bump version

53ll/values.yaml.gotmpl

@@ -0,0 +1,52 @@
+image:
+  debug: true
+
+ghostBlogTitle: 53rd Parallel Photography
+ghostHost: https://53ll.ca
+ghostUsername: {{ requiredEnv "GHOST_53LL_USER_NAME" }}
+existingSecret: ghost-53ll-user-secret
+
+allowEmptyPassword: false
+
+
+readinessProbe:
+  enabled: false
+
+resources:
+  limits:                        
+    cpu: 500m                    
+    ephemeral-storage: 2Gi
+    memory: 250Mi
+  requests:
+    cpu: 10m
+    ephemeral-storage: 50Mi
+    memory: 128Mi
+persistence:
+  size: 1Gi
+
+smtpHost: "smtp.sendgrid.net"
+smtpPort: 465
+smtpUser: "apikey"
+smtpService: "SendGrid"
+smtpProtocol: "tls"
+smtpExistingSecret: 53ll-smtp-password
+
+mysql:
+  enabled: false
+externalDatabase:
+  host: mariadb.datastore.svc.cluster.local
+  user: 53ll_ghost
+  database: 53ll_ghost
+  existingSecret: ghost-53ll-db-secret
+   
+updateStrategy:
+  type: Recreate
+
+service:
+  type: ClusterIP    
+ingress:
+  enabled: true
+  hostname: 53ll.ca
+  tls: true
+  annotations:
+    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" 

gitea/values.yaml.gotmpl

@@ -0,0 +1,94 @@
+gitea:
+  config:
+    server:
+      ROOT_URL: https://git.incngrnt.ca/
+      MINIMUM_KEY_SIZE_CHECK: false
+    service:
+      DISABLE_REGISTRATION: true
+    database:
+      DB_TYPE: postgres
+    indexer:
+      ISSUE_INDEXER_TYPE: bleve
+      REPO_INDEXER_ENABLED: true
+    cron:
+      enabled: true
+    repository:
+      DISABLE_DOWNLOAD_SOURCE_ARCHIVES: true
+  additionalConfigFromEnvs:
+    - name: GITEA__DATABASE__HOST
+      valueFrom:
+        secretKeyRef:
+          name: postgres-pguser-gitea
+          key: host 
+    - name: GITEA__DATABASE__NAME
+      valueFrom:
+        secretKeyRef:
+          name: postgres-pguser-gitea
+          key: dbname  
+    - name: GITEA__DATABASE__USER
+      valueFrom:
+        secretKeyRef:
+          name: postgres-pguser-gitea
+          key: user
+    - name: GITEA__DATABASE__PASSWD
+      valueFrom:
+        secretKeyRef:
+          name: postgres-pguser-gitea
+          key: password
+  admin:
+    password: {{ requiredEnv "GITEA_ADMIN_PASSWORD" }}
+
+strategy:
+  type: Recreate
+
+ingress:
+  enabled: true
+  hosts:
+    - host: git.incngrnt.ca
+      paths:
+        - path: "/"
+          pathType: Prefix
+  annotations:
+    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
+
+service:
+  ssh:
+    type: ClusterIP
+    port: 22
+    clusterIP:
+      
+actions:
+  enabled: true
+  giteaRootURL: https://git.incngrnt.ca
+  existingSecret: gitea-runner-token
+  existingSecretKey: token
+  provisioning:
+    enabled: false
+  persistence:
+    enabled: false
+redis:
+  enabled: true
+redis-cluster:
+  enabled: false
+postgresql:
+  enabled: false
+postgresql-ha:
+  enabled: false
+
+
+extraDeploy:
+- apiVersion: traefik.io/v1alpha1
+  kind: IngressRouteTCP
+  metadata:
+    name: gitea-ssh
+    namespace: gitea
+    labels:
+      app: gitea
+  spec:
+    entryPoints:
+      - ssh
+    routes:
+      - match: HostSNI(`*`)
+        services:
+          - name: gitea-ssh
+            port: 22 

helmfile.d/01-infrastructure.lock

@@ -2,15 +2,15 @@ version: 0.170.1
 dependencies:
 - name: rook-ceph
   repository: https://charts.rook.io/release
-  version: v1.18.2
+  version: v1.18.7
 - name: rook-ceph-cluster
   repository: https://charts.rook.io/release
-  version: v1.18.2
+  version: v1.18.7
 - name: tailscale-operator
   repository: https://pkgs.tailscale.com/helmcharts
-  version: 1.86.5
+  version: 1.90.9
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 37.1.1
+  version: 37.4.0
-digest: sha256:390b9f11dc9645c5add8f2efdbaa28bbbaf9ad8ab3056ef5b83580a53abdc112
+digest: sha256:e36f2d6589d83e74cb3a4bf19bc795f09d4a199a46547a2ff703c33ff6264b49
-generated: "2025-09-16T10:37:17.844160925-06:00"
+generated: "2025-11-25T20:30:30.565674799-07:00"

helmfile.d/02-datastore.lock

@@ -2,15 +2,15 @@ version: 0.170.1
 dependencies:
 - name: k8up
   repository: https://k8up-io.github.io/k8up
-  version: 4.8.5
+  version: 4.8.6
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 22.0.0
+  version: 24.0.0
 - name: pgo
   repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
   version: 5.8.1
 - name: postgrescluster
   repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
   version: 5.7.4
-digest: sha256:df6cd58e23f8c570ef0f3d57e26720a29685275bee12525ca9abb2e70e28e491
+digest: sha256:7be4f89cbc10d297156dd9924e6076659ddd410586434be062dcb6b52c276bde
-generated: "2025-09-16T10:37:30.538389689-06:00"
+generated: "2025-11-25T20:31:00.986270323-07:00"

helmfile.d/03-apps.lock

@@ -8,7 +8,7 @@ dependencies:
   version: 25.0.4
 - name: immich
   repository: https://immich-app.github.io/immich-charts
-  version: 0.9.3
+  version: 0.10.3
 - name: k8up-backup
   repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
   version: 0.0.3
@@ -26,9 +26,9 @@ dependencies:
   version: 0.1.0
 - name: matrix-synapse
   repository: https://ananace.gitlab.io/charts
-  version: 3.12.8
+  version: 3.12.16
 - name: static-site
   repository: git+https://github.com/cfpb/static-site@charts?ref=main
   version: 0.1.1
-digest: sha256:a7f2ab0e045290264fd7675f2e8979e449ccc60df6518ac20eb4d0c4c007fd96
+digest: sha256:59866b3b160d35756885a2db0a3344bba48161e5ba6935350286f9a754b8b219
-generated: "2025-09-16T10:37:47.891825732-06:00"
+generated: "2025-11-25T20:31:24.531424306-07:00"

helmfile.d/04-monitoring.lock

@@ -2,12 +2,12 @@ version: 0.170.1
 dependencies:
 - name: alloy
   repository: https://grafana.github.io/helm-charts
-  version: 1.2.1
+  version: 1.4.0
 - name: kube-state-metrics
   repository: https://prometheus-community.github.io/helm-charts
-  version: 6.3.0
+  version: 6.4.2
 - name: lgtm-distributed
   repository: https://grafana.github.io/helm-charts
-  version: 2.1.0
+  version: 3.0.1
-digest: sha256:8a06f8a58058fcc5487b01542d48a745189ab4d01a8f9aad6710ffda3cab765a
+digest: sha256:a40ace61a59a7d0262123468c4fc4af581cdbb7a20e7e044bbd3d54ef0d47b8b
-generated: "2025-09-16T10:38:05.465270419-06:00"
+generated: "2025-11-25T20:31:47.82049253-07:00"

immich/values.yaml.gotmpl

@@ -1,19 +1,23 @@
-image:
+controllers:
-  tag: v1.142.1
+  main:
+    containers:
+      main:
+        image:
+          tag: v2.3.1
 
-env:
+        env:
-  DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }}
+          DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }}
-  DB_USERNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.user | base64decode }}'") }}
+          DB_USERNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.user | base64decode }}'") }}
-  DB_DATABASE_NAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.dbname | base64decode }}'") }}
+          DB_DATABASE_NAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.dbname | base64decode }}'") }}
-  DB_PASSWORD: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.password | base64decode }}'") }}
+          DB_PASSWORD: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.password | base64decode }}'") }}
-  DB_VECTOR_EXTENSION: pgvector
+          DB_VECTOR_EXTENSION: pgvector
 
 immich:
   persistence:
     library: 
       existingClaim: immich-data
  
-redis:
+valkey:
   enabled: true
   master:
     persistence:
@@ -26,27 +30,37 @@ redis:
           cpu: 1
 
 server:
+  enabled: true
+  controllers:
+    main:
+      strategy: Recreate
+      containers:
+        main:
+          resources:
+            requests:
+              cpu: 10m
+            limits: 
+              cpu: 1
   ingress:
     main:
       enabled: true
       annotations:
-        "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
+        traefik.ingress.kubernetes.io/router.tls.certresolver: "letsencrypt"
       hosts:
         - host: photos.incngrnt.ca
           paths:
             - path: "/"
-              pathType: Prefix
+              service:
-  resources:
+                identifier: main
-    requests:
-      cpu: 10m
-    limits: 
-      cpu: 1
-  controller:
-    strategy:  Recreate
 
 machine-learning:
-  resources:
+  enabled: true
-    requests:
+  controllers:
-      cpu: 10m
+    main:
-    limits: 
+      containers:
-      cpu: 1
+        main:
+          resources:
+            requests:
+              cpu: 10m
+            limits: 
+              cpu: 1

kgnot/values.yaml.gotmpl

@@ -0,0 +1,54 @@
+image:
+  debug: true
+
+ghostBlogTitle: K&G Tie the Kgnot
+ghostHost: https://kgnot.ca
+ghostUsername: {{ requiredEnv "KGNOT_GHOST_USER_NAME" }}
+existingSecret: ghost-kgnot-user-secret
+
+allowEmptyPassword: false
+
+
+readinessProbe:
+  enabled: false
+
+resources:
+  limits:                        
+    cpu: 500m                    
+    ephemeral-storage: 2Gi
+    memory: 250Mi
+  requests:
+    cpu: 10m
+    ephemeral-storage: 50Mi
+    memory: 128Mi
+
+persistence:
+  size: 1Gi
+
+smtpHost: "smtp.sendgrid.net"
+smtpPort: 465
+smtpUser: "apikey"
+smtpService: "SendGrid"
+smtpProtocol: "tls"
+smtpExistingSecret: kgnot-smtp-password
+
+mysql:
+  enabled: false
+externalDatabase:
+  host: mariadb.datastore.svc.cluster.local
+  user: kgnot_ghost
+  database: kgnot_ghost
+  existingSecret: ghost-kgnot-db-secret
+   
+updateStrategy:
+  type: Recreate
+
+service:
+  type: ClusterIP
+  
+ingress:
+  enabled: true
+  hostname: kgnot.ca
+  tls: true
+  annotations:
+    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" 

matrix-registration/values.yaml.gotmpl

@@ -0,0 +1,5 @@
+serverLocation: http://goatchat-matrix-synapse:8008
+serverName: goatchat.ca
+serverBaseUrl: /gate
+registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
+adminApiSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET" }} 

synapse/values.yaml.gotmpl

@@ -0,0 +1,84 @@
+serverName: 'goatchat.ca'
+publicServerName: 'goatchat.ca'
+
+wellknown:
+  enabled: true
+  
+signingkey:
+  job:
+    enabled: false
+  existingSecret: goatchatca-signingkey
+  existingSecretKey: signing.key
+
+synapse:
+  strategy:
+    type: Recreate
+  resources:
+    requests:
+      cpu: 10m
+      memory: 160Mi
+    limits:
+      cpu: '1'
+      memory: 320Mi
+
+config:
+  macaroonSecretKey: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }}
+  registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
+
+extraConfig:
+  url_preview_enabled: true    
+  url_preview_ip_range_blacklist:
+     - '127.0.0.0/8'
+     - '10.0.0.0/8'
+     - '172.16.0.0/12'
+     - '192.168.0.0/16'
+     - '100.64.0.0/10'
+     - '169.254.0.0/16'
+     - '::1/128'
+     - 'fe80::/64'
+     - 'fc00::/7'
+
+  max_upload_size: 100M
+
+  email:
+    enable_notifs: true
+    smtp_host: "smtp.sendgrid.net"
+    smtp_port: 587
+    smtp_user: "apikey"
+    smtp_pass: {{ requiredEnv "GOATCHAT_SMTP_PASSWORD" }}
+    require_transport_security: true
+    notif_from: "Your Friendly %(app)s homeserver <noreply@goatchat.ca>"
+    app_name: Goatchat
+    validation_token_lifetime: 1h
+
+
+  user_directory:
+    enabled: true
+    search_all_users: true
+    prefer_local_users: true
+
+  server_notices:
+    system_mxid_localpart: notices
+    system_mxid_display_name: "Screaming Goat"
+    system_mxid_avatar_url: ""
+    room_name: "Goatchat Notices"
+    room_avatar_url: ""
+    room_topic: "Room used by your server admin to notify you of important information"
+    auto_join: true
+  
+
+ingress:
+  traefikPaths: true
+  annotations:
+    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
+
+
+persistence:
+  size: 30Gi    
+
+postgresql:
+  enabled: false    
+externalPostgresql:
+  host: postgres-primary.datastore.svc
+  existingSecret: postgres-pguser-synapse
+  existingSecretPasswordKey: password 

tailscale/values.yaml.gotmpl

@@ -0,0 +1,8 @@
+operatorConfig:
+  extraEnv:
+    - name: PROXY_PRIORITY_CLASS_NAME
+      value: critical
+
+oauth:
+  clientId: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
+  clientSecret: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }} 

traefik/values.yaml.gotmpl

@@ -0,0 +1,102 @@
+deployment:
+  initContainers:
+    - name: volume-permissions
+      image: busybox:latest
+      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
+      volumeMounts:
+        - name: data
+          mountPath: /data
+
+updateStrategy:
+  type: Recreate
+    
+env:
+ - name: HETZNER_API_KEY
+   valueFrom:
+     secretKeyRef:
+       name: hetzner-api-key
+       key: token
+
+additionalArguments:
+ - "--api.basePath=/fog/traefik"
+
+persistence:
+  enabled: true
+    
+logs:
+  format: json    
+  access:
+    enabled: true
+    format: json    
+
+service:
+  spec:
+    externalTrafficPolicy: Local
+    
+ingressRoute:
+  dashboard:
+    enabled: true
+    matchRule: Host(`fog.incngrnt.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`))
+    entryPoints: ["websecure"]
+    middlewares:
+      - name: traefik-dashboard-auth
+    tls:
+      certResolver: letsencrypt
+
+ports:
+  websecure:
+    middlewares:
+      - traefik-rate-limit@kubernetescrd
+  web:
+    middlewares:
+      - traefik-redirectscheme@kubernetescrd      
+  ssh:
+    port: 2222
+    expose:
+      default: true
+    exposedPort: 2222
+    protocol: TCP
+    
+    
+extraObjects:
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: traefik-dashboard-auth-secret
+    type: kubernetes.io/basic-auth
+    stringData:
+      username: admin
+      password: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }}
+
+  - apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: traefik-dashboard-auth
+    spec:
+      basicAuth:
+        secret: traefik-dashboard-auth-secret
+  - apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: rate-limit
+    spec:
+      rateLimit:
+        average: 50
+        burst: 100
+  - apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: redirectscheme
+    spec:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      dnschallenge:
+        provider: hetzner
+        delaybeforecheck: 30
+      email: {{ requiredEnv "ACME_EMAIL" }}
+      storage: /data/acme.json