WIP: Working on new lldap bootstrap script

2025-01-30 01:15:02 +01:00
204 changed files with 1879 additions and 4704 deletions
--- a/.kcignore
+++ b/.kcignore
@ -1 +0,0 @@
 .sops.yaml
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,29 +0,0 @@
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
        args:
          - --allow-multiple-documents
      - id: check-added-large-files
      - id: check-merge-conflict
  - repo: https://github.com/crate-ci/typos
    rev: v1.30.2
    hooks:
      - id: typos
        args: ["--force-exclude"]
  - repo: git@huizinga.dev:Dreaded_X/cluster-crds.git
    rev: 951a61836937c443aa9a8d49d973cfc23dd6d219
    hooks:
      - id: kubeconform
  # Linting does not work with external values.yaml
  # TODO: Include url to schema in values.yaml and validate based on that?
  # - repo: https://github.com/tarioch/flux-check-hook
  #   rev: v0.8.0
  #   hooks:
  #     - id: check-flux-helm-values
--- a/.typos.toml
+++ b/.typos.toml
@ -1,10 +0,0 @@
 [default]
 # Ignore
 extend-ignore-re = [
  "-{5}BEGIN PGP MESSAGE-{5}(?:$|[^-]{63,}-{5}END PGP MESSAGE-{5})",
  "-{5}BEGIN PGP PUBLIC KEY BLOCK-{5}(?:$|[^-]{63,}-{5}END PGP PUBLIC KEY BLOCK-{5})",
 ]
 [files]
 # Ignore generated files
 extend-exclude = ["gotk-components.yaml", "gotk-sync.yaml"]
--- a/apps/akri-demo.yaml
+++ b/apps/akri-demo.yaml
@ -16,6 +16,3 @@ spec:
      containers:
        - name: akri-demo
          image: traefik/whoami
          resources:
            limits:
              "{{PLACEHOLDER}}": "1"
--- a/apps/authelia/kustomization.yaml
+++ b/apps/authelia/kustomization.yaml
@ -0,0 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: authelia
 resources:
  - ./namespace.yaml
  - ./repository.yaml
  - ./release.yaml
  - ./lldap.yaml
 components:
  - ../../common/postgres
  - ../../common/dragonflydb
--- a/apps/authelia/lldap.yaml
+++ b/apps/authelia/lldap.yaml
@ -0,0 +1,60 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: authelia-lldap
 type: Opaque
 stringData:
    password: ENC[AES256_GCM,data:t9dCqqJrS0mhJMBXLKTKUgbOpwI3LGN134OlGmIaOsZg1bzWSV4sU0YAQMU=,iv:Bp2hO34VNtqy+7ZnWtqvmUNe2GKUh7KPZmRgXzyFqqA=,tag:qJ8iV6OyuNlVmnrPs13LNg==,type:str]
    user-configs.json: ENC[AES256_GCM,data:7bhp9uWOM1NcfJ8DnnUdYCIFMZeCvmGr8S5gJPzw0kzXfXQfRbI2xfq4X5GdAbOCn9HHM1F+xJLaF6tno1ZmH26NN7FkXUZQCtqK9+yZgjHY8MZYsUZHdZlV40BcaYSCk7qtefGsCrITN2X/DAjrmedNeh0CF9rdov3ZKsi8nSGWGUeLpKcouhOpvbfLRSoEEfYUyUF1r5GscTuunh9uZ8DtoCJvBf8iyQ==,iv:3YuaXKKIHUgzWL07yItqR6rgI+YXbaoTVc4xdiZ/hWU=,tag:hyObOlrQVXgRHgDxcV/R0g==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2024-11-22T04:09:11Z"
    mac: ENC[AES256_GCM,data:3o1AYP26QEIMjCUZ4y6AH+CXevoJoJ+rX3ioMLRf8KAGy0mSOtacaSY9xRdDIjATu9aJgHmFbSw9CHTBpXxmaISZxQdMPMHQAmRxHnSuQiofPRkVtD1TlvCFcDTSgITWbvG3dpUoLdM57Mgd3z7KpI/+gEoDebYfryDaYXCoH3c=,iv:1C8QMJCJtvnGVPpLJE+l0U3hOknEC3XiWTQrPAQsHKc=,tag:fn+cMj1NImJSvNiuyzX5pQ==,type:str]
    pgp:
        - created_at: "2024-11-22T04:09:11Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7pKPTYH5bqOAQ/+MgqnLWwHCWPxacANbHEEYsPENOyIywmYJnSnRqRLWhAn
            9K0/udCxwO30rnvo+p6/YLF2VSqFfz7pUm/z+MH6ypyY1B83HjCkjsaTQhPR5Q0K
            CmhTR7TrQBNfa/flawhebWOjvmUJ9lJ9uqCnAB16S03Sn+PqDYlGTE6CMJ0oJuSr
            VpxdvdvFZ1gfR7hlVrsKqvn47T3XIYDJohp9l819nQ1O2adTPfevZEN/JLwaWSLT
            YtwJyg+6ogKD3q6UBv7hyyXH9ZlMHFxGWxmo1OXAA3E/vMvOacgmFW6pqoGMqwGU
            D9Ch2x1MBobD342ZPPmsQNiI+34Q5cl+hVJJgL5jWk2kML67itM8pMUTyn+5NtWO
            wWo6zu5q5IfqREwuerZtisocctrLB9QKPVGcjVihWfoenvlkf4yfCRDFzOPSAb0o
            e2K+3fZknZlnb3Qb/rgD7XRiBhcif1zIHZxUQDv/Lq9GyuCM7dk8YKUVCtyeixQ4
            C+WFmp9ED8xzv1jR9lPcQhD+I2Cb7/9jlTXEetFHSzl4riYpKPjhKQedUWZ0YY1A
            u0ORTBaLzcmrXTjGz24PxmWZDBjhV4Kgvn76rchqLrS8lvi1EbXoZB6ERhuhlz5Y
            bm1FwUBxDRG04gFCPwWKV0AvMmhd+hOdyo4KeQbZCO+w3QqXnp/y6b3TtpEeQnPU
            aAEJAhCMqxSAESN99AcEtW56mJsZmRCCi3NsRLwllDczeDfUznF2CSTCnJRDmjsU
            bLf8jVjawLxfRnKmRyKX/cCYbuz9OmIFkOAWoSNVb/teiMrYYFq96kRDLHR1Llxr
            EuX0poghRPqU
            =tI6a
            -----END PGP MESSAGE-----
          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
        - created_at: "2024-11-22T04:09:11Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA51kG++kLewoARAA15aOcSEfAIpEXXhmF4YToynn1NM9OsANHc3PR2uVzAPv
            C4Wi8R1PNhGdV3aTuRN5WpSjkJEE3GNR0kA0Etao7Ip0d1UgXzg1wtwEd1Yyvtdh
            ccK2/z0a4UJu8SMczChT1P18IASNksaxSAm+TOLFGcZeJFwQepsBaQIEfXYO3+hR
            Jw+zcPmFaOzKoqdbAAWzvYhLxD2ocjZl7iiIOhz8fBSqWLO2oeJRp5Lk8Q14olTZ
            708BQ+aLlsVJyLkiV7SzlKfEDIymMDZSe7Q3i4JqOFOyHRIkIM5ZPOLoelqRNcY2
            zQphsk1U/MFp7LsR/d+5IKWBkqV5DYJWFunw+NRFHLg1/6+zmGnGbZ2gZfohvnKV
            5GUrYfWCBACIclpxY7PlVQ7d/aTDf3jdR0iVV3Jh+8Lvze1msPvI+BF67oDNMsTu
            EIbRa6eHzxgSqrq3Za5eeUXd9Gxfg2g4KdkbG+FA9qQI6f5Y1q0tE9cFfOElTiBk
            xTAckrBMHOMGozvx4/6xXHMmAxd80tX0ZjVyBsPBeb64oZGlsGuRngWT1Ob9gF4Q
            sDfyd74kpQ9fHhIYs9XSLrPbH6yzVIFF/sHpMGgri43PCMW6vvnfP4JQgdMNdXRw
            U+RWDxA6BOkP7XvNfGADiumeSGQ+PE/KP0TuUqMD7gr9X/VGH+/1e6zbI1iruhPS
            XgFoSamAXKfYrYz94J9u0vA8D8ne9EKa8Ls6ybicyyZlGLri/qnoHNJAVhLWKdId
            h68ksrI5l25Z1MkAcKVR1xlHUnRCwb2Xdbag0vV07So00wxAl1XNhtPeuQrykk0=
            =V4Gd
            -----END PGP MESSAGE-----
          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
    encrypted_regex: ^(data|stringData)$
    version: 3.9.0
--- a/infra/authelia/authelia/namespace.yaml
+++ b/infra/authelia/authelia/namespace.yaml
--- a/apps/authelia/release.yaml
+++ b/apps/authelia/release.yaml
@ -0,0 +1,87 @@
 kind: HelmRelease
 metadata:
  name: authelia
 spec:
  chart:
    spec:
      chart: authelia
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: authelia
      version: 0.9.9
  interval: 15m
  values:
    pod:
      replicas: 2
    ingress:
      enabled: true
      tls:
        enabled: true
        secret: ${domain//./-}-tls
      traefikCRD:
        enabled: true
        entryPoints:
          - websecure
    secret:
      additionalSecrets:
        authelia-db-cluster-app:
          key: authelia-db-cluster-app
        authelia-lldap:
          key: authelia-lldap
    configMap:
      authentication_backend:
        ldap:
          enabled: true
          # TODO: Use lldap implementation, see docs
          implementation: custom
          address: ldap://lldap.lldap.svc.cluster.local:3890
          base_dn: dc=huizinga,dc=dev
          additional_users_dn: ou=people
          users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
          additional_groups_dn: ou=groups
          groups_filter: "(member={dn})"
          attributes:
            display_name: displayName
            username: uid
            group_name: cn
            mail: mail
          user: uid=authelia,ou=people,dc=huizinga,dc=dev
          password:
            secret_name: authelia-lldap
            path: password
      session:
        cookies:
          - subdomain: login${subdomain}
            domain: ${topdomain}
        redis:
          enabled: true
          host: dragonflydb.authelia
      storage:
        postgres:
          enabled: true
          address: tcp://authelia-db-cluster-rw.authelia:5432
          database: app
          username: app
          password:
            secret_name: authelia-db-cluster-app
            path: password
      notifier:
        filesystem:
          enabled: true
      access_control:
        rules:
          - domain: traefik.${domain}
            policy: one_factor
            subject: "group:lldap_admin"
          - domain: grafana.${domain}
            policy: one_factor
          # Deny by default, mainly a placeholder to allow patching in other rules
          - domain: "*"
            policy: deny
--- a/infra/authelia/authelia/helm-repository.yaml
+++ b/infra/authelia/authelia/helm-repository.yaml
--- a/apps/grafana/access-control-rule.yaml
+++ b/apps/grafana/access-control-rule.yaml
@ -1,7 +0,0 @@
 apiVersion: authelia.huizinga.dev/v1
 kind: AccessControlRule
 metadata:
  name: grafana
 spec:
  domain: grafana.${domain}
  policy: one_factor
--- a/apps/grafana/kustomization.yaml
+++ b/apps/grafana/kustomization.yaml
@ -5,8 +5,9 @@ resources:
  - ./namespace.yaml
  - ./repository.yaml
  - ./release.yaml
-  - ./service-user.yaml
+  - ./lldap.yaml
-  - ./access-control-rule.yaml
+
 components:
  - ../../common/postgres
  - ../../common/dragonflydb
@ -16,4 +17,4 @@ configurations:
 secretGenerator:
  - name: grafana-ldap-toml
    files:
-      - ldap-toml=ldap.toml
+      - ldap-toml
--- a/apps/grafana/ldap-toml
+++ b/apps/grafana/ldap-toml
@ -20,10 +20,10 @@ ssl_skip_verify = false
 # client_key = "/path/to/client.key"
 # Search user bind dn
-bind_dn = "${BIND_DN}"
+bind_dn = "uid=grafana,ou=people,dc=huizinga,dc=dev"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = "${LDAP_PASSWORD}"
+bind_password = """${LDAP_ADMIN_PASSWORD}"""
 # User search filter
 search_filter = "(&(|(uid=%s)(mail=%s))(objectClass=person))"
--- a/apps/grafana/lldap.yaml
+++ b/apps/grafana/lldap.yaml
@ -0,0 +1,60 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: grafana-lldap
 type: Opaque
 stringData:
    password: ENC[AES256_GCM,data:0QolUQJaul0Hao4qJF/wxmV1APnwuJPMm/JgjdrPSr6edFTjED5jSt9lyio=,iv:faITYBBHrnHEnPn9zAK+y24AfXi9rZDZzu7RO9EBpX0=,tag:SI7sf2ORGYrbU1v3PdRYmw==,type:str]
    user-configs.json: ENC[AES256_GCM,data:oshuHNNLYtNXbtkWw4oSpsxGRLNnOfCOJ9jFhKaPtgwYqCLEiOvw2AoWC7SBBv+gScBHDAbghwWJHP0ff2RSCNT6zGaAOinTOezErwmdpwA8A6JZY+EGh2+qnSkO6Eosy+tbWATUqAfZGmzqLzKlhF1Bleg2pc3pb3q9lzv4RWaizg0sFVKxfxaKJ98BRmq7blH7F47c+ybmkheZL10dBr9JLtfTsQ==,iv:KvJVCDyseQ82CQn2gUB3BM1MFVAMoZGWGqzrt8Tjmcs=,tag:FvyL72NYx4VRXdrzW4abdg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2024-12-30T03:11:38Z"
    mac: ENC[AES256_GCM,data:XIV9UXqKcSkWRyPUBasswbfUFy7PKCjz3xqghmvk0Nin0l2GzrPfXvmiFb9Ytt8HduR7s+a4c609ZXlnXLQPHoM0w7I/4ELYTPzez4jgWPRSB3f4Oz5GDz0zKOzHqXJQec92YULhbUKeuQdBnTlMl+JMLuMX2C7t16HlI+WgWvA=,iv:5yfI/pBYYNNE5B5JICGUnk1t045abQaQYDJObZbXflc=,tag:LdU1tMHmelPGTG4bESxPPg==,type:str]
    pgp:
        - created_at: "2024-12-30T03:06:07Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7pKPTYH5bqOARAAqYYnP/oUVePG0EMSXrEY/IadyZoi49oMzMKVKATJoRti
            CMoDSc9URIe9hW9aVzTj925qfh/e1bU3gYS1ghCxRXINHkVpgFZ7o/iVGL4bdeuU
            QrGYxrm7/IZQUSNy5d4r1vO/n5lEdrcmX57N4LKYDUnF2+Vf/j3DILGzDFBTh3U2
            GnlaFMPtabMzZpDz5U9hfGeLmz+63DKMQeExq4egKoeKf1RIVG3x1S9XpvpwAvvG
            omZSvDaT44winp2T6HF70oqF5nF0ex3mBTrhsEdff+5o/cinT40WfOID239MUmzq
            U7Rafx/tHM9CI4u646C0CIAAY7tS0jB+eud8btA+X1KyfSUegFwAm1FzL5w3ZI3/
            kcGXgV0AbrjprqWCqBbWF8ZWoHN3RgEr7naYuo8Z0wMWLdW6IvW9CBvh+I1K1hDW
            mFZ8fA4cW4kowzSr79wYd32w1lnfjuA8itr/paSzCKpF44GfpkZ470h55KiEwCij
            92ChS+RshTjLGebIzE/5LOmJYGauU1jcJ9HtRvWIajprQ6Y8oJh1fCvendTkVK58
            psGNoVsguj3Jf4OZ7PK8KMvxxG/dceYHDRKlQe78x3VhlwUC3N0jrPqmqzuo1SFT
            07L0tRepxa1MokZzC4Vs+yEFoy7lF1VjMSmXQWkavqzuEkffU9y/3gABnR7UEvrU
            aAEJAhA5mxWyM1zu7f0ppbyTaYd7wqpq7DO6uoCziYza7xE3hZ+fNLMssi/gctd5
            E9O1e7yRtxQui1L4uVtrpW3o7RfE+UqtE2peUFcdW7Uja+URM4/G7kzadgDAQ1fj
            8PqQ49TpHxYC
            =eBq+
            -----END PGP MESSAGE-----
          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
        - created_at: "2024-12-30T03:06:07Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA51kG++kLewoARAApjAXIvzIxzFJgKTynZSQz36hBdz1silLW6iJF2I8rlll
            tdw6Sez7m3ynta3dMU9m2rtA4yVNiDIOyW6HaKtNEAOSkaIfKDVTLt77a3ypZzVi
            /mcJ94DmRqax/a8OInYIFKzKnH07ZF8uZ5NogRRCEd66AuUrymi0okNpKXYa/hw9
            gJXmxzk5tzDqyoaDm4GraUQelE2CAFnML36nguc4HEwJsHvgnD+gEuAagDiLrdIU
            LFNw39s+1wpstSjiWaOwZbl3XG9t+wBnUHpoN830cQE0hjib/XMtiH4D1EnHjxTr
            wSRPEczLbe2Z1kpTHd2Zt/nFNsudtqViy2LgQDAkrlJL2YNbvWqfssMmPkVjDLeH
            qh0cGKWJ3we+ad/pR60DBm2Q8RVzylqojn6o5sdOPlCh+cwI9Tiac6b3cdVYDAop
            el4hbxGPojRw+BWGbrpTvu3H3zaTNA8Xwds1FIoisyTRIEISq9HGkbwFmtCXQGwN
            R4qi151dUiuGDwkJlaVspbAu8uikV0ucZ7xR6+D6f3NUhyCeGiBz6gb48SZDJ0u8
            IfcYu0HOzgeQzMn4X0vluxbFbIA4CxZlyy1I60YwHUSUvDGYFiJ7fDBSOnQeHUT9
            2BSYlMsw0r5o8KZDPQ0vRVOCN7FC0lVZ+O4hSAfYJq7KdzD55HGFNZ1SgncUI3/S
            XgGe/0g5rvyHi2Mc67Sl/6ooLL3AeelzTgOD1deMKO7inzfFfolETn42O09H3RL4
            FVDaqZTgxRTo5vI0xy7tt8WzC2RnnKO04eCU2Fpzz/jORMD1YCOoAGuf5ZDsJbM=
            =9p2Q
            -----END PGP MESSAGE-----
          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
    encrypted_regex: ^(data|stringData)$
    version: 3.9.1
--- a/apps/grafana/release.yaml
+++ b/apps/grafana/release.yaml
@ -23,17 +23,13 @@ spec:
        - secretName: ${domain//./-}-tls
      annotations:
        traefik.ingress.kubernetes.io/router.entryPoints: "websecure"
-        traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd"
+        traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd" # name of your middleware, as defined in your middleware.yml
        traefik.ingress.kubernetes.io/router.tls: "true"
    envValueFrom:
-      BIND_DN:
+      LDAP_ADMIN_PASSWORD:
        secretKeyRef:
-          name: grafana-lldap-credentials
+          name: grafana-lldap
          key: bind_dn
      LDAP_PASSWORD:
        secretKeyRef:
          name: grafana-lldap-credentials
          key: password
    grafana.ini:
@ -65,15 +61,9 @@ spec:
      enabled: true
      existingSecret: grafana-ldap-toml
    sidecar:
      datasources:
        enabled: true
        searchNamespace: ALL
        labelValue: "1"
    extraSecretMounts:
-      - name: postgres-app-mount
+      - name: grafana-db-cluster-app-mount
-        secretName: postgres-app
+        secretName: grafana-db-cluster-app
        defaultMode: 0440
        mountPath: /etc/secrets/db
        readOnly: true
--- a/apps/grafana/service-user.yaml
+++ b/apps/grafana/service-user.yaml
@ -1,5 +0,0 @@
 apiVersion: lldap.huizinga.dev/v1
 kind: ServiceUser
 metadata:
  name: grafana
 spec: {}
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@ -1,7 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./lldap
  - ./authelia
  - ./grafana
  - ./traefik-dashboard
  - ./whoami.yaml
  - ./akri-demo.yaml
--- a/apps/lldap/bootstrap/bootstrap-job.yaml
+++ b/apps/lldap/bootstrap/bootstrap-job.yaml
@ -0,0 +1,101 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
  name: lldap-bootstrap
  annotations:
    kustomize.toolkit.fluxcd.io/force: enabled
 spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: lldap-bootstrap
          image: lldap/lldap:v0.5.0
          command:
            - /bootstrap/bootstrap.sh
          env:
            - name: LLDAP_URL
              value: "http://lldap:17170"
            - name: LLDAP_ADMIN_USERNAME
              value: admin
            - name: LLDAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: lldap-credentials
                  key: lldap-ldap-user-pass
            - name: DO_CLEANUP
              value: "true"
          volumeMounts:
            - name: bootstrap
              mountPath: /bootstrap/bootstrap.sh
              readOnly: true
              subPath: bootstrap.sh
            - name: user-configs
              mountPath: /bootstrap/user-configs
              readOnly: true
            - name: group-configs
              mountPath: /bootstrap/group-configs
              readOnly: true
            - name: system-users
              mountPath: /bootstrap/system-users
              readOnly: true
      volumes:
        - name: bootstrap
          configMap:
            name: bootstrap
            defaultMode: 0555
            items:
              - key: bootstrap.sh
                path: bootstrap.sh
        - name: user-configs
          projected:
            sources:
              - secret:
                  name: lldap-bootstrap-configs
                  items:
                    - key: user-configs.json
                      path: user-configs.json
              - secret:
                  name: authelia-lldap
                  items:
                    - key: user-configs.json
                      path: authelia-configs.json
              - secret:
                  name: grafana-lldap
                  items:
                    - key: user-configs.json
                      path: grafana-configs.json
        - name: system-users
          projected:
            sources:
              - secret:
                  name: authelia-lldap
                  items:
                    - key: password
                      path: authelia
              - secret:
                  name: grafana-lldap
                  items:
                    - key: password
                      path: grafana
        - name: group-configs
          projected:
            sources:
              - secret:
                  name: lldap-bootstrap-configs
                  items:
                    - key: group-configs.json
                      path: group-configs.json
--- a/apps/lldap/bootstrap/bootstrap.sh
+++ b/apps/lldap/bootstrap/bootstrap.sh
@ -0,0 +1,612 @@
 #!/usr/bin/env bash
 set -e
 set -o pipefail
 LLDAP_URL="${LLDAP_URL:-http://localhost:17170}"
 LLDAP_ADMIN_USERNAME="${LLDAP_ADMIN_USERNAME:-admin}"
 LLDAP_ADMIN_PASSWORD="${LLDAP_ADMIN_PASSWORD:-password}"
 USER_SCHEMAS_DIR="${USER_SCHEMAS_DIR:-/bootstrap/user-schemas}"
 SYSTEM_USERS_DIR="${SYSTEM_USERS_DIR:-/bootstrap/system-users}"
 GROUP_SCHEMAS_DIR="${GROUP_SCHEMAS_DIR:-/bootstrap/group-schemas}"
 USER_CONFIGS_DIR="${USER_CONFIGS_DIR:-/bootstrap/user-configs}"
 GROUP_CONFIGS_DIR="${GROUP_CONFIGS_DIR:-/bootstrap/group-configs}"
 LLDAP_SET_PASSWORD_PATH="${LLDAP_SET_PASSWORD_PATH:-/app/lldap_set_password}"
 DO_CLEANUP="${DO_CLEANUP:-false}"
 # Fallback to support legacy defaults
 if [[ ! -d $USER_CONFIGS_DIR ]] && [[ -d "/user-configs" ]]; then
  USER_CONFIGS_DIR="/user-configs"
 fi
 if [[ ! -d $GROUP_CONFIGS_DIR ]] && [[ -d "/group-configs" ]]; then
  GROUP_CONFIGS_DIR="/group-configs"
 fi
 check_install_dependencies() {
  local commands=('curl' 'jq' 'jo')
  local commands_not_found='false'
  if ! hash "${commands[@]}" 2>/dev/null; then
    if hash 'apk' 2>/dev/null && [[ $EUID -eq 0 ]]; then
      apk add "${commands[@]}"
    elif hash 'apt' 2>/dev/null && [[ $EUID -eq 0 ]]; then
      apt update -yqq
      apt install -yqq "${commands[@]}"
    else
      local command=''
      for command in "${commands[@]}"; do
        if ! hash "$command" 2>/dev/null; then
          printf 'Command not found "%s"\n' "$command"
        fi
      done
      commands_not_found='true'
    fi
  fi
  if [[ "$commands_not_found" == 'true' ]]; then
    return 1
  fi
 }
 check_required_env_vars() {
  local env_var_not_specified='false'
  local dual_env_vars_list=(
    'LLDAP_URL'
    'LLDAP_ADMIN_USERNAME'
    'LLDAP_ADMIN_PASSWORD'
  )
  local dual_env_var_name=''
  for dual_env_var_name in "${dual_env_vars_list[@]}"; do
    local dual_env_var_file_name="${dual_env_var_name}_FILE"
    if [[ -z "${!dual_env_var_name}" ]] && [[ -z "${!dual_env_var_file_name}" ]]; then
      printf 'Please specify "%s" or "%s" variable!\n' "$dual_env_var_name" "$dual_env_var_file_name" >&2
      env_var_not_specified='true'
    else
      if [[ -n "${!dual_env_var_file_name}" ]]; then
        declare -g "$dual_env_var_name"="$(cat "${!dual_env_var_file_name}")"
      fi
    fi
  done
  if [[ "$env_var_not_specified" == 'true' ]]; then
    return 1
  fi
 }
 check_configs_validity() {
  local config_file='' config_invalid='false'
  for config_file in "$@"; do
    local error=''
    if ! error="$(jq '.' -- "$config_file" 2>&1 >/dev/null)"; then
      printf '%s: %s\n' "$config_file" "$error"
      config_invalid='true'
    fi
  done
  if [[ "$config_invalid" == 'true' ]]; then
    return 1
  fi
 }
 auth() {
  local url="$1" admin_username="$2" admin_password="$3"
  local response
  response="$(curl --silent --request POST \
    --url "$url/auth/simple/login" \
    --header 'Content-Type: application/json' \
    --data "$(jo -- username="$admin_username" password="$admin_password")")"
  TOKEN="$(printf '%s' "$response" | jq --raw-output .token)"
 }
 make_query() {
  local query_file="$1" variables_file="$2"
  curl --silent --request POST \
    --url "$LLDAP_URL/api/graphql" \
    --header "Authorization: Bearer $TOKEN" \
    --header 'Content-Type: application/json' \
    --data @<(jq --slurpfile variables "$variables_file" '. + {"variables": $variables[0]}' "$query_file")
 }
 get_group_list() {
  local query='{"query":"query GetGroupList {groups {id displayName}}","operationName":"GetGroupList"}'
  make_query <(printf '%s' "$query") <(printf '{}')
 }
 get_group_array() {
  get_group_list | jq --raw-output '.data.groups[].displayName'
 }
 group_exists() {
  if [[ "$(get_group_list | jq --raw-output --arg displayName "$1" '.data.groups | any(.[]; select(.displayName == $displayName))')" == 'true' ]]; then
    return 0
  else
    return 1
  fi
 }
 get_group_id() {
  get_group_list | jq --raw-output --arg displayName "$1" '.data.groups[] | if .displayName == $displayName then .id else empty end'
 }
 create_group() {
  local group_name="$1"
  if group_exists "$group_name"; then
    printf 'Group "%s" (%s) already exists\n' "$group_name" "$(get_group_id "$group_name")"
    return
  fi
  # shellcheck disable=SC2016
  local query='{"query":"mutation CreateGroup($name: String!) {createGroup(name: $name) {id displayName}}","operationName":"CreateGroup"}'
  local response='' error=''
  response="$(make_query <(printf '%s' "$query") <(jo -- name="$group_name"))"
  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
  if [[ -n "$error" ]]; then
    printf '%s\n' "$error"
  else
    printf 'Group "%s" (%s) successfully created\n' "$group_name" "$(printf '%s' "$response" | jq --raw-output '.data.createGroup.id')"
  fi
 }
 delete_group() {
  local group_name="$1" id=''
  if ! group_exists "$group_name"; then
    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
    return
  fi
  id="$(get_group_id "$group_name")"
  # shellcheck disable=SC2016
  local query='{"query":"mutation DeleteGroupQuery($groupId: Int!) {deleteGroup(groupId: $groupId) {ok}}","operationName":"DeleteGroupQuery"}'
  local response='' error=''
  response="$(make_query <(printf '%s' "$query") <(jo -- groupId="$id"))"
  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
  if [[ -n "$error" ]]; then
    printf '%s\n' "$error"
  else
    printf 'Group "%s" (%s) successfully deleted\n' "$group_name" "$id"
  fi
 }
 get_user_details() {
  local id="$1"
  # shellcheck disable=SC2016
  local query='{"query":"query GetUserDetails($id: String!) {user(userId: $id) {id email displayName firstName lastName creationDate uuid groups {id displayName}}}","operationName":"GetUserDetails"}'
  make_query <(printf '%s' "$query") <(jo -- id="$id")
 }
 user_in_group() {
  local user_id="$1" group_name="$2"
  if ! group_exists "$group_name"; then
    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
    return
  fi
  if ! user_exists "$user_id"; then
    printf 'User "%s" is not exists\n' "$user_id"
    return
  fi
  if [[ "$(get_user_details "$user_id" | jq --raw-output --arg displayName "$group_name" '.data.user.groups | any(.[]; select(.displayName == $displayName))')" == 'true' ]]; then
    return 0
  else
    return 1
  fi
 }
 add_user_to_group() {
  local user_id="$1" group_name="$2" group_id=''
  if ! group_exists "$group_name"; then
    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
    return
  fi
  group_id="$(get_group_id "$group_name")"
  if user_in_group "$user_id" "$group_name"; then
    printf 'User "%s" already in group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
    return
  fi
  # shellcheck disable=SC2016
  local query='{"query":"mutation AddUserToGroup($user: String!, $group: Int!) {addUserToGroup(userId: $user, groupId: $group) {ok}}","operationName":"AddUserToGroup"}'
  local response='' error=''
  response="$(make_query <(printf '%s' "$query") <(jo -- user="$user_id" group="$group_id"))"
  error="$(printf '%s' "$response" | jq '.errors | if . != null then .[].message else empty end')"
  if [[ -n "$error" ]]; then
    printf '%s\n' "$error"
  else
    printf 'User "%s" successfully added to the group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
  fi
 }
 remove_user_from_group() {
  local user_id="$1" group_name="$2" group_id=''
  if ! group_exists "$group_name"; then
    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
    return
  fi
  group_id="$(get_group_id "$group_name")"
  # shellcheck disable=SC2016
  local query='{"operationName":"RemoveUserFromGroup","query":"mutation RemoveUserFromGroup($user: String!, $group: Int!) {removeUserFromGroup(userId: $user, groupId: $group) {ok}}"}'
  local response='' error=''
  response="$(make_query <(printf '%s' "$query") <(jo -- user="$user_id" group="$group_id"))"
  error="$(printf '%s' "$response" | jq '.errors | if . != null then .[].message else empty end')"
  if [[ -n "$error" ]]; then
    printf '%s\n' "$error"
  else
    printf 'User "%s" successfully removed from the group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
  fi
 }
 get_users_list() {
  # shellcheck disable=SC2016
  local query='{"query": "query ListUsersQuery($filters: RequestFilter) {users(filters: $filters) {id email displayName firstName lastName creationDate}}","operationName": "ListUsersQuery"}'
  make_query <(printf '%s' "$query") <(jo -- filters=null)
 }
 user_exists() {
  if [[ "$(get_users_list | jq --raw-output --arg id "$1" '.data.users | any(.[]; .id == $id)')" == 'true' ]]; then
    return 0
  else
    return 1
  fi
 }
 delete_user() {
  local id="$1"
  if ! user_exists "$id"; then
    printf 'User "%s" is not exists\n' "$id"
    return
  fi
  # shellcheck disable=SC2016
  local query='{"query": "mutation DeleteUserQuery($user: String!) {deleteUser(userId: $user) {ok}}","operationName": "DeleteUserQuery"}'
  local response='' error=''
  response="$(make_query <(printf '%s' "$query") <(jo -- user="$id"))"
  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
  if [[ -n "$error" ]]; then
    printf '%s\n' "$error"
  else
    printf 'User "%s" successfully deleted\n' "$id"
  fi
 }
 get_group_property_list() {
  local query='{"query":"query GetGroupAttributesSchema { schema { groupSchema { attributes { name }}}}","operationName":"GetGroupAttributesSchema"}'
  make_query <(printf '%s' "$query") <(printf '{}')
 }
 group_property_exists() {
  if [[ "$(get_group_property_list | jq --raw-output --arg name "$1" '.data.schema.groupSchema.attributes | any(.[]; select(.name == $name))')" == 'true' ]]; then
    return 0
  else
    return 1
  fi
 }
 create_group_schema_property() {
  local name="$1"
  local attributeType="$2"
  local isEditable="$3"
  local isList="$4"
  local isVisible="$5"
  if group_property_exists "$name"; then
    printf 'Group property "%s" already exists\n' "$name"
    return
  fi
  # shellcheck disable=SC2016
  local query='{"query":"mutation CreateGroupAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!, $isEditable: Boolean!) {addGroupAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: $isEditable) {ok}}","operationName":"CreateGroupAttribute"}'
  local response='' error=''
  response="$(make_query <(printf '%s' "$query") <(jo -- name="$name" attributeType="$attributeType" isEditable="$isEditable" isList="$isList" isVisible="$isVisible"))"
  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
  if [[ -n "$error" ]]; then
    printf '%s\n' "$error"
  else
    printf 'Group attribute "%s" successfully created\n' "$name"
  fi
 }
 get_user_property_list() {
  local query='{"query":"query GetUserAttributesSchema { schema { userSchema { attributes { name }}}}","operationName":"GetUserAttributesSchema"}'
  make_query <(printf '%s' "$query") <(printf '{}')
 }
 user_property_exists() {
  if [[ "$(get_user_property_list | jq --raw-output --arg name "$1" '.data.schema.userSchema.attributes | any(.[]; select(.name == $name))')" == 'true' ]]; then
    return 0
  else
    return 1
  fi
 }
 create_user_schema_property() {
  local name="$1"
  local attributeType="$2"
  local isEditable="$3"
  local isList="$4"
  local isVisible="$5"
  if user_property_exists "$name"; then
    printf 'User property "%s" already exists\n' "$name"
    return
  fi
  # shellcheck disable=SC2016
  local query='{"query":"mutation CreateUserAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!, $isEditable: Boolean!) {addUserAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: $isEditable) {ok}}","operationName":"CreateUserAttribute"}'
  local response='' error=''
  response="$(make_query <(printf '%s' "$query") <(jo -- name="$name" attributeType="$attributeType" isEditable="$isEditable" isList="$isList" isVisible="$isVisible"))"
  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
  if [[ -n "$error" ]]; then
    printf '%s\n' "$error"
  else
    printf 'User attribute "%s" successfully created\n' "$name"
  fi
 }
 __common_user_mutation_query() {
  local \
    query="$1" \
    id="${2:-null}" \
    email="${3:-null}" \
    displayName="${4:-null}" \
    firstName="${5:-null}" \
    lastName="${6:-null}" \
    avatar_file="${7:-null}" \
    avatar_url="${8:-null}" \
    gravatar_avatar="${9:-false}" \
    weserv_avatar="${10:-false}"
  local variables_arr=(
    '-s' "id=$id"
    '-s' "email=$email"
    '-s' "displayName=$displayName"
    '-s' "firstName=$firstName"
    '-s' "lastName=$lastName"
  )
  local temp_avatar_file=''
  if [[ "$gravatar_avatar" == 'true' ]]; then
    avatar_url="https://gravatar.com/avatar/$(printf '%s' "$email" | sha256sum | cut -d ' ' -f 1)?size=512"
  fi
  if [[ "$avatar_url" != 'null' ]]; then
    temp_avatar_file="${TMP_AVATAR_DIR}/$(printf '%s' "$avatar_url" | md5sum | cut -d ' ' -f 1)"
    if ! [[ -f "$temp_avatar_file" ]]; then
      if [[ "$weserv_avatar" == 'true' ]]; then
        avatar_url="https://wsrv.nl/?url=$avatar_url&output=jpg"
      fi
      curl --silent --location --output "$temp_avatar_file" "$avatar_url"
    fi
    avatar_file="$temp_avatar_file"
  fi
  if [[ "$avatar_file" == 'null' ]]; then
    variables_arr+=('-s' 'avatar=null')
  else
    variables_arr+=("avatar=%$avatar_file")
  fi
  make_query <(printf '%s' "$query") <(jo -- user=:<(jo -- "${variables_arr[@]}"))
 }
 create_user() {
  local id="$1"
  if user_exists "$id"; then
    printf 'User "%s" already exists\n' "$id"
    return
  fi
  # shellcheck disable=SC2016
  local query='{"query":"mutation CreateUser($user: CreateUserInput!) {createUser(user: $user) {id creationDate}}","operationName":"CreateUser"}'
  local response='' error=''
  response="$(__common_user_mutation_query "$query" "$@")"
  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
  if [[ -n "$error" ]]; then
    printf '%s\n' "$error"
  else
    printf 'User "%s" successfully created\n' "$id"
  fi
 }
 update_user() {
  local id="$1"
  if ! user_exists "$id"; then
    printf 'User "%s" is not exists\n' "$id"
    return
  fi
  # shellcheck disable=SC2016
  local query='{"query":"mutation UpdateUser($user: UpdateUserInput!) {updateUser(user: $user) {ok}}","operationName":"UpdateUser"}'
  local response='' error=''
  response="$(__common_user_mutation_query "$query" "$@")"
  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
  if [[ -n "$error" ]]; then
    printf '%s\n' "$error"
  else
    printf 'User "%s" successfully updated\n' "$id"
  fi
 }
 create_update_user() {
  local id="$1"
  if user_exists "$id"; then
    update_user "$@"
  else
    create_user "$@"
  fi
 }
 main() {
  check_install_dependencies
  check_required_env_vars
  local user_config_files=("${USER_CONFIGS_DIR}"/*.json)
  local group_config_files=("${GROUP_CONFIGS_DIR}"/*.json)
  local user_schema_files=()
  local group_schema_files=()
  local file=''
  [[ -d "$USER_SCHEMAS_DIR" ]] && for file in "${USER_SCHEMAS_DIR}"/*.json; do
    user_schema_files+=("$file")
  done
  [[ -d "$GROUP_SCHEMAS_DIR" ]] && for file in "${GROUP_SCHEMAS_DIR}"/*.json; do
    group_schema_files+=("$file")
  done
  [[ -d "$SYSTEM_USERS_DIR" ]] && for file in "${SYSTEM_USERS_DIR}"/*; do
 	  printf -- "$(basename $file) => $(cat $file)\n"
  done
  create_user_schema_property "managed" "integer" "false" "false" "false"
  if ! check_configs_validity "${group_config_files[@]}" "${user_config_files[@]}" "${group_schema_files[@]}" "${user_schema_files[@]}"; then
    exit 1
  fi
  until curl --silent -o /dev/null "$LLDAP_URL"; do
    printf 'Waiting lldap to start...\n'
    sleep 10
  done
  auth "$LLDAP_URL" "$LLDAP_ADMIN_USERNAME" "$LLDAP_ADMIN_PASSWORD"
  printf -- '\n--- group schemas ---\n'
  local group_schema_config_row=''
  [[ ${#group_schema_files[@]} -gt 0 ]] && while read -r group_schema_config_row; do
    local field='' name='' attributeType='' isEditable='' isList='' isVisible=''
    for field in 'name' 'attributeType' 'isEditable' 'isList' 'isVisible'; do
      declare "$field"="$(printf '%s' "$group_schema_config_row" | jq --raw-output --arg field "$field" '.[$field]')"
    done
    create_group_schema_property "$name" "$attributeType" "$isEditable" "$isList" "$isVisible"
  done < <(jq --compact-output '.[]' -- "${group_schema_files[@]}")
  printf -- '--- group schemas ---\n'
  printf -- '\n--- user schemas ---\n'
  local user_schema_config_row=''
  [[ ${#user_schema_files[@]} -gt 0 ]] && while read -r user_schema_config_row; do
    local field='' name='' attributeType='' isEditable='' isList='' isVisible=''
    for field in 'name' 'attributeType' 'isEditable' 'isList' 'isVisible'; do
      declare "$field"="$(printf '%s' "$user_schema_config_row" | jq --raw-output --arg field "$field" '.[$field]')"
    done
    create_user_schema_property "$name" "$attributeType" "$isEditable" "$isList" "$isVisible"
  done < <(jq --compact-output '.[]' -- "${user_schema_files[@]}")
  printf -- '--- user schemas ---\n'
  local redundant_groups=''
  redundant_groups="$(get_group_list | jq '[ .data.groups[].displayName ]' | jq --compact-output '. - ["lldap_admin","lldap_password_manager","lldap_strict_readonly"]')"
  printf -- '\n--- groups ---\n'
  local group_config=''
  while read -r group_config; do
    local group_name=''
    group_name="$(printf '%s' "$group_config" | jq --raw-output '.name')"
    create_group "$group_name"
    redundant_groups="$(printf '%s' "$redundant_groups" | jq --compact-output --arg name "$group_name" '. - [$name]')"
  done < <(jq --compact-output '.' -- "${group_config_files[@]}")
  printf -- '--- groups ---\n'
  printf -- '\n--- redundant groups ---\n'
  if [[ "$redundant_groups" == '[]' ]]; then
    printf 'There are no redundant groups\n'
  else
    local group_name=''
    while read -r group_name; do
      if [[ "$DO_CLEANUP" == 'true' ]]; then
        delete_group "$group_name"
      else
        printf '[WARNING] Group "%s" is not declared in config files\n' "$group_name"
      fi
    done < <(printf '%s' "$redundant_groups" | jq --raw-output '.[]')
  fi
  printf -- '--- redundant groups ---\n'
  local redundant_users=''
  redundant_users="$(get_users_list | jq '[ .data.users[].id ]' | jq --compact-output --arg admin_id "$LLDAP_ADMIN_USERNAME" '. - [$admin_id]')"
  TMP_AVATAR_DIR="$(mktemp -d)"
  local user_config=''
  while read -r user_config; do
    local field='' id='' email='' displayName='' firstName='' lastName='' avatar_file='' avatar_url='' gravatar_avatar='' weserv_avatar='' password=''
    for field in 'id' 'email' 'displayName' 'firstName' 'lastName' 'avatar_file' 'avatar_url' 'gravatar_avatar' 'weserv_avatar' 'password'; do
      declare "$field"="$(printf '%s' "$user_config" | jq --raw-output --arg field "$field" '.[$field]')"
    done
    printf -- '\n--- %s ---\n' "$id"
    create_update_user "$id" "$email" "$displayName" "$firstName" "$lastName" "$avatar_file" "$avatar_url" "$gravatar_avatar" "$weserv_avatar"
    redundant_users="$(printf '%s' "$redundant_users" | jq --compact-output --arg id "$id" '. - [$id]')"
    if [[ "$password" != 'null' ]] && [[ "$password" != '""' ]]; then
      "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$password"
    fi
    local redundant_user_groups=''
    redundant_user_groups="$(get_user_details "$id" | jq '[ .data.user.groups[].displayName ]')"
    local group=''
    while read -r group; do
      if [[ -n "$group" ]]; then
        add_user_to_group "$id" "$group"
        redundant_user_groups="$(printf '%s' "$redundant_user_groups" | jq --compact-output --arg group "$group" '. - [$group]')"
      fi
    done < <(printf '%s' "$user_config" | jq --raw-output '.groups | if . == null then "" else .[] end')
    local user_group_name=''
    while read -r user_group_name; do
      if [[ "$DO_CLEANUP" == 'true' ]]; then
        remove_user_from_group "$id" "$user_group_name"
      else
        printf '[WARNING] User "%s" is not declared as member of the "%s" group in the config files\n' "$id" "$user_group_name"
      fi
    done < <(printf '%s' "$redundant_user_groups" | jq --raw-output '.[]')
    printf -- '--- %s ---\n' "$id"
  done < <(jq --compact-output '.' -- "${user_config_files[@]}")
  rm -r "$TMP_AVATAR_DIR"
  printf -- '\n--- redundant users ---\n'
  if [[ "$redundant_users" == '[]' ]]; then
    printf 'There are no redundant users\n'
  else
    local id=''
    while read -r id; do
      if [[ "$DO_CLEANUP" == 'true' ]]; then
        delete_user "$id"
      else
        printf '[WARNING] User "%s" is not declared in config files\n' "$id"
      fi
    done < <(printf '%s' "$redundant_users" | jq --raw-output '.[]')
  fi
  printf -- '--- redundant users ---\n'
 }
 main "$@"
--- a/apps/lldap/bootstrap/group-configs.json
+++ b/apps/lldap/bootstrap/group-configs.json
--- a/apps/lldap/bootstrap/kustomization.yaml
+++ b/apps/lldap/bootstrap/kustomization.yaml
@ -0,0 +1,20 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./bootstrap-job.yaml
  - ../../authelia/lldap.yaml
  - ../../grafana/lldap.yaml
 configMapGenerator:
  - name: bootstrap
    options:
      annotations:
        kustomize.toolkit.fluxcd.io/substitute: disabled
    files:
      - bootstrap.sh
 secretGenerator:
  - name: lldap-bootstrap-configs
    files:
      - user-configs.json
      - group-configs.json
--- a/apps/lldap/bootstrap/user-configs.json
+++ b/apps/lldap/bootstrap/user-configs.json
@ -0,0 +1,8 @@
 {
  "id": "dreaded_x",
  "email": "tim@huizinga.dev",
  "password": "JustATest",
  "displayName": "Tim Huizinga",
  "firstName": "Tim",
  "lastName": "Huizinga"
 }
--- a/infra/lldap/lldap/deployment.yaml
+++ b/infra/lldap/lldap/deployment.yaml
@ -1,11 +1,21 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  annotations:
    lldap: https://github.com/nitnelave/lldap
    k8s: https://github.com/Evantage-WS/lldap-kubernetes
  labels:
    app: lldap
  name: lldap
 spec:
  replicas: 2
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: kubernetes.io/hostname
      whenUnsatisfiable: ScheduleAnyway
      labelSelector:
        matchLabels:
          type: dummy
  selector:
    matchLabels:
      app: lldap
@ -13,16 +23,12 @@ spec:
    type: Recreate
  template:
    metadata:
      annotations:
        lldap: https://github.com/nitnelave/lldap
        k8s: https://github.com/Evantage-WS/lldap-kubernetes
      labels:
        app: lldap
    spec:
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app: lldap
      containers:
        - env:
            - name: GID
@ -42,7 +48,7 @@ spec:
            - name: LLDAP_DATABASE_URL
              valueFrom:
                secretKeyRef:
-                  name: postgres-app
+                  name: lldap-db-cluster-app
                  key: uri
            - name: TZ
              value: CET
--- a/infra/lldap/lldap/ingress-route.yaml
+++ b/infra/lldap/lldap/ingress-route.yaml
--- a/infra/lldap/lldap/kustomization.yaml
+++ b/infra/lldap/lldap/kustomization.yaml
@ -3,8 +3,11 @@ kind: Kustomization
 namespace: lldap
 resources:
  - ./namespace.yaml
-  - ./secret-lldap-credentials.yaml
+  - ./secret.yaml
  - ./deployment.yaml
  - ./service.yaml
-  - ./ingress-route.yaml
+  - ./ingress.yaml
-  - ../../../common/postgres
+  - ./bootstrap
 components:
  - ../../common/postgres
--- a/infra/lldap/lldap/namespace.yaml
+++ b/infra/lldap/lldap/namespace.yaml
--- a/infra/lldap/lldap/secret-lldap-credentials.yaml
+++ b/infra/lldap/lldap/secret-lldap-credentials.yaml
@ -12,8 +12,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2025-03-06T23:49:59Z"
+    lastmodified: "2024-11-15T00:11:50Z"
-    mac: ENC[AES256_GCM,data:ZOqHwRCaVup2NvSTgbE74T1tdCQl46pi3HSPCVGJBWpVTEdjjKs++X8g2EgXFPdJtOolhDrKYqx8EGpCeFXDdOvYolTfGNdTEMmddqeVAS9R/TBiga4HWM4cOu5utLSHgIFRVIrXvbcJzpR36zNy6qau9LStsaP4eXQ/U1Z+Ft8=,iv:j3aczsmvBge7i1AQZciVbSK6DU5wSkYamjpLhQYR5Zw=,tag:EZo+cThfGIiWkqGBA5JMow==,type:str]
+    mac: ENC[AES256_GCM,data:OzLVKH3dUInlnYZQV0qRyZqMOIMVAp9FMHf5Dl2abRzYJo67dBLErGqoYGfwSK5G1R6VLrIK0M9ibY6rL2kSHXTk7esjj404YAEBZgkNc7GBCnqLwUTiLu+XDk4lu+vqErP6hriem8/DK0w0E9KQSBsxPzIWJSMfk3vGyr1d+2I=,iv:1MDGsCx021d4Ob82Rq89JieTmkFbX6wxT1+taXI6H7o=,tag:e8LmFvLmB+rJb8xQ+DTFtg==,type:str]
    pgp:
        - created_at: "2024-11-14T23:59:47Z"
          enc: |-
@ -57,4 +57,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
    encrypted_regex: ^(data|stringData)$
-    version: 3.9.1
+    version: 3.9.0
--- a/infra/lldap/lldap/service.yaml
+++ b/infra/lldap/lldap/service.yaml
@ -1,6 +1,9 @@
 apiVersion: v1
 kind: Service
 metadata:
  annotations:
    lldap: https://github.com/nitnelave/lldap
    k8s: https://github.com/Evantage-WS/lldap-kubernetes
  name: lldap
 spec:
  ports:
--- a/apps/traefik-dashboard/ingress.yaml
+++ b/apps/traefik-dashboard/ingress.yaml
@ -0,0 +1,19 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: traefik-dashboard
  namespace: traefik
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.${domain}`)
      kind: Rule
      middlewares:
        - name: forwardauth-authelia
          namespace: authelia
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: ${domain//./-}-tls
--- a/infra/traefik/traefik-middleware/kustomization.yaml
+++ b/infra/traefik/traefik-middleware/kustomization.yaml
@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: traefik
 resources:
-  - ./default-headers.yaml
+  - ingress.yaml
--- a/apps/whoami.yaml
+++ b/apps/whoami.yaml
@ -8,6 +8,13 @@ metadata:
 spec:
  replicas: 2
  topologySpreadConstraints:
    - maxSkew: 1
      topologyKey: kubernetes.io/hostname
      whenUnsatisfiable: DoNotSchedule
      labelSelector:
        matchLabels:
          type: dummy
  selector:
    matchLabels:
      app: whoami
@ -16,13 +23,6 @@ spec:
      labels:
        app: whoami
    spec:
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app: whoami
      containers:
        - name: whoami
          image: traefik/whoami
--- a/clusters/titan.lan.huizinga.dev/alerts/alert-flux-infra.yaml
+++ b/clusters/titan.lan.huizinga.dev/alerts/alert-flux-infra.yaml
@ -1,14 +0,0 @@
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Alert
 metadata:
  name: flux-infra
  namespace: flux-system
 spec:
  providerRef:
    name: flux-infra
  eventSeverity: info
  eventSources:
    - kind: Kustomization
      name: "*"
      matchLabels:
        alert: flux-infra
--- a/clusters/titan.lan.huizinga.dev/alerts/alert-telegram.yaml
+++ b/clusters/titan.lan.huizinga.dev/alerts/alert-telegram.yaml
@ -1,12 +0,0 @@
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Alert
 metadata:
  name: telegram
  namespace: flux-system
 spec:
  providerRef:
    name: telegram
  eventSeverity: error
  eventSources:
    - kind: Kustomization
      name: "*"
--- a/clusters/titan.lan.huizinga.dev/alerts/provider-flux-infra.yaml
+++ b/clusters/titan.lan.huizinga.dev/alerts/provider-flux-infra.yaml
@ -1,10 +0,0 @@
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
  name: flux-infra
  namespace: flux-system
 spec:
  type: gitea
  address: https://git.huizinga.dev/dreaded_x/flux-infra
  secretRef:
    name: gitea
--- a/clusters/titan.lan.huizinga.dev/alerts/provider-telegram.yaml
+++ b/clusters/titan.lan.huizinga.dev/alerts/provider-telegram.yaml
@ -1,11 +0,0 @@
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
  name: telegram
  namespace: flux-system
 spec:
  type: telegram
  address: https://api.telegram.org
  channel: "-4748034121"
  secretRef:
    name: telegram
--- a/clusters/titan.lan.huizinga.dev/alerts/secret-gitea.yaml
+++ b/clusters/titan.lan.huizinga.dev/alerts/secret-gitea.yaml
@ -1,54 +0,0 @@
 apiVersion: v1
 stringData:
    token: ENC[AES256_GCM,data:jn3t5g5fkCmqXf7JEfn7HBigY60nPh3AqYzZ9fkEuj2RjN6ieAfiOg==,iv:b28wHrtETq+p/jH52c3RKYzthh7+IQmvRhVzY/TlnfI=,tag:kr+vdWBGihYN6AklQLYeTw==,type:str]
 kind: Secret
 metadata:
    name: gitea
    namespace: flux-system
 sops:
    lastmodified: "2025-04-22T12:14:43Z"
    mac: ENC[AES256_GCM,data:fb5EyaUv2slDoSNLNJZZPg2ZXwUC5tbdG2vDZEle3PfCDAWxQmEJ36hMQ9RcE8Ec5jfj/Ia6VOP+VOpLSIlQHzGeG3raEW+I/NBTN04KazsDhgzOfAlhTi8COkmu0D5hv3TfFPkWVV/Uw2zIpOsqTv56IoIKyPun+ndt470TgGE=,iv:k754Ju4XGpUCCsdkgQxaE2LEJNEBkQ4lcDIRIqZJnbY=,tag:1t3X7id14qhOvAA9pRw+wQ==,type:str]
    pgp:
        - created_at: "2025-04-22T11:56:49Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7pKPTYH5bqOARAAioWyCnKFGD/5XeH++ulmfannJcwuFbiJ+jyoYxbmbxZK
            egOXaOg9jkw+FuKy+u/5QNFZAgL4Ju3dMOyeBuZXGAgchVoDuqFANj7sXMhUnBkc
            BuKLs/ob5U2KUD2YU+fFQd4XZfOepPGZF9qNwl4wttUxhawzQ66G49j23B8bxe1E
            0Isddm7SCzF0OJOogaJ1rh9ylfzwlBW0PaBhBaIlNs+PIUJW7URWouDJnWh+jBvE
            qT8brYP7gb+Tl9lNihJdPLG32jiYhQxueIkm6BqSUQlU+yW/q8RUhp4+hLAaSOvC
            vTx1qqhn9ipZWG+EgPatUtV2gW0U9jOPRAstC1/zUe6UljIuQAEDx844j1sfmKxl
            1bPdl1790V2bDDvDX4zeRAR6N6lzNkfYd02ZvWVKkUr3dTCfn/dJ6LM39tfZNeh2
            WKnIN/PoxPL2srD9QRQmVPBqoLJrBKs1v1jWBEfMdT75H8e4CHu69o0FCzxLi/Ty
            /2Hz9zIyBlPsyUA6EHjmccnjE2dVkmgRcaQbhEaYMtM7pyECoCfixGdpgV+7iM6L
            PnYVusFueMVX80HYoNl4/ZXf+1U5/aW3mnSgK8+4uX8m4/MqGi4tvYT/QdOUkEvS
            kXSsfok5yBcYdoqUJl6N/gfP9Z9R6WqrCL4p98t2BiLpcu6TZnsP0ruJlRlzTjLU
            ZgEJAhATXTi3So37vsc8TqTDXqkJjrwxk9k4cGfwd8PWFvuS+xzdKGA/vcU6jXCD
            CQrTnQ2i6jZBi0L5FLunhG86BOSLs5GEhuO6PPjkyyJNbcX/Uh6hjzgwdElr14Qo
            P7QnueJTiw==
            =AMPG
            -----END PGP MESSAGE-----
          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
        - created_at: "2025-04-22T11:56:49Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA51kG++kLewoAQ//b3JTskIOENHA1W8uE5jqsyxPDVMJuXQNoHe2u0264kS8
            i2sC7SZa/Le98J9Gsl97CpA7xXVIcOWhma+6PTzrsaonn//nJyuh8YOfWAb/ZF4o
            ijtd7etTLcA9Hb1iRUek5oD7tXWiGhl+ROR3xd7Al+nzQmTpvHju+HFWJboWA7RC
            6PkusF1UAe39ZhZwxX2Hh8XdFfQdcrtFNIp7+TjMCO2Im54aBTRKLrz7aHlrjrgN
            tie1RAdDwEqZ0Zoh3jezpkQW+9aKtkTtiG5BLmQYhVPUN5GTKMMwKoiYNMEdNUWx
            s9SXiepDc9ZbdjiwGUig9pmuaKrPTSRh6kbmAWHyMKfwG4WZSgbh9gW0sU69rLdQ
            onaGRkIS87If6AgE0dCxOgcNZEiUQE1Rj8Ie/XtR6ufKNUdSAsbJSoKIja4MQdKl
            1BM2YJ5eD52e2J0XJJgLchW0nf7C+3Sil/wIRvU0k/lMniMHvXjWGfY5/v2TUF3Y
            R3Ng6KsaaIRGW5pWzAA5vBDjOlDaPdWYvWd+ZZ96cd0ToxgMpEDLGOBAOhBZGP95
            knqqsVTKswD3vy5h5bwevTxRdrPsmD+g26SbLZDYllRklNasGgfcf0CBydcftUHo
            ePHC1ThKpC0Eb80fxLvAyyW+O8LjqjGWK+q7pVGE8eZ7B5XGQRSfzQRuNmc1aIjS
            XAGtAlz0mJffgqHnOW++8CZjiUKWb5iSJuMqBcGPMuqz9nLBAP/n4/vw6nH4irAF
            qL1fkj4yurE7yMmBjYEWi+I+D66g6xpKvEWTyDGeiiqUD8nZXGojT7bWz072
            =zIA5
            -----END PGP MESSAGE-----
          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
    encrypted_regex: ^(data|stringData)$
    version: 3.10.1
--- a/clusters/titan.lan.huizinga.dev/alerts/secret-telegram.yaml
+++ b/clusters/titan.lan.huizinga.dev/alerts/secret-telegram.yaml
@ -1,54 +0,0 @@
 apiVersion: v1
 stringData:
    token: ENC[AES256_GCM,data:GgQ/uMKwKKxkEaqVlqH6RlhNTXE+9iM9C5seH0Vjsv/Rwb4aonM6Fy9lQUtiwg==,iv:xKKiRxMu0myMmT73XvUy69qt216TNbeJ4Y/0oUAK87s=,tag:ib0nLm2HkaB91vSllRPSWg==,type:str]
 kind: Secret
 metadata:
    name: telegram
    namespace: flux-system
 sops:
    lastmodified: "2025-04-22T14:43:42Z"
    mac: ENC[AES256_GCM,data:wiq7VPKe+PBXLbiL9VVJ0gjtAb0g0f5qJgZaDkFaeIn5KfXYauzX1MyoXxy0qSi5rBesKCmhhDhLHRW/SA7KJyaWO1GIdP9Obppm+l83zJ6FVn2XvDZQkP+IoEBCPUgooT4RBvvJUJJeA9BDuPV3ig43sYZM+47Vc/WFZrx1238=,iv:KqDkIbKqrv1087PQC10jNUfkeGvzaC9ZvwYwhLd3CcA=,tag:Tb6mKFaK3+3BmiuFfEXgQw==,type:str]
    pgp:
        - created_at: "2025-04-22T11:56:49Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7pKPTYH5bqOARAAioWyCnKFGD/5XeH++ulmfannJcwuFbiJ+jyoYxbmbxZK
            egOXaOg9jkw+FuKy+u/5QNFZAgL4Ju3dMOyeBuZXGAgchVoDuqFANj7sXMhUnBkc
            BuKLs/ob5U2KUD2YU+fFQd4XZfOepPGZF9qNwl4wttUxhawzQ66G49j23B8bxe1E
            0Isddm7SCzF0OJOogaJ1rh9ylfzwlBW0PaBhBaIlNs+PIUJW7URWouDJnWh+jBvE
            qT8brYP7gb+Tl9lNihJdPLG32jiYhQxueIkm6BqSUQlU+yW/q8RUhp4+hLAaSOvC
            vTx1qqhn9ipZWG+EgPatUtV2gW0U9jOPRAstC1/zUe6UljIuQAEDx844j1sfmKxl
            1bPdl1790V2bDDvDX4zeRAR6N6lzNkfYd02ZvWVKkUr3dTCfn/dJ6LM39tfZNeh2
            WKnIN/PoxPL2srD9QRQmVPBqoLJrBKs1v1jWBEfMdT75H8e4CHu69o0FCzxLi/Ty
            /2Hz9zIyBlPsyUA6EHjmccnjE2dVkmgRcaQbhEaYMtM7pyECoCfixGdpgV+7iM6L
            PnYVusFueMVX80HYoNl4/ZXf+1U5/aW3mnSgK8+4uX8m4/MqGi4tvYT/QdOUkEvS
            kXSsfok5yBcYdoqUJl6N/gfP9Z9R6WqrCL4p98t2BiLpcu6TZnsP0ruJlRlzTjLU
            ZgEJAhATXTi3So37vsc8TqTDXqkJjrwxk9k4cGfwd8PWFvuS+xzdKGA/vcU6jXCD
            CQrTnQ2i6jZBi0L5FLunhG86BOSLs5GEhuO6PPjkyyJNbcX/Uh6hjzgwdElr14Qo
            P7QnueJTiw==
            =AMPG
            -----END PGP MESSAGE-----
          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
        - created_at: "2025-04-22T11:56:49Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA51kG++kLewoAQ//b3JTskIOENHA1W8uE5jqsyxPDVMJuXQNoHe2u0264kS8
            i2sC7SZa/Le98J9Gsl97CpA7xXVIcOWhma+6PTzrsaonn//nJyuh8YOfWAb/ZF4o
            ijtd7etTLcA9Hb1iRUek5oD7tXWiGhl+ROR3xd7Al+nzQmTpvHju+HFWJboWA7RC
            6PkusF1UAe39ZhZwxX2Hh8XdFfQdcrtFNIp7+TjMCO2Im54aBTRKLrz7aHlrjrgN
            tie1RAdDwEqZ0Zoh3jezpkQW+9aKtkTtiG5BLmQYhVPUN5GTKMMwKoiYNMEdNUWx
            s9SXiepDc9ZbdjiwGUig9pmuaKrPTSRh6kbmAWHyMKfwG4WZSgbh9gW0sU69rLdQ
            onaGRkIS87If6AgE0dCxOgcNZEiUQE1Rj8Ie/XtR6ufKNUdSAsbJSoKIja4MQdKl
            1BM2YJ5eD52e2J0XJJgLchW0nf7C+3Sil/wIRvU0k/lMniMHvXjWGfY5/v2TUF3Y
            R3Ng6KsaaIRGW5pWzAA5vBDjOlDaPdWYvWd+ZZ96cd0ToxgMpEDLGOBAOhBZGP95
            knqqsVTKswD3vy5h5bwevTxRdrPsmD+g26SbLZDYllRklNasGgfcf0CBydcftUHo
            ePHC1ThKpC0Eb80fxLvAyyW+O8LjqjGWK+q7pVGE8eZ7B5XGQRSfzQRuNmc1aIjS
            XAGtAlz0mJffgqHnOW++8CZjiUKWb5iSJuMqBcGPMuqz9nLBAP/n4/vw6nH4irAF
            qL1fkj4yurE7yMmBjYEWi+I+D66g6xpKvEWTyDGeiiqUD8nZXGojT7bWz072
            =zIA5
            -----END PGP MESSAGE-----
          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
    encrypted_regex: ^(data|stringData)$
    version: 3.10.1
--- a/clusters/titan.lan.huizinga.dev/apps.yaml
+++ b/clusters/titan.lan.huizinga.dev/apps.yaml
@ -3,18 +3,9 @@ kind: Kustomization
 metadata:
  name: apps
  namespace: flux-system
  labels:
    alert: flux-infra
 spec:
  dependsOn:
-    - name: traefik
+    - name: infra-configs
    - name: authelia-controller
    - name: lldap-controller
    - name: cnpg
    - name: dragonflydb
    - name: rook-ceph-cluster
    - name: akri
    - name: lldap
  decryption:
    provider: sops
    secretRef:
@ -25,11 +16,11 @@ spec:
    kind: GitRepository
    name: flux-system
  postBuild:
-    substituteFrom:
+    substitute:
-      - kind: ConfigMap
+      domain: staging.huizinga.dev
-        name: domain-vars
+      # Specifically for authelia
      subdomain: .staging
      topdomain: huizinga.dev
  path: ./apps
  prune: true
  wait: true
  # Uncomment this in case of disaster recovery
  # suspend: true
--- a/clusters/titan.lan.huizinga.dev/apps/siranga.yaml
+++ b/clusters/titan.lan.huizinga.dev/apps/siranga.yaml
@ -1,75 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: OCIRepository
 metadata:
  name: siranga
  namespace: flux-system
 spec:
  interval: 15m0s
  url: oci://git.huizinga.dev/dreaded_x/siranga/manifests
  ref:
    tag: latest
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: siranga
  namespace: flux-system
 spec:
  interval: 15m
  dependsOn:
    - name: traefik
    - name: letsencrypt
    - name: lldap-controller
    - name: authelia-controller
  prune: true
  timeout: 2m
  sourceRef:
    kind: OCIRepository
    name: siranga
  wait: true
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: domain-vars
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
 ---
 apiVersion: notification.toolkit.fluxcd.io/v1
 kind: Receiver
 metadata:
  name: siranga
  namespace: flux-system
 spec:
  type: generic
  secretRef:
    name: receiver
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1beta2
      kind: OCIRepository
      name: siranga
 ---
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
  name: siranga
  namespace: flux-system
 spec:
  type: gitea
  address: https://git.huizinga.dev/dreaded_x/siranga
  secretRef:
    name: gitea
 ---
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Alert
 metadata:
  name: siranga
  namespace: flux-system
 spec:
  providerRef:
    name: siranga
  eventSeverity: info
  eventSources:
    - kind: Kustomization
      name: siranga
--- a/clusters/titan.lan.huizinga.dev/apps/test-app.yaml
+++ b/clusters/titan.lan.huizinga.dev/apps/test-app.yaml
@ -1,30 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: OCIRepository
 metadata:
  name: test-app
  namespace: flux-system
 spec:
  interval: 1m0s
  url: oci://git.huizinga.dev/dreaded_x/test-app/manifests
  ref:
    tag: latest
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: test-app
  namespace: flux-system
 spec:
  interval: 15m
  dependsOn:
    - name: traefik
  prune: true
  timeout: 2m
  sourceRef:
    kind: OCIRepository
    name: test-app
  wait: true
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: domain-vars
--- a/clusters/titan.lan.huizinga.dev/flux-system/config-map-domain-vars.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/config-map-domain-vars.yaml
@ -1,10 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: domain-vars
  namespace: flux-system
 data:
  domain: staging.huizinga.dev
  # Specifically for authelia
  subdomain: .staging
  topdomain: huizinga.dev
--- a/clusters/titan.lan.huizinga.dev/flux-system/gotk-components.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/gotk-components.yaml
--- a/clusters/titan.lan.huizinga.dev/flux-system/ingress.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/ingress.yaml
@ -1,23 +0,0 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: flux-webhook
  namespace: flux-system
  annotations:
    traefik.ingress.kubernetes.io/router.entryPoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
  ingressClassName: traefik
  rules:
    - host: flux.${domain}
      http:
        paths:
          - backend:
              service:
                name: webhook-receiver
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - secretName: ${domain//./-}-tls
--- a/clusters/titan.lan.huizinga.dev/flux-system/kustomization.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/kustomization.yaml
@ -1,11 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./gotk-components.yaml
+  - gotk-components.yaml
-  - ./gotk-sync.yaml
+  - gotk-sync.yaml
  - ./config-map-domain-vars.yaml
  - ./ingress.yaml
  - ./secret-receiver.yaml
  - ./receiver.yaml
 patches:
-  - path: patches.yaml
+  - path: sops-overlay.yaml
--- a/clusters/titan.lan.huizinga.dev/flux-system/receiver.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/receiver.yaml
@ -1,16 +0,0 @@
 apiVersion: notification.toolkit.fluxcd.io/v1
 kind: Receiver
 metadata:
  name: flux-infra
  namespace: flux-system
 spec:
  type: github
  events:
    - "ping"
    - "push"
  secretRef:
    name: receiver
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1
      kind: GitRepository
      name: flux-system
--- a/clusters/titan.lan.huizinga.dev/flux-system/secret-receiver.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/secret-receiver.yaml
@ -1,54 +0,0 @@
 apiVersion: v1
 data:
    token: ENC[AES256_GCM,data:Nd4t7LkkCe9pd/ilITlwZpmpF+oRmMfIbgbEiAzTK+OWUb4q37bBzGvhc3V70soS7XmpU13lJwo=,iv:qMoW9dsDauSEsw7GjuCSmsCy3k54jt5x/nngSdGiErg=,tag:ZTkP8IGT+DOJLfO+gIX2xg==,type:str]
 kind: Secret
 metadata:
    name: receiver
    namespace: flux-system
 sops:
    lastmodified: "2025-04-23T17:01:23Z"
    mac: ENC[AES256_GCM,data:blRYui9FBvet9nuOUEPaMLLzD6CvX7pDZQEtQV5jLfKqLWEBFXUA13zqTrxtH1slGOzif1xshGqjOgsxREvEdb4Y8uSfoWSPuhkPI4WuRESjyYsVHUlP0fOIdE/CNc/xT4wTxxsvZ46ShGCMZ/QN29XsQ04nwHaEsTmYMqtgsBM=,iv:Km0FIruKN+N0Hsat4QaTBCCAHMQz5IiYkTKG2IGILUI=,tag:A1v4kEs46vz2Cm9ZN5Qw1g==,type:str]
    pgp:
        - created_at: "2025-04-23T17:01:23Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7pKPTYH5bqOARAAwZ69AwI2iTOboLpzZmW41EngGkhPKGghGFssiyfWbXqR
            dtNG+wG371TF9nUMoLagJEqTUGRVX8xznG7R68QhVd85C1iswrNJjZ55nnJKf0IN
            aRcLp3xsZuWPefOFadaJglRtgLnmCtPNur1TmPXR4V94ycOe1wBTSbvheTs73h6M
            LBfRBruv2ttJsrcmI2az57KgOrIQnPu/z/NSEbc2GM3CU7/Z9ChWt+b5WEyv/7Sp
            Sp0ohmC9HputBFGueC6Hw08+152C8yn3BpJhMhiWcCEryNiwKawf/n2UFJ8gk86/
            5CkRX1CWRtz8nRIfmiwU5IBd5aMXhK684/1lTtdshHGEhSbaGA9N6lK70vdrfVl+
            euaQkqyCy2sFkhz0EvcK+PTGxnueQ4UuO01l5yRG/ZUdjzYVh9fpx3RoMnJaBctx
            l63LUG+xXSwR0xy4JIkrWyFDwIyGAebxbtQ8QUeLkmMzHyUx8tOL0qfKd8qkEFwg
            eJWh0guYllSldgP5h7bJXOTej3ZrP9yC1WY3z2wHu+415/eCpwucFCu/A5QnJXnA
            YLTE2CIwdDpj5XjjwQwmTNpBgfQ/csHJua40CURJbsYhk4HfqbHNdjEc5kkem/3L
            PrtA/d59iwy3Vjkn1xmrcX+od3qXRFVDwMjaCleAXi3dnsfN619j8PrZh2bkUyHU
            aAEJAhD1hSP/yZbfctLVNBCXT3HE8bLlAp82zYsqwx7UJWOhv4saodU1Zm13CWdk
            nlbN8v3w5o19Xo85rt4YB091dGliTAAQ2CfvsCLRO4ZjO6N2F4KSCSTO0jLSJkce
            hly9/ZsJAtXB
            =GCZA
            -----END PGP MESSAGE-----
          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
        - created_at: "2025-04-23T17:01:23Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA51kG++kLewoARAA5IO7TXG5xkv+mlSwFBDbldn5jPy9E1+HbZHp+4CmRquI
            ONPEeDZgh3n+Fr87OMUKMKfgdEpjdE+l80rCmF7zgaVNqLscRcLJ17k14XfbpsrG
            wsp5gsvymGh6sllUopetugvzd6gdxEianuhKU6DYJMM+X/nPTDsa5wHazRzPQxS/
            8zp9tlPWt0HkZelBKXmLoYofZBakZOqZstQvhB0SSjC0BVpQN5WIfh1ES6uoBxhY
            ddA0R34r1jwXWDE2UqD1Rx12H3TzUxdPGGw5rQKsEZSuEwxfxqjUAsn29ARR88qU
            FlvSsy+FW7/6HeTcxwS1IMyZfNwRKQYLkzcwqf+OsrrjqTSBPCt8rcMoDVH3vxdf
            wazu/vqoM1mwkUlogEF/M/SITEO9nJzrkAihAr6OJgfTJqi8RJffxoXQ8gAfan2J
            wYMkcTxPNnskyZMUr2onotdnqdVSMgR2vwnsvIfSWUSx4eMpK8wO2xQm60hAXNHx
            QCVcTz7sMDu6nD3xsvJs5D67YnkrLuqnuNeHQqSsREPv132kKIpEhAZop0MYk8ld
            798jafK8xCzasbIZqDRzSqUUK/Z/J4EN8A4zRY5EtcbXdKHpKkUYuX/Sb7y2FAQR
            JMV3uqLxJoz4mqUM0VJBt77Del5YQ5LeqE8aHMBDNtfjAdmK/2xg7BuGuromZYzS
            XgFxwGfX791vSkUJ/z+7Nf3QmAKBXOuEYaYJbcZ5pFbKKdcfI8iEfL7utVQ59U2k
            4BLB7aChrp8J795YQna+YgPybK5NR00FX6qLJiZAp56MdcvncJ8s42/epRWRusk=
            =8ak0
            -----END PGP MESSAGE-----
          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
    encrypted_regex: ^(data|stringData)$
    version: 3.10.1
--- a/clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml
+++ b/clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml
@ -3,14 +3,8 @@ kind: Kustomization
 metadata:
  name: flux-system
  namespace: flux-system
  labels:
    alert: flux-infra
 spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: domain-vars
--- a/clusters/titan.lan.huizinga.dev/infra/kustomization.yaml
+++ b/clusters/titan.lan.huizinga.dev/infra/kustomization.yaml
@ -1,21 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./../../../infra/akri
  - ./../../../infra/authelia
  - ./../../../infra/cert-manager
  - ./../../../infra/cnpg
  - ./../../../infra/descheduler.yaml
  - ./../../../infra/dragonflydb.yaml
  - ./../../../infra/external-snapshotter.yaml
  - ./../../../infra/intel-device-plugins.yaml
  - ./../../../infra/kube-vip
  - ./../../../infra/kyverno
  - ./../../../infra/lldap
  - ./../../../infra/loki
  - ./../../../infra/node-feature-discovery
  - ./../../../infra/rook-ceph
  - ./../../../infra/topolvm
  - ./../../../infra/traefik
  - ./../../../infra/velero
--- a/clusters/titan.lan.huizinga.dev/infrastructure.yaml
+++ b/clusters/titan.lan.huizinga.dev/infrastructure.yaml
@ -0,0 +1,50 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: infra-controllers
  namespace: flux-system
 spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
  interval: 1h
  retryInterval: 1m
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./infrastructure/controllers
  prune: true
  wait: true
  patches:
    - patch: |
        - op: add
          path: /spec/values/service/spec/loadBalancerIP
          value: 10.0.2.2
      target:
        kind: HelmRelease
        name: traefik
        namespace: traefik
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: infra-configs
  namespace: flux-system
 spec:
  dependsOn:
    - name: infra-controllers
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
  interval: 1h
  retryInterval: 1m
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./infrastructure/configs
  prune: true
  wait: true
--- a/clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.app.enp2s0.yaml
+++ b/clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.app.enp2s0.yaml
@ -1,19 +1,22 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  creationTimestamp: null
  labels:
-    app.kubernetes.io/name: kube-vip
+    app.kubernetes.io/name: kube-vip-ds
-    app.kubernetes.io/version: v0.9.0
+    app.kubernetes.io/version: v0.8.3
-  name: kube-vip
+  name: kube-vip-ds-enp2s0
  namespace: kube-system
 spec:
  selector:
    matchLabels:
-      app.kubernetes.io/name: kube-vip
+      app.kubernetes.io/name: kube-vip-ds
  template:
    metadata:
      creationTimestamp: null
      labels:
-        app.kubernetes.io/name: kube-vip
+        app.kubernetes.io/name: kube-vip-ds
-        app.kubernetes.io/version: v0.9.0
+        app.kubernetes.io/version: v0.8.3
    spec:
      affinity:
        nodeAffinity:
@ -25,9 +28,8 @@ spec:
              - matchExpressions:
                  - key: node-role.kubernetes.io/control-plane
                    operator: Exists
-              - matchExpressions:
+      nodeSelector:
-                  - key: feature.node.kubernetes.io/network-adapter
+        vip_interface: enp2s0
                    operator: Exists
      containers:
        - args:
            - manager
@ -41,10 +43,8 @@ spec:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: vip_interface
-              valueFrom:
+              value: enp2s0
-                fieldRef:
+            - name: vip_cidr
                  fieldPath: metadata.annotations['feature.node.kubernetes.io/network-adapter']
            - name: vip_subnet
              value: "32"
            - name: dns_mode
              value: first
@ -72,9 +72,7 @@ spec:
              value: 10.0.2.1
            - name: prometheus_server
              value: :2112
-            - name: enableUPNP
+          image: ghcr.io/kube-vip/kube-vip:v0.8.3
              value: "true"
          image: ghcr.io/kube-vip/kube-vip:v0.9.0
          imagePullPolicy: IfNotPresent
          name: kube-vip
          resources: {}
@ -83,8 +81,6 @@ spec:
              add:
                - NET_ADMIN
                - NET_RAW
              drop:
                - ALL
      hostNetwork: true
      serviceAccountName: kube-vip
      tolerations:
--- a/clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.app.enp3s0.yaml
+++ b/clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.app.enp3s0.yaml
@ -0,0 +1,91 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  creationTimestamp: null
  labels:
    app.kubernetes.io/name: kube-vip-ds
    app.kubernetes.io/version: v0.8.3
  name: kube-vip-ds-enp3s0
  namespace: kube-system
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: kube-vip-ds
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/name: kube-vip-ds
        app.kubernetes.io/version: v0.8.3
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/master
                    operator: Exists
              - matchExpressions:
                  - key: node-role.kubernetes.io/control-plane
                    operator: Exists
      nodeSelector:
        vip_interface: enp3s0
      containers:
        - args:
            - manager
          env:
            - name: vip_arp
              value: "true"
            - name: port
              value: "6443"
            - name: vip_nodename
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: vip_interface
              value: enp3s0
            - name: vip_cidr
              value: "32"
            - name: dns_mode
              value: first
            - name: cp_enable
              value: "true"
            - name: cp_namespace
              value: kube-system
            - name: svc_enable
              value: "true"
            - name: svc_election
              value: "true"
            - name: svc_leasename
              value: plndr-svcs-lock
            - name: vip_leaderelection
              value: "true"
            - name: vip_leasename
              value: plndr-cp-lock
            - name: vip_leaseduration
              value: "5"
            - name: vip_renewdeadline
              value: "3"
            - name: vip_retryperiod
              value: "1"
            - name: address
              value: 10.0.2.1
            - name: prometheus_server
              value: :2112
          image: ghcr.io/kube-vip/kube-vip:v0.8.3
          imagePullPolicy: IfNotPresent
          name: kube-vip
          resources: {}
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
      hostNetwork: true
      serviceAccountName: kube-vip
      tolerations:
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
  updateStrategy: {}
--- a/clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.config.yaml
+++ b/clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.config.yaml
@ -0,0 +1,9 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: kubevip
  namespace: kube-system
 data:
  # 10.0.2.1 is reserved for control plane
  # 10.0.2.2 is reserved for traefik
  range-global: 10.0.2.3-10.0.2.254
--- a/clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.rbac.yaml
+++ b/clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.rbac.yaml
@ -1,3 +1,9 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: kube-vip
  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -10,13 +16,26 @@ rules:
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["services", "endpoints"]
-    verbs: ["list", "get", "watch", "update"]
+    verbs: ["list","get","watch", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
-    verbs: ["list", "get", "watch", "update", "patch"]
+    verbs: ["list","get","watch", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["list", "get", "watch", "update", "create"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
-    verbs: ["list", "get", "watch", "update"]
+    verbs: ["list","get","watch", "update"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: system:kube-vip-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-vip-role
 subjects:
 - kind: ServiceAccount
  name: kube-vip
  namespace: kube-system
--- a/clusters/titan.lan.huizinga.dev/kube-vip/kustomization.yaml
+++ b/clusters/titan.lan.huizinga.dev/kube-vip/kustomization.yaml
@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - kube-vip.rbac.yaml
  - kube-vip.app.enp3s0.yaml
  - kube-vip.app.enp2s0.yaml
  - https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/refs/tags/v0.0.10/manifest/kube-vip-cloud-controller.yaml
  - kube-vip.config.yaml
--- a/common/dragonflydb/kustomization.yaml
+++ b/common/dragonflydb/kustomization.yaml
@ -1,4 +1,4 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
+apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Kustomization
+kind: Component
 resources:
  - ./database.yaml
--- a/common/name-reference/helm-release.yaml
+++ b/common/name-reference/helm-release.yaml
@ -1,7 +0,0 @@
 # This makes sure the field in the HelmRelease is recognized as a ConfigMap
 nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
--- a/common/postgres/b2-access-key.yaml
+++ b/common/postgres/b2-access-key.yaml
@ -0,0 +1,60 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: b2-access-key
 type: Opaque
 data:
    ACCESS_KEY_ID: ENC[AES256_GCM,data:YpYkexRxH4mVyufrS/Blw3PSrU9H1eO3O6urN9tCZvYBenp7,iv:1ka5Otp0u4HJ5WC3yj+YJLAQC0Cy8Y2vWGqxLSaAGfM=,tag:8SKOcUoUuOWLm0Na2r7Hfw==,type:str]
    ACCESS_SECRET_KEY: ENC[AES256_GCM,data:8Q2QsCpe/yiWmETVnIROJe0uiY7gMzQF4e8PiaF2vAgqkNq/oT8ku21bWCQ=,iv:635wzxp/XJ0zoxw9n63km38LdqDcebfU/ltLzN/bHPc=,tag:nGfKtpf8qzNyO3bDbbtn/A==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
    lastmodified: "2024-11-15T01:21:23Z"
    mac: ENC[AES256_GCM,data:K8ATLj5nZfibvMPXR3ls7zXav0IVxSajyeFb/Qs/P3pPfHQ1p5ZRWaWTuNAFST04ynZ5BOcZyZCi9niMSZOGYBnDtOiJQAT1t3RxYS6j2X2HDX+nFTW6e4uDSOZMWk1poLP5lgBRvYxjsaco6X9F0hdvF7T7xvm7IHbHY7HAckg=,iv:C/bCoZKYy8gudmH8D/5R/MWlkC1ORlWZIvntjqt2dRk=,tag:yJsg7jj6p066CDzPXntOzA==,type:str]
    pgp:
        - created_at: "2024-10-10T22:08:04Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7pKPTYH5bqOAQ/+MJi/46q5TyjE0mqUfgmx90mYGchNQCvOHOdZJT2E2s2Z
            DbqyrI5Bx+EauTl4eYhlMS9Xza/mL5I99GX/49FRpgvfmCwbM/aeOdq/CPWE771n
            iylxE6uj0VVQGCazcO84Gg8CUxW3+dtNBbIUQYRxmQST6Pbg/lrmlXF5wDUfEueT
            5FkfOZA7py3TyxUB4tcFA13e10CRFC1a7KHvfZm4ISs/1L97tsr0aZNgwCmHZodO
            5fcm6poWtXEo16N/4XC8CI0z7unqNVRSgvpvVBHCvULkq4abznho2abkForNNkvv
            GaN1Zcq8GIclVexMxaSC0M7BFfOdhmCDXuOdkKP/K1etL9UGGBdo7g5WJ7eqAiKN
            Xs43VRijJsltIrTui/0s8zVIRzLfxTYGR2JtSnLuFaMGkKAijR34RsC9hXol+OB1
            OAxGVzGfAR8wdgmShV9SPSOl3CtT6317YGuzjzkSbryJ2oYqR4zjV9jXgIEtuDZF
            r6RITshhvata0w+e6tHSMYmnsF9YD4LbpGQmLm7r/A5ibBsE/2ZoUGBxNrb68YW1
            vQmD2Ywv/Soe4f2Vj7vXJewrrJ1F0NPV/43sxl9lZB9JVMC6c8pMv7hndVq7dofn
            dbqVXXeGd+Os/5X0P2yjlJYBjrMpFsg2tNi5dA5gUJ9uXqzNtSFx7ma9uJ4sX3zU
            ZgEJAhDRzwccDHXa3D3+FBVJFbwN80G30Z6hS225mpIrBXqkElDH8hGs7KGkdIP5
            O6CcZKt+j2R+40J0iJIcy1s211qgkzzDgtUaM1yAlVM8t3JpnykjhLp8mMzytOC1
            rag4GdeG4Q==
            =9TAG
            -----END PGP MESSAGE-----
          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
        - created_at: "2024-10-10T22:08:04Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA51kG++kLewoAQ//fPw1ZgguXCZSLBnl4J/d4IZok6l4TdnbySDOKTOnZUi0
            xyDusr9kdrEdDb4nYUT3PBrxEC2DsKDIJJSwUgLTZB6moIJgHPa51qermyGgqhKU
            c4vyYCMKAJyS6rOoU5fsPb+kJS52ltBLEmyO7JndM32CFmfyq4iwphNcheJE7qFW
            xBmEtsJBPh4P1ysFQtG0DH8iroAYvsI4HLJw6+pdy/rI3zu3LDmiOnEidGz685BB
            gbYj+bJV2gIBGdSWqsjuAJh37dfP9143Hwvz57raA+uqVPtaTaywGuEyDE7E8B7U
            LdxATRKDdRp9+ytdn+UBeZQPYolKhv2bOgm4tzBq/VGmm/11nZbXyv69vgooOqnf
            YYPg3VGnqpaGmxy94EFuLCWvD0ZO7rMQMOoz0vZRHGNYsye2tUOF/F6eIzhehh3+
            AhGSrGDZa5HM41dLsTrNnb8YbzGKqljVJyWvORfIniW6RONIuFrz3/Pe4jjnM+Dm
            Y8z033SmAm5JT2Jhc/tb9LvYbVQzfrUWImh9qcVGOU5RqvB13VOCaNHmt33crMjg
            KFMhBJ5F3ftqe3JiK+6KOuS9g2wd3M5VM5qLHBLr7qTDb5q/JKsBIY7AcLsVyYNx
            T3OynFuAkiYVTe4CuXCSrbVPXd9XkV/dDdQh+5ZR8nxo0/TkpnAwwGdh9hFsOtLS
            XAEXagTFsM3Cl3T45ehYSPt6oyfx5dwKkQ8wxaqSWIkrvTla/ofOD9xemsBfYNku
            b9vLFfbry8J+p5H9fEtS9/co4xYmajP/Mzq54JflEHqt/ej0MTxnNB5m+a45
            =CFmy
            -----END PGP MESSAGE-----
          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
    encrypted_regex: ^(data|stringData)$
    version: 3.9.0
--- a/common/postgres/cluster.yaml
+++ b/common/postgres/cluster.yaml
@ -1,14 +0,0 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: postgres
 spec:
  instances: 2
  storage:
    size: 8Gi
    storageClass: topolvm-provisioner
  affinity:
    topologyKey: kubernetes.io/hostname
    podAntiAffinityType: required
--- a/common/postgres/database.yaml
+++ b/common/postgres/database.yaml
@ -0,0 +1,35 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: -db
 spec:
  chart:
    spec:
      chart: cluster
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: cnpg
        namespace: cnpg-system
      version: 0.0.11
  interval: 1m0s
  values:
    type: postgresql
    mode: standalone
    cluster:
      instances: 2
      affinity:
        topologyKey: kubernetes.io/hostname
        podAntiAffinityType: required
      storage:
        storageClass: piraeus-storage
    backups:
      enabled: true
      provider: s3
      endpointURL: https://s3.us-west-002.backblazeb2.com
      s3:
        bucket: titan-k3s-backup
        path: /postgres
      secret:
        create: false
        name: b2-access-key
--- a/common/postgres/kustomization.yaml
+++ b/common/postgres/kustomization.yaml
@ -1,4 +1,7 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
+apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Kustomization
+kind: Component
 resources:
-  - ./cluster.yaml
+  - ./database.yaml
  - ./b2-access-key.yaml
 replacements:
  - path: replacement.yaml
--- a/common/postgres/replacement.yaml
+++ b/common/postgres/replacement.yaml
@ -0,0 +1,12 @@
 source:
  kind: Namespace
  fieldPath: metadata.name
 targets:
  - select:
      kind: HelmRelease
      name: -db
    fieldPaths:
      - metadata.name
    options:
      delimiter: "-"
      index: 0
--- a/infra/akri/akri.yaml
+++ b/infra/akri/akri.yaml
@ -1,16 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: akri
  namespace: flux-system
  labels:
    alert: flux-infra
 spec:
  interval: 15m
  path: ./infra/akri/akri
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: true
--- a/infra/akri/akri/helm-release.yaml
+++ b/infra/akri/akri/helm-release.yaml
@ -1,18 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: akri
 spec:
  chart:
    spec:
      chart: akri
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: akri
      version: 0.13.8
  interval: 15m
  timeout: 5m
  valuesFrom:
    - kind: ConfigMap
      name: akri-values
--- a/infra/akri/akri/helm-repository.yaml
+++ b/infra/akri/akri/helm-repository.yaml
@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: akri
 spec:
  interval: 15m
  timeout: 2m
  url: https://project-akri.github.io/akri/
--- a/infra/akri/akri/kustomization.yaml
+++ b/infra/akri/akri/kustomization.yaml
@ -1,15 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: akri
 resources:
  - ./namespace.yaml
  - ./helm-repository.yaml
  - ./helm-release.yaml
 configurations:
  - ../../../common/name-reference/helm-release.yaml
 configMapGenerator:
  - name: akri-values
    files:
      - ./values.yaml
--- a/infra/akri/akri/namespace.yaml
+++ b/infra/akri/akri/namespace.yaml
@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: akri
--- a/infra/akri/akri/values.yaml
+++ b/infra/akri/akri/values.yaml
@ -1,3 +0,0 @@
 udev:
  discovery:
    enabled: true
--- a/infra/akri/kustomization.yaml
+++ b/infra/akri/kustomization.yaml
@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./akri.yaml
--- a/infra/authelia/authelia-controller.yaml
+++ b/infra/authelia/authelia-controller.yaml
@ -1,62 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: OCIRepository
 metadata:
  name: authelia-controller
  namespace: flux-system
 spec:
  interval: 15m0s
  url: oci://git.huizinga.dev/dreaded_x/authelia-controller/manifests
  ref:
    tag: edge
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: authelia-controller
  namespace: flux-system
 spec:
  interval: 15m
  prune: true
  timeout: 2m
  sourceRef:
    kind: OCIRepository
    name: authelia-controller
  wait: true
 ---
 apiVersion: notification.toolkit.fluxcd.io/v1
 kind: Receiver
 metadata:
  name: authelia-controller
  namespace: flux-system
 spec:
  type: generic
  secretRef:
    name: receiver
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1beta2
      kind: OCIRepository
      name: authelia-controller
 ---
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Provider
 metadata:
  name: authelia-controller
  namespace: flux-system
 spec:
  type: gitea
  address: https://git.huizinga.dev/dreaded_x/authelia-controller
  secretRef:
    name: gitea
 ---
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
 kind: Alert
 metadata:
  name: authelia-controller
  namespace: flux-system
 spec:
  providerRef:
    name: authelia-controller
  eventSeverity: info
  eventSources:
    - kind: Kustomization
      name: authelia-controller
--- a/infra/authelia/authelia.yaml
+++ b/infra/authelia/authelia.yaml
@ -1,30 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: authelia
  namespace: flux-system
  labels:
    alert: flux-infra
 spec:
  interval: 15m
  path: ./infra/authelia/authelia
  dependsOn:
    - name: traefik
    - name: cnpg
    - name: dragonflydb
    - name: kyverno-policies
    - name: lldap-controller
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: true
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: domain-vars
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
--- a/infra/authelia/authelia/helm-release.yaml
+++ b/infra/authelia/authelia/helm-release.yaml
@ -1,17 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: authelia
 spec:
  chart:
    spec:
      chart: authelia
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: authelia
      version: 0.9.16
  interval: 15m
  valuesFrom:
    - kind: ConfigMap
      name: authelia-values
--- a/infra/authelia/authelia/kustomization.yaml
+++ b/infra/authelia/authelia/kustomization.yaml
@ -1,18 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: authelia
 resources:
  - ./namespace.yaml
  - ./helm-repository.yaml
  - ./helm-release.yaml
  - ./service-user.yaml
  - ../../../common/postgres
  - ../../../common/dragonflydb
 configurations:
  - ../../../common/name-reference/helm-release.yaml
 configMapGenerator:
  - name: authelia-values
    files:
      - ./values.yaml
--- a/infra/authelia/authelia/service-user.yaml
+++ b/infra/authelia/authelia/service-user.yaml
@ -1,5 +0,0 @@
 apiVersion: lldap.huizinga.dev/v1
 kind: ServiceUser
 metadata:
  name: authelia
 spec: {}
--- a/infra/authelia/authelia/values.yaml
+++ b/infra/authelia/authelia/values.yaml
@ -1,69 +0,0 @@
 pod:
  kind: Deployment
  replicas: 2
 ingress:
  enabled: true
  tls:
    enabled: true
    secret: ${domain//./-}-tls
  traefikCRD:
    enabled: true
    entryPoints:
      - websecure
 secret:
  additionalSecrets:
    postgres-app:
      key: postgres-app
    authelia-lldap-credentials:
      key: authelia-lldap-credentials
 configMap:
  log:
    level: debug
  authentication_backend:
    ldap:
      enabled: true
      implementation: lldap
      address: ldap://lldap.lldap.svc.cluster.local:3890
      base_dn: dc=huizinga,dc=dev
      additional_users_dn: ou=people
      users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
      additional_groups_dn: ou=groups
      groups_filter: "(member={dn})"
      attributes:
        display_name: displayName
        username: uid
        group_name: cn
        mail: mail
      user: uid=authelia.authelia,ou=people,dc=huizinga,dc=dev
      password:
        secret_name: authelia-lldap-credentials
        path: password
  session:
    cookies:
      - subdomain: login${subdomain}
        domain: ${topdomain}
    redis:
      enabled: true
      host: dragonflydb.authelia
  storage:
    postgres:
      enabled: true
      address: tcp://postgres-rw.authelia:5432
      database: app
      username: app
      password:
        secret_name: postgres-app
        path: password
  notifier:
    filesystem:
      enabled: true
  access_control:
    secret:
      existingSecret: authelia-acl
--- a/infra/authelia/kustomization.yaml
+++ b/infra/authelia/kustomization.yaml
@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./authelia-controller.yaml
  - ./authelia.yaml
--- a/infra/cert-manager/cert-manager.yaml
+++ b/infra/cert-manager/cert-manager.yaml
@ -1,16 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: cert-manager
  namespace: flux-system
  labels:
    alert: flux-infra
 spec:
  interval: 15m
  path: ./infra/cert-manager/cert-manager
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: true
--- a/infra/cert-manager/cert-manager/helm-release.yaml
+++ b/infra/cert-manager/cert-manager/helm-release.yaml
@ -1,18 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: cert-manager
 spec:
  chart:
    spec:
      chart: cert-manager
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: jetstack
      version: v1.16.4
  interval: 15m
  timeout: 5m
  valuesFrom:
    - kind: ConfigMap
      name: cert-manager-values
--- a/infra/cert-manager/cert-manager/helm-repository.yaml
+++ b/infra/cert-manager/cert-manager/helm-repository.yaml
@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: jetstack
 spec:
  interval: 15m
  timeout: 2m
  url: https://charts.jetstack.io
--- a/infra/cert-manager/cert-manager/kustomization.yaml
+++ b/infra/cert-manager/cert-manager/kustomization.yaml
@ -1,15 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: cert-manager
 resources:
  - ./namespace.yaml
  - ./helm-repository.yaml
  - ./helm-release.yaml
 configurations:
  - ../../../common/name-reference/helm-release.yaml
 configMapGenerator:
  - name: cert-manager-values
    files:
      - ./values.yaml
--- a/infra/cert-manager/cert-manager/namespace.yaml
+++ b/infra/cert-manager/cert-manager/namespace.yaml
@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cert-manager
--- a/infra/cert-manager/cert-manager/values.yaml
+++ b/infra/cert-manager/cert-manager/values.yaml
@ -1,14 +0,0 @@
 installCRDs: true
 replicaCount: 2
 webhook:
  replicaCount: 2
 cainjector:
  replicaCount: 2
 extraArgs:
  - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
  - --dns01-recursive-nameservers-only
 podDnsPolicy: None
 podDnsConfig:
  nameservers:
    - "1.1.1.1"
    - "9.9.9.9"
--- a/infra/cert-manager/kustomization.yaml
+++ b/infra/cert-manager/kustomization.yaml
@ -1,5 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./cert-manager.yaml
  - ./letsencrypt.yaml
--- a/infra/cert-manager/letsencrypt.yaml
+++ b/infra/cert-manager/letsencrypt.yaml
@ -1,22 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: letsencrypt
  namespace: flux-system
  labels:
    alert: flux-infra
 spec:
  interval: 15m
  path: ./infra/cert-manager/letsencrypt
  dependsOn:
    - name: cert-manager
  prune: true
  timeout: 10m
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: true
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
--- a/infra/cert-manager/letsencrypt/certificate-huizinga-dev.yaml
+++ b/infra/cert-manager/letsencrypt/certificate-huizinga-dev.yaml
@ -1,14 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: huizinga-dev
  namespace: letsencrypt
 spec:
  secretName: huizinga-dev-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: "huizinga.dev"
  dnsNames:
    - "huizinga.dev"
    - "*.huizinga.dev"
--- a/infra/cert-manager/letsencrypt/certificate-staging-huizinga-dev.yaml
+++ b/infra/cert-manager/letsencrypt/certificate-staging-huizinga-dev.yaml
@ -1,14 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: staging-huizinga-dev
  namespace: letsencrypt
 spec:
  secretName: staging-huizinga-dev-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: "staging.huizinga.dev"
  dnsNames:
    - "staging.huizinga.dev"
    - "*.staging.huizinga.dev"
--- a/infra/cert-manager/letsencrypt/kustomization.yaml
+++ b/infra/cert-manager/letsencrypt/kustomization.yaml
@ -1,8 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./namespace.yaml
  - ./secret-cloudflare-token.yaml
  - ./cluster-issuer.yaml
  - ./certificate-staging-huizinga-dev.yaml
  - ./certificate-huizinga-dev.yaml
--- a/infra/cert-manager/letsencrypt/namespace.yaml
+++ b/infra/cert-manager/letsencrypt/namespace.yaml
@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: letsencrypt
--- a/infra/cert-manager/letsencrypt/secret-cloudflare-token.yaml
+++ b/infra/cert-manager/letsencrypt/secret-cloudflare-token.yaml
@ -1,60 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: cloudflare-token
  namespace: cert-manager
 type: Opaque
 stringData:
  token: ENC[AES256_GCM,data:1QSjQJrky3AOQv9Bf8ifvfgeYCh3DvPtCWNLKEY/eEpzPsJKD7MYwQ==,iv:MbWKNj13K25TiP1MPfJMaM1P3Qpy3TE+dWnbF5Gpr3Y=,tag:IMRRhh2nwT40rjVDAgBhrw==,type:str]
 sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age: []
  lastmodified: "2025-02-15T21:32:18Z"
  mac: ENC[AES256_GCM,data:hYqyrhnrwpvEcJGMIfjSpbIvQ3NHukCDhRB2Zf7vifKYqQyd0hSmh6aeDPdARwdoiybQIuW6pa3SXOY4V1LgOYx6U36HOsDBe5ENQyXV0z5RID+H/nfZmcqj2pfRE8zpfAUhpcilCT8TMJpJSlaAh5kFl/6Z1feekVJLkxPYg30=,iv:FpZ8rDrvNACc+mgR6JNXmTNFXJt6es896n4xkLKzN/s=,tag:JW/OZHNBD+MEiRnhih1/fg==,type:str]
  pgp:
    - created_at: "2024-09-26T22:20:01Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMA7pKPTYH5bqOARAAl2y4yZJGsWORJ5jd2CopSW6yx8IsHqLKq3khYxHkPamu
        gjItOM/Gqep1QCJr4kxTkO7P0MaYi7ZGinuhishYu4xy1mom8WzJs/rA2cjW1UbF
        m8GoUGypaPtSsR1nQufgrO6JbIch3Tr498wBD7SvXIWTFpooalcERvVB3F4T4CeT
        gXIk+vSjvXkCmx4jgAVhpj249HQOk9nyX35UzcjaSOzYm9/vfs3vFRq8FXNRkGff
        +Ui/os4xTB4GiLgnvQ7t8FYTqvDfMVwgKI6VkOplpnP50mmTdKYRVe79Awvq1+/V
        UkkSHxmw5Zqj7nv8MoKIlYk2g+14NLz57i4zs2vK3cNqDAqezub7r/LRDcm5Haqp
        ZmI8B6VUNhveI7hKjm8ssMlOz6x3s7hvex6e+AWRqvbknusXXCiI9dhL73TXXmeZ
        yceIlg5T67PY2ysbpfuToyg6ihbkMo0bM1m/lQpA94yRx6EKO75AHvBaGxgDggSr
        Q8/DM3J729yqjHvXLL+2YGXVlRSpMlWb+AYi4YLmB/rsT2wBlPWE7m0c3/xQA3ld
        5b/CW/2JOfXlwnooXEMFICr9ExFeiOv4RTnNahOTVscnIsi5jSlYPkhWwKm6ughy
        oahJRi6wb6sJrleoPKRea+Pwh2qdEaQE/nFeBZeMMZxyLySQmkWoXJET7HQR3szU
        aAEJAhBFZF84NkBuqmo+A7z055hz1tEJSnjO6eZ/+jvX9pPkrAv/CqW9C8UeG3vt
        a6/XjnRVr38ZKAtNt3ebFwjzKZDLVyrANycnEp1PV7Pc8QvltJ88VS/wmWSP9Hj0
        BA11vpb7XvkU
        =XmSy
        -----END PGP MESSAGE-----
      fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
    - created_at: "2024-09-26T22:20:01Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----
        hQIMA51kG++kLewoAQ/+M1BLbAVU8kVgx/atZnWwjZtjukEc8vOFw4n9tscq0Dm3
        UzoOpbM1kaq5Hq8+e1mVFXMWLYgHnKjeSwBSiRCmZgFfvzPK63E5c6ZorKniTneZ
        T7BJwxmtEF8JG+N9O2SHmto4cWZcrHvmWS5jJ5ybUFlMiFp6z7fPBuOzhKvTMBsc
        IFHBBF0eMANUGwlpXuYJMTUECnFjvIxu/UXPMVBZ1HWHbIewYTRWXPQXeDxlJyk6
        YgtGChBZ8KRYNqX1kBi5AyIdjWA9+wrMtTVTghC+1eBTOm8TsmN280KBmB512li1
        HgexbmQkgItlJwyOV/7MTo19yzve72yYlqoIv3BSrwYfr0NDaQM0mhLAwcHC2R1R
        IAOzajlHtgbr3XBW0BxWMC4Ch23CatZE4WJlu/CJ07+aMCsSV4L+da7wopt0A9dx
        og0aPjUGq3MFmSet0kJKLJHS1JBSjf0LVnQjB5A451Wmndpoc2gZSpNtM4I2e2+7
        xe6RUB6oYjRyB0t771UMQ3sQrSN3cn2c8yuijLep837yvNqpRBR4bbc2XJdZIOMw
        sKEGIAMyJjCagQJa4c2YY0fksVSnhnYzjklfsx+PAvsW9EiWo26Vldp4zHYsVALD
        7yKAWGupRTTB2mTXg9wvoKRkOY8A3Lb9aG+xnrf967nJt9nCV9hPXs959dVw9+jS
        XgFCzdWtznuFA5wPJA3ko6lqLnE1HCIdgAo5ovQ4y3K9jkoVJsS2ADAnEy9Ac2uk
        uds32S29PQ9o+ReAIQKvTzFNmKSLbcsK/z6rGLh0WdqmqWg6kVidWvktDQHY86E=
        =cW8j
        -----END PGP MESSAGE-----
      fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
  encrypted_regex: ^(data|stringData)$
  version: 3.9.1
--- a/infra/cnpg/cnpg.yaml
+++ b/infra/cnpg/cnpg.yaml
@ -1,18 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: cnpg
  namespace: flux-system
  labels:
    alert: flux-infra
 spec:
  interval: 15m
  path: ./infra/cnpg/cnpg
  dependsOn:
    - name: topolvm
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: true
--- a/infra/cnpg/cnpg/helm-release.yaml
+++ b/infra/cnpg/cnpg/helm-release.yaml
@ -1,18 +0,0 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: cnpg
 spec:
  chart:
    spec:
      chart: cloudnative-pg
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: cnpg
      version: 0.22.0
  interval: 15m
  timeout: 5m
  valuesFrom:
    - kind: ConfigMap
      name: cnpg-values
--- a/infra/cnpg/cnpg/helm-repository.yaml
+++ b/infra/cnpg/cnpg/helm-repository.yaml
@ -1,8 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: cnpg
 spec:
  interval: 15m
  timeout: 2m
  url: https://cloudnative-pg.github.io/charts
--- a/infra/cnpg/cnpg/kustomization.yaml
+++ b/infra/cnpg/cnpg/kustomization.yaml
@ -1,14 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: cnpg-system
 resources:
  - ./namespace.yaml
  - ./helm-repository.yaml
  - ./helm-release.yaml
 configurations:
  - ../../../common/name-reference/helm-release.yaml
 configMapGenerator:
  - name: cnpg-values
    files:
      - ./values.yaml
--- a/infra/cnpg/cnpg/namespace.yaml
+++ b/infra/cnpg/cnpg/namespace.yaml
@ -1,4 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cnpg-system
--- a/infra/cnpg/cnpg/values.yaml
+++ b/infra/cnpg/cnpg/values.yaml
@ -1 +0,0 @@
 replicaCount: 2
--- a/infra/cnpg/kustomization.yaml
+++ b/infra/cnpg/kustomization.yaml
@ -1,4 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ./cnpg.yaml
--- a/infra/descheduler.yaml
+++ b/infra/descheduler.yaml
@ -1,25 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: descheduler
  namespace: flux-system
 spec:
  interval: 15m0s
  ref:
    tag: v0.32.2
  url: https://github.com/kubernetes-sigs/descheduler
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: descheduler
  namespace: flux-system
 spec:
  interval: 15m
  path: ./kubernetes/cronjob
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: descheduler
  wait: true
--- a/infra/dragonflydb.yaml
+++ b/infra/dragonflydb.yaml
@ -1,28 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: dragonflydb
  namespace: flux-system
 spec:
  interval: 15m0s
  ref:
    tag: v1.1.8
  url: https://github.com/dragonflydb/dragonfly-operator
  ignore: |
    /*
    !/manifests/dragonfly-operator.yaml
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: dragonflydb
  namespace: flux-system
 spec:
  interval: 15m
  path: ./manifests
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: dragonflydb
  wait: true
--- a/infra/external-snapshotter.yaml
+++ b/infra/external-snapshotter.yaml
@ -1,28 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: external-snapshotter
  namespace: flux-system
 spec:
  interval: 15m0s
  ref:
    tag: v8.2.0
  url: https://github.com/kubernetes-csi/external-snapshotter
  ignore: |
    /*
    !/client/config/crd/*
    !/deploy/kubernetes/snapshot-controller/*
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: external-snapshotter
  namespace: flux-system
 spec:
  interval: 15m
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: external-snapshotter
  wait: true
--- a/infra/intel-device-plugins.yaml
+++ b/infra/intel-device-plugins.yaml
@ -1,48 +0,0 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
  name: intel-device-plugins
  namespace: flux-system
 spec:
  interval: 15m0s
  ref:
    tag: v0.32.0
  url: https://github.com/intel/intel-device-plugins-for-kubernetes
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: intel-node-feature-rules
  namespace: flux-system
 spec:
  interval: 15m
  path: ./deployments/nfd/overlays/node-feature-rules
  dependsOn:
    - name: node-feature-discovery
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: intel-device-plugins
  wait: true
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: intel-device-plugins
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: intel-gpu-plugin
  namespace: flux-system
 spec:
  interval: 15m
  path: ./deployments/gpu_plugin/overlays/nfd_labeled_nodes
  targetNamespace: intel-device-plugins
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: intel-device-plugins
  wait: true
--- a/infra/kube-vip/kube-vip.yaml
+++ b/infra/kube-vip/kube-vip.yaml
@ -1,18 +0,0 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: kube-vip
  namespace: flux-system
  labels:
    alert: flux-infra
 spec:
  interval: 15m
  path: ./infra/kube-vip/kube-vip
  dependsOn:
    - name: kyverno-policies
  prune: true
  timeout: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: true
--- a/infra/kube-vip/kube-vip/cluster-role-binding.yaml
+++ b/infra/kube-vip/kube-vip/cluster-role-binding.yaml
@ -1,12 +0,0 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: system:kube-vip-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-vip-role
 subjects:
  - kind: ServiceAccount
    name: kube-vip
    namespace: kube-system
--- a/Show More
+++ b/Show More