53ll/values.yaml.gotmpl

@@ -1,52 +0,0 @@
-image:
-  debug: true
-
-ghostBlogTitle: 53rd Parallel Photography
-ghostHost: https://53ll.ca
-ghostUsername: {{ requiredEnv "GHOST_53LL_USER_NAME" }}
-existingSecret: ghost-53ll-user-secret
-
-allowEmptyPassword: false
-
-
-readinessProbe:
-  enabled: false
-
-resources:
-  limits:                        
-    cpu: 500m                    
-    ephemeral-storage: 2Gi
-    memory: 250Mi
-  requests:
-    cpu: 10m
-    ephemeral-storage: 50Mi
-    memory: 128Mi
-persistence:
-  size: 1Gi
-
-smtpHost: "smtp.sendgrid.net"
-smtpPort: 465
-smtpUser: "apikey"
-smtpService: "SendGrid"
-smtpProtocol: "tls"
-smtpExistingSecret: 53ll-smtp-password
-
-mysql:
-  enabled: false
-externalDatabase:
-  host: mariadb.datastore.svc.cluster.local
-  user: 53ll_ghost
-  database: 53ll_ghost
-  existingSecret: ghost-53ll-db-secret
-   
-updateStrategy:
-  type: Recreate
-
-service:
-  type: ClusterIP    
-ingress:
-  enabled: true
-  hostname: 53ll.ca
-  tls: true
-  annotations:
-    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" 

gitea/values.yaml.gotmpl

@@ -1,94 +0,0 @@
-gitea:
-  config:
-    server:
-      ROOT_URL: https://git.incngrnt.ca/
-      MINIMUM_KEY_SIZE_CHECK: false
-    service:
-      DISABLE_REGISTRATION: true
-    database:
-      DB_TYPE: postgres
-    indexer:
-      ISSUE_INDEXER_TYPE: bleve
-      REPO_INDEXER_ENABLED: true
-    cron:
-      enabled: true
-    repository:
-      DISABLE_DOWNLOAD_SOURCE_ARCHIVES: true
-  additionalConfigFromEnvs:
-    - name: GITEA__DATABASE__HOST
-      valueFrom:
-        secretKeyRef:
-          name: postgres-pguser-gitea
-          key: host 
-    - name: GITEA__DATABASE__NAME
-      valueFrom:
-        secretKeyRef:
-          name: postgres-pguser-gitea
-          key: dbname  
-    - name: GITEA__DATABASE__USER
-      valueFrom:
-        secretKeyRef:
-          name: postgres-pguser-gitea
-          key: user
-    - name: GITEA__DATABASE__PASSWD
-      valueFrom:
-        secretKeyRef:
-          name: postgres-pguser-gitea
-          key: password
-  admin:
-    password: {{ requiredEnv "GITEA_ADMIN_PASSWORD" }}
-
-strategy:
-  type: Recreate
-
-ingress:
-  enabled: true
-  hosts:
-    - host: git.incngrnt.ca
-      paths:
-        - path: "/"
-          pathType: Prefix
-  annotations:
-    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
-
-service:
-  ssh:
-    type: ClusterIP
-    port: 22
-    clusterIP:
-      
-actions:
-  enabled: true
-  giteaRootURL: https://git.incngrnt.ca
-  existingSecret: gitea-runner-token
-  existingSecretKey: token
-  provisioning:
-    enabled: false
-  persistence:
-    enabled: false
-redis:
-  enabled: true
-redis-cluster:
-  enabled: false
-postgresql:
-  enabled: false
-postgresql-ha:
-  enabled: false
-
-
-extraDeploy:
-- apiVersion: traefik.io/v1alpha1
-  kind: IngressRouteTCP
-  metadata:
-    name: gitea-ssh
-    namespace: gitea
-    labels:
-      app: gitea
-  spec:
-    entryPoints:
-      - ssh
-    routes:
-      - match: HostSNI(`*`)
-        services:
-          - name: gitea-ssh
-            port: 22 

helmfile.d/01-infrastructure.lock

@@ -2,15 +2,15 @@ version: 0.170.1
 dependencies:
 - name: rook-ceph
   repository: https://charts.rook.io/release
-  version: v1.18.7
+  version: v1.18.2
 - name: rook-ceph-cluster
   repository: https://charts.rook.io/release
-  version: v1.18.7
+  version: v1.18.2
 - name: tailscale-operator
   repository: https://pkgs.tailscale.com/helmcharts
-  version: 1.90.9
+  version: 1.86.5
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 37.4.0
-digest: sha256:e36f2d6589d83e74cb3a4bf19bc795f09d4a199a46547a2ff703c33ff6264b49
-generated: "2025-11-25T20:30:30.565674799-07:00"
+  version: 37.1.1
+digest: sha256:390b9f11dc9645c5add8f2efdbaa28bbbaf9ad8ab3056ef5b83580a53abdc112
+generated: "2025-09-16T10:37:17.844160925-06:00"

helmfile.d/02-datastore.lock

@@ -2,15 +2,15 @@ version: 0.170.1
 dependencies:
 - name: k8up
   repository: https://k8up-io.github.io/k8up
-  version: 4.8.6
+  version: 4.8.5
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 24.0.0
+  version: 22.0.0
 - name: pgo
   repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
   version: 5.8.1
 - name: postgrescluster
   repository: git+https://github.com/grantdhunter/postgres-operator@helm?ref=main
   version: 5.7.4
-digest: sha256:7be4f89cbc10d297156dd9924e6076659ddd410586434be062dcb6b52c276bde
-generated: "2025-11-25T20:31:00.986270323-07:00"
+digest: sha256:df6cd58e23f8c570ef0f3d57e26720a29685275bee12525ca9abb2e70e28e491
+generated: "2025-09-16T10:37:30.538389689-06:00"

helmfile.d/03-apps.lock

@@ -8,7 +8,7 @@ dependencies:
   version: 25.0.4
 - name: immich
   repository: https://immich-app.github.io/immich-charts
-  version: 0.10.3
+  version: 0.9.3
 - name: k8up-backup
   repository: git+https://git.incngrnt.ca/grant/charts@charts?ref=main
   version: 0.0.3
@@ -26,9 +26,9 @@ dependencies:
   version: 0.1.0
 - name: matrix-synapse
   repository: https://ananace.gitlab.io/charts
-  version: 3.12.16
+  version: 3.12.8
 - name: static-site
   repository: git+https://github.com/cfpb/static-site@charts?ref=main
   version: 0.1.1
-digest: sha256:59866b3b160d35756885a2db0a3344bba48161e5ba6935350286f9a754b8b219
-generated: "2025-11-25T20:31:24.531424306-07:00"
+digest: sha256:a7f2ab0e045290264fd7675f2e8979e449ccc60df6518ac20eb4d0c4c007fd96
+generated: "2025-09-16T10:37:47.891825732-06:00"

helmfile.d/04-monitoring.lock

@@ -2,12 +2,12 @@ version: 0.170.1
 dependencies:
 - name: alloy
   repository: https://grafana.github.io/helm-charts
-  version: 1.4.0
+  version: 1.2.1
 - name: kube-state-metrics
   repository: https://prometheus-community.github.io/helm-charts
-  version: 6.4.2
+  version: 6.3.0
 - name: lgtm-distributed
   repository: https://grafana.github.io/helm-charts
-  version: 3.0.1
-digest: sha256:a40ace61a59a7d0262123468c4fc4af581cdbb7a20e7e044bbd3d54ef0d47b8b
-generated: "2025-11-25T20:31:47.82049253-07:00"
+  version: 2.1.0
+digest: sha256:8a06f8a58058fcc5487b01542d48a745189ab4d01a8f9aad6710ffda3cab765a
+generated: "2025-09-16T10:38:05.465270419-06:00"

immich/values.yaml.gotmpl

@@ -1,9 +1,5 @@
-controllers:
-  main:
-    containers:
-      main:
 image:
-          tag: v2.3.1
+  tag: v1.142.1
   
 env:
   DB_HOSTNAME: {{ exec "kubectl" (list "-n" "immich" "get" "secrets" "postgres-pguser-immich" "-ogo-template='{{.data.host | base64decode }}'") }}
@@ -17,7 +13,7 @@ immich:
     library: 
       existingClaim: immich-data
  
-valkey:
+redis:
   enabled: true
   master:
     persistence:
@@ -30,35 +26,25 @@ valkey:
           cpu: 1
 
 server:
-  enabled: true
-  controllers:
-    main:
-      strategy: Recreate
-      containers:
-        main:
-          resources:
-            requests:
-              cpu: 10m
-            limits: 
-              cpu: 1
   ingress:
     main:
       enabled: true
       annotations:
-        traefik.ingress.kubernetes.io/router.tls.certresolver: "letsencrypt"
+        "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
       hosts:
         - host: photos.incngrnt.ca
           paths:
             - path: "/"
-              service:
-                identifier: main
-
-machine-learning:
-  enabled: true
-  controllers:
-    main:
-      containers:
-        main:
+              pathType: Prefix
+  resources:
+    requests:
+      cpu: 10m
+    limits: 
+      cpu: 1
+  controller:
+    strategy:  Recreate
+
+machine-learning:
   resources:
     requests:
       cpu: 10m

justfile

@@ -23,12 +23,6 @@ cleanupjobs:
 pgrestart:
     kubectl patch postgrescluster/postgres  --type merge --patch '{"spec":{"metadata":{"annotations":{"restarted":"'"$(date)"'"}}}}'
 
-
-talos-upgrade VERSION NODE:
-    talosctl upgrade  \
-      --image factory.talos.dev/metal-installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:{{VERSION}} \
-      -n {{NODE}}
-
 goatchat-register:
     bws run 'curl -v -H '\"'Authorization: SharedSecret $GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET'\"' \
         -H "Content-Type: application/json" \

kgnot/values.yaml.gotmpl

@@ -1,54 +0,0 @@
-image:
-  debug: true
-
-ghostBlogTitle: K&G Tie the Kgnot
-ghostHost: https://kgnot.ca
-ghostUsername: {{ requiredEnv "KGNOT_GHOST_USER_NAME" }}
-existingSecret: ghost-kgnot-user-secret
-
-allowEmptyPassword: false
-
-
-readinessProbe:
-  enabled: false
-
-resources:
-  limits:                        
-    cpu: 500m                    
-    ephemeral-storage: 2Gi
-    memory: 250Mi
-  requests:
-    cpu: 10m
-    ephemeral-storage: 50Mi
-    memory: 128Mi
-
-persistence:
-  size: 1Gi
-
-smtpHost: "smtp.sendgrid.net"
-smtpPort: 465
-smtpUser: "apikey"
-smtpService: "SendGrid"
-smtpProtocol: "tls"
-smtpExistingSecret: kgnot-smtp-password
-
-mysql:
-  enabled: false
-externalDatabase:
-  host: mariadb.datastore.svc.cluster.local
-  user: kgnot_ghost
-  database: kgnot_ghost
-  existingSecret: ghost-kgnot-db-secret
-   
-updateStrategy:
-  type: Recreate
-
-service:
-  type: ClusterIP
-  
-ingress:
-  enabled: true
-  hostname: kgnot.ca
-  tls: true
-  annotations:
-    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt" 

matrix-registration/values.yaml.gotmpl

@@ -1,5 +0,0 @@
-serverLocation: http://goatchat-matrix-synapse:8008
-serverName: goatchat.ca
-serverBaseUrl: /gate
-registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
-adminApiSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_ADMIN_API_SHARE_SECRET" }} 

synapse/values.yaml.gotmpl

@@ -1,84 +0,0 @@
-serverName: 'goatchat.ca'
-publicServerName: 'goatchat.ca'
-
-wellknown:
-  enabled: true
-  
-signingkey:
-  job:
-    enabled: false
-  existingSecret: goatchatca-signingkey
-  existingSecretKey: signing.key
-
-synapse:
-  strategy:
-    type: Recreate
-  resources:
-    requests:
-      cpu: 10m
-      memory: 160Mi
-    limits:
-      cpu: '1'
-      memory: 320Mi
-
-config:
-  macaroonSecretKey: {{ requiredEnv "GOATCHAT_SYNAPSE_MACAROON_SECRET_KEY" }}
-  registrationSharedSecret: {{ requiredEnv "GOATCHAT_REGISTRATION_SHARED_SECRET" }}
-
-extraConfig:
-  url_preview_enabled: true    
-  url_preview_ip_range_blacklist:
-     - '127.0.0.0/8'
-     - '10.0.0.0/8'
-     - '172.16.0.0/12'
-     - '192.168.0.0/16'
-     - '100.64.0.0/10'
-     - '169.254.0.0/16'
-     - '::1/128'
-     - 'fe80::/64'
-     - 'fc00::/7'
-
-  max_upload_size: 100M
-
-  email:
-    enable_notifs: true
-    smtp_host: "smtp.sendgrid.net"
-    smtp_port: 587
-    smtp_user: "apikey"
-    smtp_pass: {{ requiredEnv "GOATCHAT_SMTP_PASSWORD" }}
-    require_transport_security: true
-    notif_from: "Your Friendly %(app)s homeserver <noreply@goatchat.ca>"
-    app_name: Goatchat
-    validation_token_lifetime: 1h
-
-
-  user_directory:
-    enabled: true
-    search_all_users: true
-    prefer_local_users: true
-
-  server_notices:
-    system_mxid_localpart: notices
-    system_mxid_display_name: "Screaming Goat"
-    system_mxid_avatar_url: ""
-    room_name: "Goatchat Notices"
-    room_avatar_url: ""
-    room_topic: "Room used by your server admin to notify you of important information"
-    auto_join: true
-  
-
-ingress:
-  traefikPaths: true
-  annotations:
-    "traefik.ingress.kubernetes.io/router.tls.certresolver": "letsencrypt"
-
-
-persistence:
-  size: 30Gi    
-
-postgresql:
-  enabled: false    
-externalPostgresql:
-  host: postgres-primary.datastore.svc
-  existingSecret: postgres-pguser-synapse
-  existingSecretPasswordKey: password 

tailscale/values.yaml.gotmpl

@@ -1,8 +0,0 @@
-operatorConfig:
-  extraEnv:
-    - name: PROXY_PRIORITY_CLASS_NAME
-      value: critical
-
-oauth:
-  clientId: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_ID" }}
-  clientSecret: {{ requiredEnv "TAILSCALE_OAUTH_CLIENT_SECRET" }} 

traefik/values.yaml.gotmpl

@@ -1,102 +0,0 @@
-deployment:
-  initContainers:
-    - name: volume-permissions
-      image: busybox:latest
-      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
-      volumeMounts:
-        - name: data
-          mountPath: /data
-
-updateStrategy:
-  type: Recreate
-    
-env:
- - name: HETZNER_API_KEY
-   valueFrom:
-     secretKeyRef:
-       name: hetzner-api-key
-       key: token
-
-additionalArguments:
- - "--api.basePath=/fog/traefik"
-
-persistence:
-  enabled: true
-    
-logs:
-  format: json    
-  access:
-    enabled: true
-    format: json    
-
-service:
-  spec:
-    externalTrafficPolicy: Local
-    
-ingressRoute:
-  dashboard:
-    enabled: true
-    matchRule: Host(`fog.incngrnt.ca`) && (PathPrefix(`/fog/traefik/dashboard`) || PathPrefix(`/fog/traefik/api`))
-    entryPoints: ["websecure"]
-    middlewares:
-      - name: traefik-dashboard-auth
-    tls:
-      certResolver: letsencrypt
-
-ports:
-  websecure:
-    middlewares:
-      - traefik-rate-limit@kubernetescrd
-  web:
-    middlewares:
-      - traefik-redirectscheme@kubernetescrd      
-  ssh:
-    port: 2222
-    expose:
-      default: true
-    exposedPort: 2222
-    protocol: TCP
-    
-    
-extraObjects:
-  - apiVersion: v1
-    kind: Secret
-    metadata:
-      name: traefik-dashboard-auth-secret
-    type: kubernetes.io/basic-auth
-    stringData:
-      username: admin
-      password: {{ requiredEnv "TRAEFIK_ADMIN_PASSWORD" }}
-
-  - apiVersion: traefik.io/v1alpha1
-    kind: Middleware
-    metadata:
-      name: traefik-dashboard-auth
-    spec:
-      basicAuth:
-        secret: traefik-dashboard-auth-secret
-  - apiVersion: traefik.io/v1alpha1
-    kind: Middleware
-    metadata:
-      name: rate-limit
-    spec:
-      rateLimit:
-        average: 50
-        burst: 100
-  - apiVersion: traefik.io/v1alpha1
-    kind: Middleware
-    metadata:
-      name: redirectscheme
-    spec:
-      redirectScheme:
-        scheme: https
-        permanent: true
-
-certificatesResolvers:
-  letsencrypt:
-    acme:
-      dnschallenge:
-        provider: hetzner
-        delaybeforecheck: 30
-      email: {{ requiredEnv "ACME_EMAIL" }}
-      storage: /data/acme.json