml
+          BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
+          BIBOT_MONGODB__URI: mongodb://bi-mongo-svc:27017/
+          BIBOT_MONGODB__USER:
+            valueFrom:
+              secretKeyRef:
+                name: bi-mongo-bi-bi
+                key: username
+          BIBOT_MONGODB__PASSWORD:
+            valueFrom:
+              secretKeyRef:
+                name: bi-mongo-bi-bi
+                key: password
+        command: ["python3"]
+        args: ["/app/bi/controller.py", "worker", "-l", "info"]
+
+  discord:
+    containers:
+      main:
+        image:
+          repository: reg.dc/bi
+          tag: latest
+          pullPolicy: Always
+    
+        command: ["python3"]
+        args: ["/app/bi/connectors/discord/app.py", "worker", "-l", "info"]
+
+        env:
+          BIBOT_KAFKA__BROKER: bi-cluster-kafka-bootstrap:9092
+          BIBOT_MONGODB__URI: mongodb://bi-mongo-svc:27017/
+          BIBOT_MONGODB__USER:
+            valueFrom:
+              secretKeyRef:
+                name: bi-mongo-bi-bi
+                key: username
+          BIBOT_MONGODB__PASSWORD:
+            valueFrom:
+              secretKeyRef:
+                name: bi-mongo-bi-bi
+                key: password
+          OPENAI_API_KEY: fake
+          BIBOT_DISCORD__TOKEN:
+            valueFrom:
+              secretKeyRef:
+                name: bibot
+                key: discord-token
+
+          ## Prod:
+          BIBOT_DISCORD__CHANNELS: "1216440541064200192"
+          # Dev:
+          # BIBOT_DISCORD_CHANNELS: "1217418069693960223"
+        probes:
+          liveness: 
+            enabled: false
+          readiness: 
+            enabled: false
+          startup: 
+            enabled: false
+
+  researcher:
+    containers:
+      main:
+        image:
+          repository: reg.dc/bi
+          tag: latest
+          pullPolicy: Always
+        env:
+          BIBOT_CONFIG: /config/bibot.yml
+          BIBOT_OPENAI__TEMPERATURE: "0.0"
+          BIBOT_KAFKA__BROKER: kafka://bi-cluster-kafka-bootstrap:9092
+          BIBOT_MONGODB__URI: mongodb://bi-mongo-svc:27017/
+          BIBOT_MONGODB__USER:
+            valueFrom:
+              secretKeyRef:
+                name: bi-mongo-bi-bi
+                key: username
+          BIBOT_MONGODB__PASSWORD:
+            valueFrom:
+              secretKeyRef:
+                name: bi-mongo-bi-bi
+                key: password
+          OPENWEATHERMAP_API_KEY:
+            valueFrom:
+              secretKeyRef:
+                name: bibot
+                key: OPENWEATHERMAP_API_KEY
+          PHOENIX_COLLECTOR_ENDPOINT: http://phoenix.phoenix.svc.cluster.local:6006
+          PHOENIX_PROJECT_NAME: bi
+        command: ["python3"]
+        args: ["/app/bi/agents/researcher/app.py", "worker", "-l", "info"]
+
+  mongoui:
+    containers:
+      main:
+        image:
+          repository: ugleiton/mongo-gui
+          tag: latest
+          pullPolicy: Always
+        env:
+          MONGO_URL:
+            valueFrom:
+              secretKeyRef:
+                name: bi-mongo-bi-bi
+                key: connectionString.standardSrv
+
+persistence:
+  secret:
+    name: bibot
+    enabled: true
+    type: secret
+
+  config:
+    name: bibot-config
+    enabled: true
+    type: configMap
+
+  data:
+    size: 10Gi
+    type: persistentVolumeClaim
+    accessMode: ReadWriteOnce
+
+service:
+  main:
+    controller: mongoui
+    ports:
+      http:
+        port: 4321
+    type: ClusterIP
+
+ingress:
+  main:
+    annotations:
+      cert-manager.io/cluster-issuer: vault-issuer
+    enabled: true
+    hosts:
+    - host: mongo.dc
+      paths:
+      - path: /
+        service:
+          # name: main
+          identifier: main
+          port: 4321
+    tls:
+    - hosts:
+      - mongo.dc
+      secretName: mongo-tls

projects/bi/values/mongo-express.yml

@@ -0,0 +1,50 @@
+ingress:
+  enabled: true
+  ingressClassName: "ingress-internal"
+  pathType: ImplementationSpecific
+
+  annotations:
+    cert-manager.io/cluster-issuer: vault-issuer
+
+  hosts:
+    - host: mongo.dc
+      paths:
+        - /
+
+  tls:
+    - secretName: mongo-express-tls
+      hosts:
+        - mongo.dc
+
+## @param mongodbServer MongoDB host name or IP address
+mongodbServer: bi-mongo-svc.bi.svc.cluster.local
+
+## @param mongodbPort MongoDB port
+mongodbPort: 27017
+
+## @param mongodbEnableAdmin Enable administrator access
+mongodbEnableAdmin: true
+
+## @param mongodbAdminUsername Administrator username
+mongodbAdminUsername: admin
+
+## @param mongodbAdminPassword Administrator password
+# mongodbAdminPassword: ""
+
+## @param siteBaseUrl Set the express baseUrl to ease mounting at a subdirectory
+siteBaseUrl: /
+
+## @param basicAuthUsername Mongo Express web login name
+basicAuthUsername: ""
+
+## @param basicAuthPassword Mongo Express web login password
+basicAuthPassword: ""
+
+## @param existingSecret Name of existing Secret to use
+existingSecret: "mongo-express"
+
+## @param existingSecretKeyMongodbAdminPassword Key in existing Secret that contains administrator password
+# existingSecretKeyMongodbAdminPassword: bi-mongo-admin-admin
+
+## @param existingSecretKeyMongodbAuthPassword Key in existing Secret that contains database password
+# existingSecretKeyMongodbAuthPassword: bi-mongo-admin-admin

projects/core/manifests/cloudflare-ddns.yml

@@ -0,0 +1,73 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cloudflare-ddns-gnu
+  namespace: core
+spec:
+  schedule: "*/15 * * * *"
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3  
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: cloudflare-ddns
+              image: mirioeggmann/cloudflare-ddns:v0.5.1
+              envFrom:
+                - secretRef:
+                    name: cloudflare-ddns-gnu
+          restartPolicy: OnFailure
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  annotations:
+  name: cloudflare-ddns-gnu
+  namespace: core
+spec:
+  keys:
+  - API_TOKEN
+  - NAME
+  - RECORD_ID
+  - ZONE_ID
+  - PROXIED
+  path: heqet/core/cloudflare-ddns-gnu
+  type: Opaque
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: cloudflare-ddns-nold
+  namespace: core
+spec:
+  schedule: "*/15 * * * *"
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3  
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: cloudflare-ddns
+              image: mirioeggmann/cloudflare-ddns:v0.5.1
+              envFrom:
+                - secretRef:
+                    name: cloudflare-ddns-nold
+          restartPolicy: OnFailure
+---
+apiVersion: ricoberger.de/v1alpha1
+kind: VaultSecret
+metadata:
+  annotations:
+  name: cloudflare-ddns-nold
+  namespace: core
+spec:
+  keys:
+  - API_TOKEN
+  - NAME
+  - RECORD_ID
+  - ZONE_ID
+  - PROXIED
+  path: heqet/core/cloudflare-ddns-nold
+  type: Opaque

projects/core/project.yml

@@ -42,29 +42,40 @@ apps:
   namespace: ingress-internal
   repoURL: https://kubernetes.github.io/ingress-nginx
   chart: ingress-nginx
-  targetRevision: 4.9.1
+  targetRevision: 4.11.1
   syncWave: '0'
 
 - name: cilium
   existingNamespace: kube-system
   repoURL: https://helm.cilium.io
   chart: cilium
-  targetRevision: 1.15.1
+  targetRevision: 1.15.9
 
 - name: external-dns
   repoURL: https://kubernetes-sigs.github.io/external-dns
   chart: external-dns
-  targetRevision: 1.14.3
+  targetRevision: 1.14.5
   secrets:
   - name: cloudflare-api
     keys:
     - CF_API_TOKEN
 
+- name: external-dns-adguard
+  repoURL: https://kubernetes-sigs.github.io/external-dns
+  chart: external-dns
+  targetRevision: 1.14.5
+  secrets:
+  - name: adguard-config
+    keys:
+    - ADGUARD_URL
+    - ADGUARD_USER
+    - ADGUARD_PASSWORD
+
 - name: cert-manager
   namespace: cert-manager
   repoURL: https://charts.jetstack.io
   chart: cert-manager
-  targetRevision: v1.14.2
+  targetRevision: v1.15.3
   secrets:
   - name: cert-manager-vault-approle
     keys:

projects/core/values/cert-manager.yaml

@@ -23,7 +23,13 @@ global:
   # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
   logLevel: 2
 
-installCRDs: true
+  leaderElection:
+    namespace: "cert-manager"
+
+crds:
+  enabled: true
+
+    
 replicaCount: 1
 
 strategy:

projects/core/values/external-dns-adguard.yaml

@@ -0,0 +1,104 @@
+# Default values for external-dns.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  repository: registry.k8s.io/external-dns/external-dns
+  tag: "v0.15.0"
+  pullPolicy: IfNotPresent
+
+shareProcessNamespace: false
+
+podSecurityContext:
+  fsGroup: 65534
+
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 65534
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop: ["ALL"]
+
+# Defaults to `ClusterFirst`.
+# Valid values are: `ClusterFirstWithHostNet`, `ClusterFirst`, `Default` or `None`.
+dnsPolicy:
+
+serviceMonitor:
+  enabled: false
+  additionalLabels: {}
+  interval: 1m
+  scrapeTimeout: 10s
+
+resources:
+  limits:
+    memory: 50Mi
+    cpu: 200m
+  requests:
+    memory: 50Mi
+    cpu: 10m
+
+logLevel: info
+logFormat: text
+
+interval: 1m
+triggerLoopOnEvent: false
+
+sources:
+  - ingress
+#  - service
+
+policy: upsert-only
+
+registry: txt
+txtOwnerId: ""
+txtPrefix: ""
+txtSuffix: ""
+
+domainFilters:
+  - dc
+
+#extraArgs:
+
+deploymentStrategy:
+  type: Recreate
+
+provider:
+    name: webhook
+    webhook:
+      image: 
+        repository: ghcr.io/muhlba91/external-dns-provider-adguard
+        tag: latest
+      livenessProbe:
+        httpGet:
+          path: /healthz
+          port: 8888
+        initialDelaySeconds: 10
+        timeoutSeconds: 5
+      readinessProbe:
+        httpGet:
+          path: /healthz
+          port: 8888
+        initialDelaySeconds: 10
+        timeoutSeconds: 5
+      env:
+        - name: LOG_LEVEL
+          value: debug
+        - name: ADGUARD_URL
+          valueFrom:
+            secretKeyRef:
+              name: adguard-config
+              key: ADGUARD_URL
+        - name: ADGUARD_USER
+          valueFrom:
+            secretKeyRef:
+              name: adguard-config
+              key: ADGUARD_USER
+        - name: ADGUARD_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: adguard-config
+              key: ADGUARD_PASSWORD
+        - name: SERVER_HOST
+          value: "0.0.0.0" 
+        - name: DRY_RUN
+          value: "false"  

projects/core/values/external-dns.yaml

@@ -3,8 +3,8 @@
 # Declare variables to be passed into your templates.
 
 image:
-  repository: k8s.gcr.io/external-dns/external-dns
+  repository: registry.k8s.io/external-dns/external-dns
-  tag: "v0.13.4"
+  tag: "v0.15.0"
   pullPolicy: IfNotPresent
 
 shareProcessNamespace: false

projects/crossplane/project.yml

@@ -6,7 +6,7 @@ apps:
 - name: crossplane
   repoURL: https://charts.crossplane.io/stable
   chart: crossplane
-  targetRevision: 1.14.5
+  targetRevision: 1.16.0
   secrets:
   - name: terraform
     keys:

projects/downloader/values/qbittorrent.yaml

@@ -1,7 +1,7 @@
 ---
 image:
   repository: ghcr.io/onedr0p/qbittorrent
-  tag: 4.6.3
+  tag: 4.6.7
 
 ingress:
   main:

projects/forgejo/values/forgejo.yml

@@ -13,7 +13,7 @@ strategy:
 image:
   registry: codeberg.org
   repository: forgejo/forgejo
-  tag: "1.21"
+  tag: "7.0"
   rootless: true
 
 podSecurityContext:

projects/forgejo/values/gitea.yaml

@@ -3,7 +3,7 @@ image:
   registry: "codeberg.org"
   repository: forgejo/forgejo
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "1.21.5-0"
+  tag: "1.21.11-0"
   pullPolicy: Always
   rootless: true
 

projects/grafana/project.yml

@@ -5,26 +5,17 @@ apps:
 - name: kube-prometheus-stack
   repoURL: https://prometheus-community.github.io/helm-charts
   chart: kube-prometheus-stack
-  targetRevision: 55.11.0
+  targetRevision: 60.5.0
   secrets:
     - name: grafana
       keys:
         - admin-password
         - admin-user
-  helm:
-    skipCrds: true
-
-- name: kube-prometheus-crds
-  repoURL: https://github.com/prometheus-community/helm-charts.git
-  path: charts/kube-prometheus-stack/crds/
-  targetRevision: kube-prometheus-stack-46.8.0
-  directory:
-    recurse: true
   syncPolicy:
     syncOptions:
-      - Replace=true
+      - ServerSideApply=true
 
-- name: loki-stack
+# - name: loki-stack
-  repoURL: https://grafana.github.io/helm-charts
+#   repoURL: https://grafana.github.io/helm-charts
-  chart: loki-stack
+#   chart: loki-stack
-  targetRevision: 2.10.1
+#   targetRevision: 2.10.2

projects/grafana/values/loki-stack.yaml

@@ -2,7 +2,7 @@ loki:
   enabled: true
   image:
     repository: grafana/loki
-    tag: 2.9.4
+    tag: 3.2.1
 
 promtail:
   enabled: true

projects/grafana/values/prometheus.yaml

@@ -8,7 +8,7 @@ nodeExporter:
   enabled: true
   image:
     repository: quay.io/prometheus/node-exporter
-    tag: v1.7.0
+    tag: v1.8.2
 
   hostNetwork: true
   hostPID: true
@@ -24,7 +24,7 @@ server:
   enabled: true
   image:
     repository: quay.io/prometheus/prometheus
-    tag: v2.49.1
+    tag: v2.54.1
  
   strategy:
     type: Recreate

projects/homeassistant/values/homeassistant.yaml

@@ -4,7 +4,7 @@ controllers:
       main:
         image:
           repository: homeassistant/home-assistant
-          tag: "2024.2"
+          tag: "2024.10"
 
         env:
           TZ: Europe/Berlin

projects/homeassistant/values/influx.yaml

@@ -1,6 +1,6 @@
 image:
   repository: influxdb
-  tag: 2.7.5-alpine
+  tag: 2.7.10-alpine
   pullPolicy: IfNotPresent
   ## If specified, use these secrets to access the images
   # pullSecrets:

projects/homeassistant/values/nodered.yaml

@@ -172,7 +172,7 @@ sidecar:
     # -- The image repository to pull from
     repository: kiwigrid/k8s-sidecar
     # -- The image tag to pull, default: `1.23.1`
-    tag: 1.25.4
+    tag: 1.28.0
     # -- The image pull policy, default: `IfNotPresent`
     pullPolicy: IfNotPresent
   # -- The extra volume mounts for the sidecar

projects/homeassistant/values/wmbusmeters.yml

@@ -33,7 +33,7 @@ configMaps:
         format=json
         logfile=/dev/stdout
         donotprobe=/dev/ttyACM0
-        shell=/usr/bin/mosquitto_pub -h mqtt.lan -t wmbusmeters/"$METER_ID" -m "$METER_JSON"
+        shell=/usr/bin/mosquitto_pub -h 192.168.1.20 -t wmbusmeters/"$METER_ID" -m "$METER_JSON"
         ignoreduplicates=false
 
   meters:

projects/homer/project.yml

@@ -4,7 +4,7 @@ apps:
 - name: homer
   repoURL: https://djjudas21.github.io/charts
   chart: homer
-  targetRevision: 8.1.9
+  targetRevision: 8.1.12
   include:
   - ingress-internal
   - noRoot

projects/homer/values/homer.yml

@@ -1,6 +1,6 @@
 image:
   repository: b4bz/homer
-  tag: v23.10.1
+  tag: v24.10.1
 
 initContainers:
   clone-assets:

projects/ingress-external/project.yml

@@ -13,5 +13,5 @@ apps:
 - name: ingress-external
   repoURL: https://kubernetes.github.io/ingress-nginx
   chart: ingress-nginx
-  targetRevision: 4.9.1
+  targetRevision: 4.11.1
   syncWave: '0'

projects/mqtt/values/mosquitto.yaml

@@ -1,6 +1,6 @@
 image:
   repository: eclipse-mosquitto
-  tag: 2.0.18
+  tag: 2.0.20
 
 service:
   main:

projects/mqtt/values/zigbee2mqtt.yaml

@@ -1,6 +1,6 @@
 image:
   repository: koenkk/zigbee2mqtt
-  tag: 1.35.3
+  tag: 1.40.2
 
 service:
   main:

projects/music/project.yaml

@@ -1,5 +1,11 @@
 config:
   desc: Music Streaming
+  networkPolicy:
+    groups:
+    - internet
+
+  labels:
+    environment: external
 
 apps:
   - name: navidrome

projects/music/values/navidrome.yaml

@@ -1,6 +1,6 @@
 image:
   repository: ghcr.io/navidrome/navidrome
-  tag: 0.51.1
+  tag: 0.53.3
 
 env:
   TZ: "Europe/Amsterdam"
@@ -26,20 +26,26 @@ service:
 ingress:
   main:
     enabled: true
-    ingressClassName: "ingress-internal"
+    ingressClassName: "ingress-external"
+    labels:
+      environment: external
     annotations:
-      cert-manager.io/cluster-issuer: vault-issuer
+      #cert-manager.io/cluster-issuer: vault-issuer
-      traefik.ingress.kubernetes.io/router.tls: 'true'
+      nginx.ingress.kubernetes.io/proxy-body-size: 20G
+      kubernetes.io/tls-acme: "true"
+      cert-manager.io/cluster-issuer: letsencrypt
+      external-dns.alpha.kubernetes.io/hostname: music.nold.in
+      external-dns.alpha.kubernetes.io/target: nold.in
+      external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
     hosts:
-    - host: music.dc
+    - host: music.nold.in
       paths:
       - path: /
         pathType: Prefix
     tls:
-    - secretName: music-tls
+    - secretName: music-ext-tls
       hosts:
-      - music.dc
+      - music.nold.in
-
 
 podSecurityContext:
   runAsUser: 568

projects/nextcloud/project.yaml

@@ -5,18 +5,16 @@ config:
     - internet
     rules:
     - allow-minio
+    - allow-localai
 
   labels:
     environment: external
 
 apps:
 - name: nextcloud
-  #repoURL: https://nextcloud.github.io/helm
+  repoURL: https://nextcloud.github.io/helm
-  #chart: nextcloud
+  chart: nextcloud
-  #targetRevision: 3.1.0
+  targetRevision: 5.2.0
-  repoURL: https://github.com/Nold360/nextcloud-helm
-  targetRevision: f/multifix
-  path: charts/nextcloud
   secrets:
   - name: nextcloud-user
     keys:

projects/nextcloud/values/nextcloud.yaml

@@ -1,9 +1,9 @@
 image:
-  tag: 25-fpm
+  tag: 29-fpm
   pullPolicy: Always
 
 nextcloud:
-  host: share.gnu.one
+  host: share.nold.in
   extraEnv:
     - name: HTTP_PROXY
       value: http://proxy-squid.proxy.svc.cluster.local:3128
@@ -76,17 +76,43 @@ ingress:
     cert-manager.io/cluster-issuer: letsencrypt
     traefik.ingress.kubernetes.io/router.tls: 'true'
     kubernetes.io/ingress.class: ingress-external
-    external-dns.alpha.kubernetes.io/hostname: share.gnu.one
+    external-dns.alpha.kubernetes.io/hostname: share.nold.in
-    external-dns.alpha.kubernetes.io/target: gnu.one
+    external-dns.alpha.kubernetes.io/target: nold.in
     external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
 
+    nginx.ingress.kubernetes.io/server-snippet: |-
+      server_tokens off;
+      proxy_hide_header X-Powered-By;
+      rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
+      rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
+      rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+      rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+      location = /.well-known/carddav {
+        return 301 $scheme://$host/remote.php/dav;
+      }
+      location = /.well-known/caldav {
+        return 301 $scheme://$host/remote.php/dav;
+      }
+      location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+      }
+      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+        deny all;
+      }
+      location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
+        deny all;
+      }
+
   tls:
     - secretName: nextcloud-tls
       hosts:
-      - share.gnu.one
+      - share.nold.in
 
 nginx:
   enabled: true
+  containerPort: 8080
 
 cronjob:
   enabled: false

projects/octoprint/chart/values.yaml

@@ -9,7 +9,7 @@ image:
   # -- image repository
   repository: octoprint/octoprint
   # -- image tag
-  tag: 1.9.3-minimal
+  tag: 1.10.2-minimal
   # -- image pull policy
   pullPolicy: IfNotPresent
 

projects/ovos/lai.sh

@@ -1,14 +0,0 @@
-LOCALAI=https://ai.dc
-if [ "$1" == "search" ] ; then
-  curl ${LOCALAI}/models/available | jq ".[] | select(.name | contains(\"${2}\")) | .name"
-elif [ "$1" == "apply" ] ; then
-  STATUS_URL=$(curl -q $LOCALAI/models/apply -H "Content-Type: application/json" -d "{ \"id\": \"${2}\" }" | jq -r .status)
-  STATUS=$(curl -q $STATUS_URL | jq -r .message)
-  while [ "$STATUS" != "completed" ] ; do
-    STATUS=$(curl -q $STATUS_URL | jq -r .message)
-    echo $STATUS
-    sleep 5
-  done
-elif [ "$1" == "list" ] ; then
-  curl -q $LOCALAI/models | jq .
-fi

projects/ovos/project.yaml

@@ -1,13 +0,0 @@
-config:
-  description: OpenVoice OS Services
-
-apps:
-- name: ovos-tts-server
-  repo: bjw-s 
-  chart: app-template
-  targetRevision: 2.4.0
-
-- name: ovos-stt-server
-  repo: bjw-s 
-  chart: app-template
-  targetRevision: 2.4.0

projects/ovos/values/ovos-stt-server.yml

@@ -1,68 +0,0 @@
-controllers:
-  main:
-    containers:
-      main:
-        image:
-          repository: smartgic/ovos-stt-server-fasterwhisper
-          tag: alpha
-          pullPolicy: Always
-
-        env:
-          ## VECTOR_DB: "lancedb"
-
-ingress:
-  main:
-    enabled: true
-    annotations:
-      cert-manager.io/cluster-issuer: vault-issuer
-    hosts:
-    - host: ovos-stt-server.dc
-      paths:
-      - path: /
-        service:
-          name: main
-          port: http
-    tls:
-    - hosts:
-      - ovos-stt-server.dc
-      secretName: ovos-stt-server-tls
-
-configMaps:
-  config:
-    enabled: true
-    data: 
-      mycroft.conf: |
-        {
-          "stt": {
-            "module": "ovos-stt-plugin-fasterwhisper",
-            "ovos-stt-plugin-fasterwhisper": {
-                "model": "medium",
-                "cpu_threads": 8
-            }
-          }
-        }
-
-
-persistence:
-  config:
-    type: configMap
-    enabled: true
-    name: ovos-stt-server-config
-    advancedMounts:
-      main: 
-        main: 
-          - path: /home/ovos/.config/mycroft/mycroft.conf
-            readOnly: true
-            subPath: mycroft.conf
-
-
-securityContext:
-  privileged: false
-
-service:
-  main:
-    ports:
-      http:
-        enabled: true
-        port: 8080
-    type: ClusterIP

projects/ovos/values/ovos-tts-server.yml

@@ -1,75 +0,0 @@
-controllers:
-  main:
-    containers:
-      main:
-        image:
-          repository: docker.io/smartgic/ovos-tts-server-piper
-          tag: alpha
-          pullPolicy: Always
-
-        env:
-          # GID='1000'
-
-ingress:
-  main:
-    annotations:
-      cert-manager.io/cluster-issuer: vault-issuer
-    enabled: true
-    hosts:
-    - host: ovos-tts-server.dc
-      paths:
-      - path: /
-        service:
-          name: main
-          port: http
-    tls:
-    - hosts:
-      - ovos-tts-server.dc
-      secretName: ovos-tts-server-tls
-
-configMaps:
-  config:
-    enabled: true
-    data:
-      mycroft.conf: | 
-        {
-          "tts": {
-            "module": "ovos-tts-plugin-piper",
-            "ovos-tts-plugin-piper": {
-              "model": "alan-low"
-            }
-          }
-        }
-
-persistence:
-  data:
-    type: persistentVolumeClaim
-    enabled: true
-    size: 2Gi
-    storageClass: ssd
-    accessMode: ReadWriteOnce
-    globalMounts:
-      - path: /home/ovos/.local/share/piper_tts
-
-  config:
-    type: configMap
-    enabled: true
-    name: ovos-tts-server-config
-    advancedMounts:
-      main: 
-        main: 
-          - path: /home/ovos/.config/mycroft/mycroft.conf
-            readOnly: true
-            subPath: mycroft.conf
-
-
-securityContext:
-  privileged: false
-
-service:
-  main:
-    ports:
-      http:
-        enabled: true
-        port: 9666
-    type: ClusterIP

projects/paperless/values/paperless.yml

@@ -15,7 +15,7 @@ ingress:
       - paperless.dc
 image:
   repository: ghcr.io/paperless-ngx/paperless-ngx
-  tag: 2.5.3
+  tag: 2.12.1
   pullPolicy: IfNotPresent
 
 # -- See the following files for additional environment variables:

projects/searxng/manifests/config.yml

@@ -0,0 +1,85 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: searxng-config
+  namespace: searxng
+data:
+  settings.yml: |
+    ---
+    use_default_settings:
+      engines:
+        remove:
+          - soundcloud
+
+    server:
+      limiter: false
+      image_proxy: false
+
+    search:
+      default_lang: en
+      formats:
+        - html
+        - json
+    #   autocomplete: google
+
+    general:
+      instance_name: HiveSearch
+
+    ui:
+      static_use_hash: true
+      default_theme: simple
+      theme_args:
+        simple_style: dark
+      infinite_scroll: true
+      results_on_new_tab: true
+
+    enabled_plugins:
+      - Basic Calculator
+      - Hash plugin
+      - Hostname replace
+      - Open Access DOI rewrite
+      - Self Informations
+      - Tracker URL remover
+      - Unit converter plugin
+
+    hostname_replace:
+      (www\.)?reddit\.com$: redlib.rostvik.site
+
+  limiter.toml: |
+    [real_ip]
+
+    # Number of values to trust for X-Forwarded-For.
+
+    x_for = 1
+
+    # The prefix defines the number of leading bits in an address that are compared
+    # to determine whether or not an address is part of a (client) network.
+
+    ipv4_prefix = 32
+    ipv6_prefix = 48
+
+    [botdetection.ip_limit]
+
+    # To get unlimited access in a local network, by default link-lokal addresses
+    # (networks) are not monitored by the ip_limit
+    filter_link_local = true
+
+    # activate link_token method in the ip_limit method
+    link_token = false
+
+    [botdetection.ip_lists]
+
+    # In the limiter, the ip_lists method has priority over all other methods -> if
+    # an IP is in the pass_ip list, it has unrestricted access and it is also not
+    # checked if e.g. the "user agent" suggests a bot (e.g. curl).
+
+    block_ip = [
+    ]
+
+    pass_ip = [
+      '10.0.0.0/24',      # IPv4 private network
+    ]
+
+    # Activate passlist of (hardcoded) IPs from the SearXNG organization,
+    # e.g. `check.searx.space`.
+    pass_searxng_org = false

projects/searxng/project.yaml

@@ -0,0 +1,13 @@
+config:
+  description: Local Meta Search
+
+apps:
+- name: searxng
+  repo: bjw-s 
+  chart: app-template
+  targetRevision: 3.2.1
+  secrets:
+    - name: searxng 
+      keys:
+        - SEARXNG_SECRET
+

projects/searxng/values/searxng.yml

@@ -0,0 +1,97 @@
+controllers:
+  app:
+    replicas: 1
+    strategy: RollingUpdate
+    containers:
+      app:
+        image:
+          repository: searxng/searxng
+          tag: 2024.5.16-2f2d93b29
+
+        env:
+          BASE_URL: https://search.dc
+          AUTOCOMPLETE: "false"
+          INSTANCE_NAME: "HiveSearch"
+
+        envFrom:
+          - secretRef:
+              name: searxng
+
+        # probes:
+        #   liveness: 
+        #     enabled: true
+        #     custom: true
+        #     spec:
+        #       httpGet:
+        #         path: /stats
+        #         port: 8080
+        #       initialDelaySeconds: 0
+        #       periodSeconds: 10
+        #       timeoutSeconds: 1
+        #       failureThreshold: 3
+        #   readiness:
+        #     enabled: true
+        #     custom: true
+        #     spec:
+        #       httpGet:
+        #         path: /stats
+        #         port: 8080
+        #       initialDelaySeconds: 0
+        #       periodSeconds: 10
+        #       timeoutSeconds: 1
+        #       failureThreshold: 3
+
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: false
+          capabilities:
+            drop:
+              - ALL
+            add:
+              - CHOWN
+              - SETGID
+              - SETUID
+              - DAC_OVERRIDE
+        resources:
+          requests:
+            cpu: 10m
+          limits:
+            memory: 3Gi
+
+service:
+  app:
+    controller: app
+    ports:
+      http:
+        port: 8080
+
+persistence:
+  config:
+    type: configMap
+    name: searxng-config
+    advancedMounts:
+      app:
+        app:
+          - path: /etc/searxng/settings.yml
+            subPath: settings.yml
+            readOnly: true
+          - path: /etc/searxng/limiter.toml
+            subPath: limiter.toml
+            readOnly: true
+
+ingress:
+  app:
+    # className: ingress-internal
+    annotations:
+      cert-manager.io/cluster-issuer: vault-issuer
+    hosts:
+      - host: search.dc
+        paths:
+          - path: /
+            service:
+              identifier: app
+              port: http
+    tls:
+      - hosts:
+        - search.dc
+        secretName: searxng-tls

projects/services/project.yml

@@ -11,7 +11,7 @@ apps:
   namespace: s3
   repoURL: https://charts.min.io
   chart: minio
-  targetRevision: 5.0.15
+  targetRevision: 5.2.0
   secrets:
   - name: minio-root
     keys:
@@ -22,10 +22,22 @@ apps:
   namespace: cnpg-system
   repoURL: https://cloudnative-pg.github.io/charts
   chart: cloudnative-pg
-  targetRevision: 0.20.1
+  targetRevision: 0.21.6
 
 - name: redis-operator
   repoURL: https://ot-container-kit.github.io/helm-charts
   namespace: redis-operator
   chart: redis-operator
-  targetRevision: 0.15.9
+  targetRevision: 0.16.4
+
+- name: kafka-operator
+  repoURL: https://strimzi.io/charts
+  namespace: kafka-operator
+  chart: strimzi-kafka-operator
+  targetRevision: 0.41.0
+
+- name: mongodb-operator
+  repoURL: https://mongodb.github.io/helm-charts
+  namespace: mongodb-operator
+  chart: community-operator
+  targetRevision: 0.10.0

projects/services/values/kafka-operator.yml

@@ -0,0 +1 @@
+watchAnyNamespace: true

projects/services/values/mongodb-operator.yml

@@ -0,0 +1,19 @@
+operator:
+  watchNamespace: "*"
+  resources:
+    limits:
+      cpu: 1100m
+      memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 100Mi
+  replicas: 1
+
+  podSecurityContext:
+    runAsNonRoot: true
+    runAsUser: 2000
+
+  securityContext: {}
+
+community-operator-crds:
+  enabled: true

projects/services/values/redis-operator.yaml

@@ -4,67 +4,37 @@
 
 # Name of the image repository to pull the container image from.
 image:
-  repository: quay.io/spotahome/redis-operator
+  repository: ghcr.io/ot-container-kit/redis-operator/redis-operator
   pullPolicy: IfNotPresent
-  tag: v1.2.4
+  #tag: v1.2.4
 
 imageCredentials:
   create: false
-  registry: url.private.registry
-  username: someone
-  password: somepassword
-  email: someone@example.com
-  # Use exists secrets in namespace
-  existsSecrets:
-    - registrysecret
 
 updateStrategy:
   type: RollingUpdate
 
 replicas: 1
 
-# A name in place of the chart name for `app:` labels.
-nameOverride: ""
-
-# A name to substitute for the full names of resources.
-fullnameOverride: ""
-
-serviceAccount:
-  # Enable service account creation.
-  create: true
-  # Annotations to be added to the service account.
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template.
-  name: ""
-
-service:
-  type: ClusterIP
-  port: 9710
-
-container:
-  port: 9710
-
-# Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container).
-# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details.
 securityContext:
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1000
 
-# Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
-# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details.
-# @default -- No requests or limits.
 resources:
   requests:
     cpu: 10m
     memory: 16Mi
   limits:
-    cpu: 100m
+    cpu: 500m
-    memory: 128Mi
+    memory: 500Mi
+
+certificate:
+  secretName: redis-operator-tls
+
+certmanager:
+  enabled: false
 
-### Monitoring
-###############
 monitoring:
   # Enable Prometheus PodMonitor to monitor the operator.
   enabled: false

projects/speech/project.yaml

@@ -1,13 +0,0 @@
-config:
-  description: STT & TTS Services
-
-apps:
-- name: whisper
-  repo: bjw-s 
-  chart: app-template
-  targetRevision: 1.5.0
-
-- name: piper
-  repo: bjw-s 
-  chart: app-template
-  targetRevision: 1.5.0

projects/speech/values/piper.yaml

@@ -1,55 +0,0 @@
-image:
-  repository: rhasspy/wyoming-piper  
-  tag: latest
-  pullPolicy: Always
-
-args:
-  - --voice
-  #  - en-US-danny-low
-  - en-us-lessac-low
-
-service:
-  main:
-    type: ClusterIP
-    # externalTrafficPolicy: Local
-    # annotations:
-    #   metallb.universe.tf/allow-shared-ip: iot
-    #   metallb.universe.tf/address-pool: iot
-    ports:
-      http:
-        enabled: false
-      tcp:
-        enabled: true
-        port: 10200
-        protocol: TCP
-        primary: true
-
-persistence:
-  data:
-    enabled: true
-    type: pvc
-    mountPath: /data
-    accessMode: ReadWriteOnce
-    storageClass: ssd
-    size: 10Gi
-
-  tmp:
-    enabled: true
-    type: emptyDir
-    mountPath: /tmp
-
-podSecurityContext:
-  runAsUser: 1001
-  runAsGroup: 10000
-  fsGroup: 10000
-
-securityContext:
-  runAsUser: 1001
-  runAsGroup: 10000
-  runAsNonRoot: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-    - ALL

projects/speech/values/whisper.yaml

@@ -1,55 +0,0 @@
-image:
-  repository: rhasspy/wyoming-whisper  
-  tag: latest 
-  pullPolicy: Always
-
-args:
-  - --model 
-#  - medium-int8
-  - small-int8
-  - --language
-  - en
-
-env:
-  OMP_NUM_THREADS: "8"
-
-service:
-  main:
-    type: LoadBalancer
-    externalTrafficPolicy: Local
-    annotations:
-       metallb.universe.tf/allow-shared-ip: iot
-       metallb.universe.tf/address-pool: iot
-    ports:
-      http:
-        enabled: false
-      tcp:
-        enabled: true
-        port: 10300
-        protocol: TCP
-        primary: true
-
-persistence:
-  data:
-    enabled: true
-    type: pvc
-    mountPath: /data
-    accessMode: ReadWriteOnce
-    storageClass: ssd
-    size: 10Gi
-
-podSecurityContext:
-  runAsUser: 1001
-  runAsGroup: 10000
-  fsGroup: 10000
-
-securityContext:
-  runAsUser: 1001
-  runAsGroup: 10000
-  runAsNonRoot: true
-  privileged: false
-  readOnlyRootFilesystem: true
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-    - ALL

projects/vault/project.yml

@@ -5,7 +5,7 @@ apps:
 - name: vault
   repoURL: https://helm.releases.hashicorp.com
   chart: vault
-  targetRevision: 0.27.0
+  targetRevision: 0.28.1
   syncWave: '-3'
   ignoreDiff:
     - group: "*"
@@ -18,5 +18,5 @@ apps:
   namespace: vault-secrets-operator
   repoURL: https://ricoberger.github.io/helm-charts
   chart: vault-secrets-operator
-  targetRevision: 2.5.6
+  targetRevision: 2.5.10
   syncWave: '-2'

projects/vault/values/vault.yaml

@@ -5,13 +5,13 @@ global:
     enable: false
 
 injector:
-  enabled: true
+  enabled: false
 
 server:
   enabled: true
   image:
     repository: "hashicorp/vault"
-    tag: "1.15.5"
+    tag: "1.18.0"
   auditStorage:
     accessMode: ReadWriteOnce
     annotations: {}

projects/woodpecker/manifests/netpol.yaml

@@ -0,0 +1,16 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-kubeapi
+  namespace: woodpecker
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: agent
+  egress:
+  - toEntities:
+    - kube-apiserver
+  - toPorts:
+    - ports:
+      - port: "6443"
+        protocol: TCP

projects/woodpecker/project.yml

@@ -6,6 +6,8 @@ config:
   networkPolicy:
     groups:
     - internet
+    rules:
+    - allow-agent
 
   labels:
     environment: external
@@ -13,7 +15,7 @@ config:
 
 apps:
   - name: woodpecker-server
-    path: charts/server
+    path: charts/woodpecker/charts/server
     secrets:
       - name: github-oauth
         keys:
@@ -24,8 +26,11 @@ apps:
           - WOODPECKER_AGENT_SECRET
 
   - name: woodpecker-agent
+    path: charts/woodpecker/charts/agent
     namespace: woodpecker-agent
-    path: charts/agent
+    networkPolicy:
+      rules:
+      - allow-agent
     secrets:
       - name: woodpecker-secret
         fromApp: woodpecker-server

projects/woodpecker/values/woodpecker-agent.yaml

@@ -1,45 +0,0 @@
-replicaCount: 2
-
-image:
-  registry: docker.io
-  repository: woodpeckerci/woodpecker-agent
-  pullPolicy: Always
-  tag: "next"
-
-env:
-  WOODPECKER_SERVER: "woodpecker-server.woodpecker.svc.cluster.local:9000"
-  WOODPECKER_BACKEND: kubernetes
-  WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-agent
-  WOODPECKER_BACKEND_K8S_STORAGE_CLASS: "ssd"
-  WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 1G
-  WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
-
-dind:
-  enabled: false
-
-extraSecretNamesForEnvFrom:
-- woodpecker-secret
-
-serviceAccount:
-  create: true
-  rbac:
-    create: true
-
-podSecurityContext:
-  fsGroup: 2000
-
-securityContext:
-  capabilities:
-    drop:
-    - ALL
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 1000
-
-resources:
-  limits:
-    cpu: 4000m
-    memory: 1024Mi
-  requests:
-    cpu: 100m
-    memory: 128Mi

projects/woodpecker/values/woodpecker-agent.yml

@@ -0,0 +1,56 @@
+# -- The number of replicas for the deployment
+replicaCount: 2
+
+image:
+  registry: docker.io
+  repository: woodpeckerci/woodpecker-agent
+  pullPolicy: Always
+  tag: 'next'
+
+env:
+  # -- Add the environment variables for the agent component
+  WOODPECKER_SERVER: 'woodpecker-server.woodpecker.svc.cluster.local:9000'
+  WOODPECKER_BACKEND: kubernetes
+  WOODPECKER_BACKEND_K8S_NAMESPACE: woodpecker-agent
+  WOODPECKER_BACKEND_K8S_STORAGE_CLASS: 'ssd'
+  WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 10G
+  WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
+  WOODPECKER_BACKEND_K8S_POD_LABELS: ''
+  WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS: ''
+  WOODPECKER_CONNECT_RETRY_COUNT: '1'
+
+# -- Add extra secret that is contains environment variables
+extraSecretNamesForEnvFrom:
+  - woodpecker-secret
+
+persistence:
+  enabled: true
+  size: 1Gi
+  storageClass: 'ssd'
+  accessModes:
+    - ReadWriteOnce
+
+# -- Add pod security context
+podSecurityContext:
+  runAsUser: 1000
+  runAsGroup: 2000
+  fsGroup: 2000
+
+# -- Add security context
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 2000
+
+# -- Specifies the resources for the agent component
+resources:
+  limits:
+    cpu: 2000m
+    memory: 1024Mi
+  requests:
+    cpu: 10m
+    memory: 10Mi

projects/woodpecker/values/woodpecker-server.yml

@@ -1,15 +1,16 @@
-replicaCount: 1
+statefulSet:
+  replicaCount: 1
+
+updateStrategy:
+  type: RollingUpdate
 
 image:
   registry: docker.io
   repository: woodpeckerci/woodpecker-server
   pullPolicy: Always
-  # Overrides the image tag whose default is the chart appVersion.
+  tag: 'next'
-  tag: "next"
-
-dind:
-  enabled: false
 
+# -- Add environment variables for the server component
 env:
   WOODPECKER_OPEN: "false"
   WOODPECKER_ADMIN: "Nold360"
@@ -25,15 +26,20 @@ env:
   no_proxy: localhost,.cluster.local,10.43.0.1
 
 
+# -- Add extra environment variables from the secrets list
 extraSecretNamesForEnvFrom:
-- github-oauth
+  - woodpecker-secret
-- woodpecker-secret
+  - github-oauth
+
+# -- Create a generic secret to store things in, e.g. env values
+secrets:
+  - name: woodpecker-store
 
 persistentVolume:
   enabled: true
   size: 10Gi
-  mountPath: "/var/lib/woodpecker"
+  mountPath: '/var/lib/woodpecker'
-  storageClass: "local-path"
+  storageClass: ''
 
 podSecurityContext:
   fsGroup: 2000
@@ -46,10 +52,6 @@ securityContext:
   runAsNonRoot: true
   runAsUser: 1000
 
-service:
-  type: ClusterIP
-  port: 80
-
 ingress:
   enabled: true
   ingressClassName: ingress-external
@@ -72,6 +74,7 @@ ingress:
       hosts:
         - ci.nold.in
 
+# -- Specifies the ressources for the server component
 resources:
   limits:
     cpu: 500m

projects/workflows/project.yml

@@ -5,7 +5,7 @@ apps:
 - name: argo-workflows
   repoURL: https://argoproj.github.io/argo-helm
   chart: argo-workflows
-  targetRevision: 0.40.11
+  targetRevision: 0.41.11
   # secrets:
   # - name: argocd-secret
   #   keys:

resources/networkpolicy.yml

@@ -141,3 +141,22 @@ networkPolicy:
         - namespaceSelector:
             matchLabels:
               app.heqet.gnu.one/project: argocd
+
+    # Allow access to internet proxy
+    allow-localai:
+      podSelector: {}
+      policyTypes:
+      - Egress
+      egress:
+      - ports:
+        - port: 80
+          protocol: TCP
+        - port: 8080
+          protocol: TCP
+        to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: local-ai
+        - namespaceSelector:
+            matchLabels:
+              app.heqet.gnu.one/project: ai