WIP: Working on new lldap bootstrap script

.kcignore

@@ -1 +0,0 @@
-.sops.yaml

.pre-commit-config.yaml

@@ -1,29 +0,0 @@
-repos:
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
-    hooks:
-      - id: trailing-whitespace
-      - id: end-of-file-fixer
-      - id: check-yaml
-        args:
-          - --allow-multiple-documents
-      - id: check-added-large-files
-      - id: check-merge-conflict
-
-  - repo: https://github.com/crate-ci/typos
-    rev: v1.30.2
-    hooks:
-      - id: typos
-        args: ["--force-exclude"]
-
-  - repo: git@huizinga.dev:Dreaded_X/cluster-crds.git
-    rev: 951a61836937c443aa9a8d49d973cfc23dd6d219
-    hooks:
-      - id: kubeconform
-
-  # Linting does not work with external values.yaml
-  # TODO: Include url to schema in values.yaml and validate based on that?
-  # - repo: https://github.com/tarioch/flux-check-hook
-  #   rev: v0.8.0
-  #   hooks:
-  #     - id: check-flux-helm-values

.typos.toml

@@ -1,10 +0,0 @@
-[default]
-# Ignore
-extend-ignore-re = [
-  "-{5}BEGIN PGP MESSAGE-{5}(?:$|[^-]{63,}-{5}END PGP MESSAGE-{5})",
-  "-{5}BEGIN PGP PUBLIC KEY BLOCK-{5}(?:$|[^-]{63,}-{5}END PGP PUBLIC KEY BLOCK-{5})",
-]
-
-[files]
-# Ignore generated files
-extend-exclude = ["gotk-components.yaml", "gotk-sync.yaml"]

apps/akri-demo.yaml

@@ -16,6 +16,3 @@ spec:
       containers:
         - name: akri-demo
           image: traefik/whoami
-          resources:
-            limits:
-              "{{PLACEHOLDER}}": "1"

apps/authelia/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authelia
+resources:
+  - ./namespace.yaml
+  - ./repository.yaml
+  - ./release.yaml
+  - ./lldap.yaml
+
+components:
+  - ../../common/postgres
+  - ../../common/dragonflydb

apps/authelia/lldap.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: authelia-lldap
+type: Opaque
+stringData:
+    password: ENC[AES256_GCM,data:t9dCqqJrS0mhJMBXLKTKUgbOpwI3LGN134OlGmIaOsZg1bzWSV4sU0YAQMU=,iv:Bp2hO34VNtqy+7ZnWtqvmUNe2GKUh7KPZmRgXzyFqqA=,tag:qJ8iV6OyuNlVmnrPs13LNg==,type:str]
+    user-configs.json: ENC[AES256_GCM,data:7bhp9uWOM1NcfJ8DnnUdYCIFMZeCvmGr8S5gJPzw0kzXfXQfRbI2xfq4X5GdAbOCn9HHM1F+xJLaF6tno1ZmH26NN7FkXUZQCtqK9+yZgjHY8MZYsUZHdZlV40BcaYSCk7qtefGsCrITN2X/DAjrmedNeh0CF9rdov3ZKsi8nSGWGUeLpKcouhOpvbfLRSoEEfYUyUF1r5GscTuunh9uZ8DtoCJvBf8iyQ==,iv:3YuaXKKIHUgzWL07yItqR6rgI+YXbaoTVc4xdiZ/hWU=,tag:hyObOlrQVXgRHgDxcV/R0g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-11-22T04:09:11Z"
+    mac: ENC[AES256_GCM,data:3o1AYP26QEIMjCUZ4y6AH+CXevoJoJ+rX3ioMLRf8KAGy0mSOtacaSY9xRdDIjATu9aJgHmFbSw9CHTBpXxmaISZxQdMPMHQAmRxHnSuQiofPRkVtD1TlvCFcDTSgITWbvG3dpUoLdM57Mgd3z7KpI/+gEoDebYfryDaYXCoH3c=,iv:1C8QMJCJtvnGVPpLJE+l0U3hOknEC3XiWTQrPAQsHKc=,tag:fn+cMj1NImJSvNiuyzX5pQ==,type:str]
+    pgp:
+        - created_at: "2024-11-22T04:09:11Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7pKPTYH5bqOAQ/+MgqnLWwHCWPxacANbHEEYsPENOyIywmYJnSnRqRLWhAn
+            9K0/udCxwO30rnvo+p6/YLF2VSqFfz7pUm/z+MH6ypyY1B83HjCkjsaTQhPR5Q0K
+            CmhTR7TrQBNfa/flawhebWOjvmUJ9lJ9uqCnAB16S03Sn+PqDYlGTE6CMJ0oJuSr
+            VpxdvdvFZ1gfR7hlVrsKqvn47T3XIYDJohp9l819nQ1O2adTPfevZEN/JLwaWSLT
+            YtwJyg+6ogKD3q6UBv7hyyXH9ZlMHFxGWxmo1OXAA3E/vMvOacgmFW6pqoGMqwGU
+            D9Ch2x1MBobD342ZPPmsQNiI+34Q5cl+hVJJgL5jWk2kML67itM8pMUTyn+5NtWO
+            wWo6zu5q5IfqREwuerZtisocctrLB9QKPVGcjVihWfoenvlkf4yfCRDFzOPSAb0o
+            e2K+3fZknZlnb3Qb/rgD7XRiBhcif1zIHZxUQDv/Lq9GyuCM7dk8YKUVCtyeixQ4
+            C+WFmp9ED8xzv1jR9lPcQhD+I2Cb7/9jlTXEetFHSzl4riYpKPjhKQedUWZ0YY1A
+            u0ORTBaLzcmrXTjGz24PxmWZDBjhV4Kgvn76rchqLrS8lvi1EbXoZB6ERhuhlz5Y
+            bm1FwUBxDRG04gFCPwWKV0AvMmhd+hOdyo4KeQbZCO+w3QqXnp/y6b3TtpEeQnPU
+            aAEJAhCMqxSAESN99AcEtW56mJsZmRCCi3NsRLwllDczeDfUznF2CSTCnJRDmjsU
+            bLf8jVjawLxfRnKmRyKX/cCYbuz9OmIFkOAWoSNVb/teiMrYYFq96kRDLHR1Llxr
+            EuX0poghRPqU
+            =tI6a
+            -----END PGP MESSAGE-----
+          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+        - created_at: "2024-11-22T04:09:11Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoARAA15aOcSEfAIpEXXhmF4YToynn1NM9OsANHc3PR2uVzAPv
+            C4Wi8R1PNhGdV3aTuRN5WpSjkJEE3GNR0kA0Etao7Ip0d1UgXzg1wtwEd1Yyvtdh
+            ccK2/z0a4UJu8SMczChT1P18IASNksaxSAm+TOLFGcZeJFwQepsBaQIEfXYO3+hR
+            Jw+zcPmFaOzKoqdbAAWzvYhLxD2ocjZl7iiIOhz8fBSqWLO2oeJRp5Lk8Q14olTZ
+            708BQ+aLlsVJyLkiV7SzlKfEDIymMDZSe7Q3i4JqOFOyHRIkIM5ZPOLoelqRNcY2
+            zQphsk1U/MFp7LsR/d+5IKWBkqV5DYJWFunw+NRFHLg1/6+zmGnGbZ2gZfohvnKV
+            5GUrYfWCBACIclpxY7PlVQ7d/aTDf3jdR0iVV3Jh+8Lvze1msPvI+BF67oDNMsTu
+            EIbRa6eHzxgSqrq3Za5eeUXd9Gxfg2g4KdkbG+FA9qQI6f5Y1q0tE9cFfOElTiBk
+            xTAckrBMHOMGozvx4/6xXHMmAxd80tX0ZjVyBsPBeb64oZGlsGuRngWT1Ob9gF4Q
+            sDfyd74kpQ9fHhIYs9XSLrPbH6yzVIFF/sHpMGgri43PCMW6vvnfP4JQgdMNdXRw
+            U+RWDxA6BOkP7XvNfGADiumeSGQ+PE/KP0TuUqMD7gr9X/VGH+/1e6zbI1iruhPS
+            XgFoSamAXKfYrYz94J9u0vA8D8ne9EKa8Ls6ybicyyZlGLri/qnoHNJAVhLWKdId
+            h68ksrI5l25Z1MkAcKVR1xlHUnRCwb2Xdbag0vV07So00wxAl1XNhtPeuQrykk0=
+            =V4Gd
+            -----END PGP MESSAGE-----
+          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.0

apps/authelia/release.yaml

@@ -0,0 +1,87 @@
+kind: HelmRelease
+metadata:
+  name: authelia
+spec:
+  chart:
+    spec:
+      chart: authelia
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+      version: 0.9.9
+  interval: 15m
+  values:
+    pod:
+      replicas: 2
+    ingress:
+      enabled: true
+      tls:
+        enabled: true
+        secret: ${domain//./-}-tls
+      traefikCRD:
+        enabled: true
+        entryPoints:
+          - websecure
+
+    secret:
+      additionalSecrets:
+        authelia-db-cluster-app:
+          key: authelia-db-cluster-app
+        authelia-lldap:
+          key: authelia-lldap
+
+    configMap:
+      authentication_backend:
+        ldap:
+          enabled: true
+          # TODO: Use lldap implementation, see docs
+          implementation: custom
+          address: ldap://lldap.lldap.svc.cluster.local:3890
+          base_dn: dc=huizinga,dc=dev
+          additional_users_dn: ou=people
+          users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
+          additional_groups_dn: ou=groups
+          groups_filter: "(member={dn})"
+          attributes:
+            display_name: displayName
+            username: uid
+            group_name: cn
+            mail: mail
+          user: uid=authelia,ou=people,dc=huizinga,dc=dev
+          password:
+            secret_name: authelia-lldap
+            path: password
+
+      session:
+        cookies:
+          - subdomain: login${subdomain}
+            domain: ${topdomain}
+        redis:
+          enabled: true
+          host: dragonflydb.authelia
+
+      storage:
+        postgres:
+          enabled: true
+          address: tcp://authelia-db-cluster-rw.authelia:5432
+          database: app
+          username: app
+          password:
+            secret_name: authelia-db-cluster-app
+            path: password
+
+      notifier:
+        filesystem:
+          enabled: true
+
+      access_control:
+        rules:
+          - domain: traefik.${domain}
+            policy: one_factor
+            subject: "group:lldap_admin"
+          - domain: grafana.${domain}
+            policy: one_factor
+          # Deny by default, mainly a placeholder to allow patching in other rules
+          - domain: "*"
+            policy: deny

apps/grafana/access-control-rule.yaml

@@ -1,7 +0,0 @@
-apiVersion: authelia.huizinga.dev/v1
-kind: AccessControlRule
-metadata:
-  name: grafana
-spec:
-  domain: grafana.${domain}
-  policy: one_factor

apps/grafana/kustomization.yaml

@@ -5,8 +5,9 @@ resources:
   - ./namespace.yaml
   - ./repository.yaml
   - ./release.yaml
-  - ./service-user.yaml
-  - ./access-control-rule.yaml
+  - ./lldap.yaml
+
+components:
   - ../../common/postgres
   - ../../common/dragonflydb
 
@@ -16,4 +17,4 @@ configurations:
 secretGenerator:
   - name: grafana-ldap-toml
     files:
-      - ldap-toml=ldap.toml
+      - ldap-toml

apps/grafana/ldap-toml

@@ -20,10 +20,10 @@ ssl_skip_verify = false
 # client_key = "/path/to/client.key"
 
 # Search user bind dn
-bind_dn = "${BIND_DN}"
+bind_dn = "uid=grafana,ou=people,dc=huizinga,dc=dev"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = "${LDAP_PASSWORD}"
+bind_password = """${LDAP_ADMIN_PASSWORD}"""
 
 # User search filter
 search_filter = "(&(|(uid=%s)(mail=%s))(objectClass=person))"

apps/grafana/lldap.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: grafana-lldap
+type: Opaque
+stringData:
+    password: ENC[AES256_GCM,data:0QolUQJaul0Hao4qJF/wxmV1APnwuJPMm/JgjdrPSr6edFTjED5jSt9lyio=,iv:faITYBBHrnHEnPn9zAK+y24AfXi9rZDZzu7RO9EBpX0=,tag:SI7sf2ORGYrbU1v3PdRYmw==,type:str]
+    user-configs.json: ENC[AES256_GCM,data:oshuHNNLYtNXbtkWw4oSpsxGRLNnOfCOJ9jFhKaPtgwYqCLEiOvw2AoWC7SBBv+gScBHDAbghwWJHP0ff2RSCNT6zGaAOinTOezErwmdpwA8A6JZY+EGh2+qnSkO6Eosy+tbWATUqAfZGmzqLzKlhF1Bleg2pc3pb3q9lzv4RWaizg0sFVKxfxaKJ98BRmq7blH7F47c+ybmkheZL10dBr9JLtfTsQ==,iv:KvJVCDyseQ82CQn2gUB3BM1MFVAMoZGWGqzrt8Tjmcs=,tag:FvyL72NYx4VRXdrzW4abdg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-12-30T03:11:38Z"
+    mac: ENC[AES256_GCM,data:XIV9UXqKcSkWRyPUBasswbfUFy7PKCjz3xqghmvk0Nin0l2GzrPfXvmiFb9Ytt8HduR7s+a4c609ZXlnXLQPHoM0w7I/4ELYTPzez4jgWPRSB3f4Oz5GDz0zKOzHqXJQec92YULhbUKeuQdBnTlMl+JMLuMX2C7t16HlI+WgWvA=,iv:5yfI/pBYYNNE5B5JICGUnk1t045abQaQYDJObZbXflc=,tag:LdU1tMHmelPGTG4bESxPPg==,type:str]
+    pgp:
+        - created_at: "2024-12-30T03:06:07Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7pKPTYH5bqOARAAqYYnP/oUVePG0EMSXrEY/IadyZoi49oMzMKVKATJoRti
+            CMoDSc9URIe9hW9aVzTj925qfh/e1bU3gYS1ghCxRXINHkVpgFZ7o/iVGL4bdeuU
+            QrGYxrm7/IZQUSNy5d4r1vO/n5lEdrcmX57N4LKYDUnF2+Vf/j3DILGzDFBTh3U2
+            GnlaFMPtabMzZpDz5U9hfGeLmz+63DKMQeExq4egKoeKf1RIVG3x1S9XpvpwAvvG
+            omZSvDaT44winp2T6HF70oqF5nF0ex3mBTrhsEdff+5o/cinT40WfOID239MUmzq
+            U7Rafx/tHM9CI4u646C0CIAAY7tS0jB+eud8btA+X1KyfSUegFwAm1FzL5w3ZI3/
+            kcGXgV0AbrjprqWCqBbWF8ZWoHN3RgEr7naYuo8Z0wMWLdW6IvW9CBvh+I1K1hDW
+            mFZ8fA4cW4kowzSr79wYd32w1lnfjuA8itr/paSzCKpF44GfpkZ470h55KiEwCij
+            92ChS+RshTjLGebIzE/5LOmJYGauU1jcJ9HtRvWIajprQ6Y8oJh1fCvendTkVK58
+            psGNoVsguj3Jf4OZ7PK8KMvxxG/dceYHDRKlQe78x3VhlwUC3N0jrPqmqzuo1SFT
+            07L0tRepxa1MokZzC4Vs+yEFoy7lF1VjMSmXQWkavqzuEkffU9y/3gABnR7UEvrU
+            aAEJAhA5mxWyM1zu7f0ppbyTaYd7wqpq7DO6uoCziYza7xE3hZ+fNLMssi/gctd5
+            E9O1e7yRtxQui1L4uVtrpW3o7RfE+UqtE2peUFcdW7Uja+URM4/G7kzadgDAQ1fj
+            8PqQ49TpHxYC
+            =eBq+
+            -----END PGP MESSAGE-----
+          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+        - created_at: "2024-12-30T03:06:07Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoARAApjAXIvzIxzFJgKTynZSQz36hBdz1silLW6iJF2I8rlll
+            tdw6Sez7m3ynta3dMU9m2rtA4yVNiDIOyW6HaKtNEAOSkaIfKDVTLt77a3ypZzVi
+            /mcJ94DmRqax/a8OInYIFKzKnH07ZF8uZ5NogRRCEd66AuUrymi0okNpKXYa/hw9
+            gJXmxzk5tzDqyoaDm4GraUQelE2CAFnML36nguc4HEwJsHvgnD+gEuAagDiLrdIU
+            LFNw39s+1wpstSjiWaOwZbl3XG9t+wBnUHpoN830cQE0hjib/XMtiH4D1EnHjxTr
+            wSRPEczLbe2Z1kpTHd2Zt/nFNsudtqViy2LgQDAkrlJL2YNbvWqfssMmPkVjDLeH
+            qh0cGKWJ3we+ad/pR60DBm2Q8RVzylqojn6o5sdOPlCh+cwI9Tiac6b3cdVYDAop
+            el4hbxGPojRw+BWGbrpTvu3H3zaTNA8Xwds1FIoisyTRIEISq9HGkbwFmtCXQGwN
+            R4qi151dUiuGDwkJlaVspbAu8uikV0ucZ7xR6+D6f3NUhyCeGiBz6gb48SZDJ0u8
+            IfcYu0HOzgeQzMn4X0vluxbFbIA4CxZlyy1I60YwHUSUvDGYFiJ7fDBSOnQeHUT9
+            2BSYlMsw0r5o8KZDPQ0vRVOCN7FC0lVZ+O4hSAfYJq7KdzD55HGFNZ1SgncUI3/S
+            XgGe/0g5rvyHi2Mc67Sl/6ooLL3AeelzTgOD1deMKO7inzfFfolETn42O09H3RL4
+            FVDaqZTgxRTo5vI0xy7tt8WzC2RnnKO04eCU2Fpzz/jORMD1YCOoAGuf5ZDsJbM=
+            =9p2Q
+            -----END PGP MESSAGE-----
+          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

apps/grafana/release.yaml

@@ -23,17 +23,13 @@ spec:
         - secretName: ${domain//./-}-tls
       annotations:
         traefik.ingress.kubernetes.io/router.entryPoints: "websecure"
-        traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd"
+        traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd" # name of your middleware, as defined in your middleware.yml
         traefik.ingress.kubernetes.io/router.tls: "true"
 
     envValueFrom:
-      BIND_DN:
+      LDAP_ADMIN_PASSWORD:
         secretKeyRef:
-          name: grafana-lldap-credentials
-          key: bind_dn
-      LDAP_PASSWORD:
-        secretKeyRef:
-          name: grafana-lldap-credentials
+          name: grafana-lldap
           key: password
 
     grafana.ini:
@@ -65,15 +61,9 @@ spec:
       enabled: true
       existingSecret: grafana-ldap-toml
 
-    sidecar:
-      datasources:
-        enabled: true
-        searchNamespace: ALL
-        labelValue: "1"
-
     extraSecretMounts:
-      - name: postgres-app-mount
-        secretName: postgres-app
+      - name: grafana-db-cluster-app-mount
+        secretName: grafana-db-cluster-app
         defaultMode: 0440
         mountPath: /etc/secrets/db
         readOnly: true

apps/grafana/service-user.yaml

@@ -1,5 +0,0 @@
-apiVersion: lldap.huizinga.dev/v1
-kind: ServiceUser
-metadata:
-  name: grafana
-spec: {}

apps/kustomization.yaml

@@ -1,7 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./lldap
+  - ./authelia
   - ./grafana
+  - ./traefik-dashboard
 
   - ./whoami.yaml
   - ./akri-demo.yaml

apps/lldap/bootstrap/bootstrap-job.yaml

@@ -0,0 +1,101 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: lldap-bootstrap
+  annotations:
+    kustomize.toolkit.fluxcd.io/force: enabled
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: lldap-bootstrap
+          image: lldap/lldap:v0.5.0
+
+          command:
+            - /bootstrap/bootstrap.sh
+
+          env:
+            - name: LLDAP_URL
+              value: "http://lldap:17170"
+
+            - name: LLDAP_ADMIN_USERNAME
+              value: admin
+
+            - name: LLDAP_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: lldap-ldap-user-pass
+
+            - name: DO_CLEANUP
+              value: "true"
+
+          volumeMounts:
+            - name: bootstrap
+              mountPath: /bootstrap/bootstrap.sh
+              readOnly: true
+              subPath: bootstrap.sh
+
+            - name: user-configs
+              mountPath: /bootstrap/user-configs
+              readOnly: true
+
+            - name: group-configs
+              mountPath: /bootstrap/group-configs
+              readOnly: true
+
+            - name: system-users
+              mountPath: /bootstrap/system-users
+              readOnly: true
+
+      volumes:
+        - name: bootstrap
+          configMap:
+            name: bootstrap
+            defaultMode: 0555
+            items:
+              - key: bootstrap.sh
+                path: bootstrap.sh
+
+        - name: user-configs
+          projected:
+            sources:
+              - secret:
+                  name: lldap-bootstrap-configs
+                  items:
+                    - key: user-configs.json
+                      path: user-configs.json
+              - secret:
+                  name: authelia-lldap
+                  items:
+                    - key: user-configs.json
+                      path: authelia-configs.json
+              - secret:
+                  name: grafana-lldap
+                  items:
+                    - key: user-configs.json
+                      path: grafana-configs.json
+
+        - name: system-users
+          projected:
+            sources:
+              - secret:
+                  name: authelia-lldap
+                  items:
+                    - key: password
+                      path: authelia
+              - secret:
+                  name: grafana-lldap
+                  items:
+                    - key: password
+                      path: grafana
+
+        - name: group-configs
+          projected:
+            sources:
+              - secret:
+                  name: lldap-bootstrap-configs
+                  items:
+                    - key: group-configs.json
+                      path: group-configs.json

apps/lldap/bootstrap/bootstrap.sh

@@ -0,0 +1,612 @@
+#!/usr/bin/env bash
+
+set -e
+set -o pipefail
+
+LLDAP_URL="${LLDAP_URL:-http://localhost:17170}"
+LLDAP_ADMIN_USERNAME="${LLDAP_ADMIN_USERNAME:-admin}"
+LLDAP_ADMIN_PASSWORD="${LLDAP_ADMIN_PASSWORD:-password}"
+USER_SCHEMAS_DIR="${USER_SCHEMAS_DIR:-/bootstrap/user-schemas}"
+SYSTEM_USERS_DIR="${SYSTEM_USERS_DIR:-/bootstrap/system-users}"
+GROUP_SCHEMAS_DIR="${GROUP_SCHEMAS_DIR:-/bootstrap/group-schemas}"
+USER_CONFIGS_DIR="${USER_CONFIGS_DIR:-/bootstrap/user-configs}"
+GROUP_CONFIGS_DIR="${GROUP_CONFIGS_DIR:-/bootstrap/group-configs}"
+LLDAP_SET_PASSWORD_PATH="${LLDAP_SET_PASSWORD_PATH:-/app/lldap_set_password}"
+DO_CLEANUP="${DO_CLEANUP:-false}"
+
+# Fallback to support legacy defaults
+if [[ ! -d $USER_CONFIGS_DIR ]] && [[ -d "/user-configs" ]]; then
+  USER_CONFIGS_DIR="/user-configs"
+fi
+if [[ ! -d $GROUP_CONFIGS_DIR ]] && [[ -d "/group-configs" ]]; then
+  GROUP_CONFIGS_DIR="/group-configs"
+fi
+
+check_install_dependencies() {
+  local commands=('curl' 'jq' 'jo')
+  local commands_not_found='false'
+
+  if ! hash "${commands[@]}" 2>/dev/null; then
+    if hash 'apk' 2>/dev/null && [[ $EUID -eq 0 ]]; then
+      apk add "${commands[@]}"
+    elif hash 'apt' 2>/dev/null && [[ $EUID -eq 0 ]]; then
+      apt update -yqq
+      apt install -yqq "${commands[@]}"
+    else
+      local command=''
+      for command in "${commands[@]}"; do
+        if ! hash "$command" 2>/dev/null; then
+          printf 'Command not found "%s"\n' "$command"
+        fi
+      done
+      commands_not_found='true'
+    fi
+  fi
+
+  if [[ "$commands_not_found" == 'true' ]]; then
+    return 1
+  fi
+}
+
+check_required_env_vars() {
+  local env_var_not_specified='false'
+  local dual_env_vars_list=(
+    'LLDAP_URL'
+    'LLDAP_ADMIN_USERNAME'
+    'LLDAP_ADMIN_PASSWORD'
+  )
+
+  local dual_env_var_name=''
+  for dual_env_var_name in "${dual_env_vars_list[@]}"; do
+    local dual_env_var_file_name="${dual_env_var_name}_FILE"
+
+    if [[ -z "${!dual_env_var_name}" ]] && [[ -z "${!dual_env_var_file_name}" ]]; then
+      printf 'Please specify "%s" or "%s" variable!\n' "$dual_env_var_name" "$dual_env_var_file_name" >&2
+      env_var_not_specified='true'
+    else
+      if [[ -n "${!dual_env_var_file_name}" ]]; then
+        declare -g "$dual_env_var_name"="$(cat "${!dual_env_var_file_name}")"
+      fi
+    fi
+  done
+
+  if [[ "$env_var_not_specified" == 'true' ]]; then
+    return 1
+  fi
+}
+
+check_configs_validity() {
+  local config_file='' config_invalid='false'
+  for config_file in "$@"; do
+    local error=''
+    if ! error="$(jq '.' -- "$config_file" 2>&1 >/dev/null)"; then
+      printf '%s: %s\n' "$config_file" "$error"
+      config_invalid='true'
+    fi
+  done
+
+  if [[ "$config_invalid" == 'true' ]]; then
+    return 1
+  fi
+}
+
+auth() {
+  local url="$1" admin_username="$2" admin_password="$3"
+
+  local response
+  response="$(curl --silent --request POST \
+    --url "$url/auth/simple/login" \
+    --header 'Content-Type: application/json' \
+    --data "$(jo -- username="$admin_username" password="$admin_password")")"
+
+  TOKEN="$(printf '%s' "$response" | jq --raw-output .token)"
+}
+
+make_query() {
+  local query_file="$1" variables_file="$2"
+
+  curl --silent --request POST \
+    --url "$LLDAP_URL/api/graphql" \
+    --header "Authorization: Bearer $TOKEN" \
+    --header 'Content-Type: application/json' \
+    --data @<(jq --slurpfile variables "$variables_file" '. + {"variables": $variables[0]}' "$query_file")
+}
+
+get_group_list() {
+  local query='{"query":"query GetGroupList {groups {id displayName}}","operationName":"GetGroupList"}'
+  make_query <(printf '%s' "$query") <(printf '{}')
+}
+
+get_group_array() {
+  get_group_list | jq --raw-output '.data.groups[].displayName'
+}
+
+group_exists() {
+  if [[ "$(get_group_list | jq --raw-output --arg displayName "$1" '.data.groups | any(.[]; select(.displayName == $displayName))')" == 'true' ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+get_group_id() {
+  get_group_list | jq --raw-output --arg displayName "$1" '.data.groups[] | if .displayName == $displayName then .id else empty end'
+}
+
+create_group() {
+  local group_name="$1"
+
+  if group_exists "$group_name"; then
+    printf 'Group "%s" (%s) already exists\n' "$group_name" "$(get_group_id "$group_name")"
+    return
+  fi
+
+  # shellcheck disable=SC2016
+  local query='{"query":"mutation CreateGroup($name: String!) {createGroup(name: $name) {id displayName}}","operationName":"CreateGroup"}'
+
+  local response='' error=''
+  response="$(make_query <(printf '%s' "$query") <(jo -- name="$group_name"))"
+  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
+  if [[ -n "$error" ]]; then
+    printf '%s\n' "$error"
+  else
+    printf 'Group "%s" (%s) successfully created\n' "$group_name" "$(printf '%s' "$response" | jq --raw-output '.data.createGroup.id')"
+  fi
+}
+
+delete_group() {
+  local group_name="$1" id=''
+
+  if ! group_exists "$group_name"; then
+    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
+    return
+  fi
+
+  id="$(get_group_id "$group_name")"
+
+  # shellcheck disable=SC2016
+  local query='{"query":"mutation DeleteGroupQuery($groupId: Int!) {deleteGroup(groupId: $groupId) {ok}}","operationName":"DeleteGroupQuery"}'
+
+  local response='' error=''
+  response="$(make_query <(printf '%s' "$query") <(jo -- groupId="$id"))"
+  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
+  if [[ -n "$error" ]]; then
+    printf '%s\n' "$error"
+  else
+    printf 'Group "%s" (%s) successfully deleted\n' "$group_name" "$id"
+  fi
+}
+
+get_user_details() {
+  local id="$1"
+
+  # shellcheck disable=SC2016
+  local query='{"query":"query GetUserDetails($id: String!) {user(userId: $id) {id email displayName firstName lastName creationDate uuid groups {id displayName}}}","operationName":"GetUserDetails"}'
+  make_query <(printf '%s' "$query") <(jo -- id="$id")
+}
+
+user_in_group() {
+  local user_id="$1" group_name="$2"
+
+  if ! group_exists "$group_name"; then
+    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
+    return
+  fi
+
+  if ! user_exists "$user_id"; then
+    printf 'User "%s" is not exists\n' "$user_id"
+    return
+  fi
+
+  if [[ "$(get_user_details "$user_id" | jq --raw-output --arg displayName "$group_name" '.data.user.groups | any(.[]; select(.displayName == $displayName))')" == 'true' ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+add_user_to_group() {
+  local user_id="$1" group_name="$2" group_id=''
+
+  if ! group_exists "$group_name"; then
+    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
+    return
+  fi
+
+  group_id="$(get_group_id "$group_name")"
+
+  if user_in_group "$user_id" "$group_name"; then
+    printf 'User "%s" already in group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
+    return
+  fi
+
+  # shellcheck disable=SC2016
+  local query='{"query":"mutation AddUserToGroup($user: String!, $group: Int!) {addUserToGroup(userId: $user, groupId: $group) {ok}}","operationName":"AddUserToGroup"}'
+
+  local response='' error=''
+  response="$(make_query <(printf '%s' "$query") <(jo -- user="$user_id" group="$group_id"))"
+  error="$(printf '%s' "$response" | jq '.errors | if . != null then .[].message else empty end')"
+  if [[ -n "$error" ]]; then
+    printf '%s\n' "$error"
+  else
+    printf 'User "%s" successfully added to the group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
+  fi
+}
+
+remove_user_from_group() {
+  local user_id="$1" group_name="$2" group_id=''
+
+  if ! group_exists "$group_name"; then
+    printf '[WARNING] Group "%s" does not exist\n' "$group_name"
+    return
+  fi
+
+  group_id="$(get_group_id "$group_name")"
+
+  # shellcheck disable=SC2016
+  local query='{"operationName":"RemoveUserFromGroup","query":"mutation RemoveUserFromGroup($user: String!, $group: Int!) {removeUserFromGroup(userId: $user, groupId: $group) {ok}}"}'
+
+  local response='' error=''
+  response="$(make_query <(printf '%s' "$query") <(jo -- user="$user_id" group="$group_id"))"
+  error="$(printf '%s' "$response" | jq '.errors | if . != null then .[].message else empty end')"
+  if [[ -n "$error" ]]; then
+    printf '%s\n' "$error"
+  else
+    printf 'User "%s" successfully removed from the group "%s" (%s)\n' "$user_id" "$group_name" "$group_id"
+  fi
+}
+
+get_users_list() {
+  # shellcheck disable=SC2016
+  local query='{"query": "query ListUsersQuery($filters: RequestFilter) {users(filters: $filters) {id email displayName firstName lastName creationDate}}","operationName": "ListUsersQuery"}'
+  make_query <(printf '%s' "$query") <(jo -- filters=null)
+}
+
+user_exists() {
+  if [[ "$(get_users_list | jq --raw-output --arg id "$1" '.data.users | any(.[]; .id == $id)')" == 'true' ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+delete_user() {
+  local id="$1"
+
+  if ! user_exists "$id"; then
+    printf 'User "%s" is not exists\n' "$id"
+    return
+  fi
+
+  # shellcheck disable=SC2016
+  local query='{"query": "mutation DeleteUserQuery($user: String!) {deleteUser(userId: $user) {ok}}","operationName": "DeleteUserQuery"}'
+
+  local response='' error=''
+  response="$(make_query <(printf '%s' "$query") <(jo -- user="$id"))"
+  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
+  if [[ -n "$error" ]]; then
+    printf '%s\n' "$error"
+  else
+    printf 'User "%s" successfully deleted\n' "$id"
+  fi
+}
+
+get_group_property_list() {
+  local query='{"query":"query GetGroupAttributesSchema { schema { groupSchema { attributes { name }}}}","operationName":"GetGroupAttributesSchema"}'
+  make_query <(printf '%s' "$query") <(printf '{}')
+}
+group_property_exists() {
+  if [[ "$(get_group_property_list | jq --raw-output --arg name "$1" '.data.schema.groupSchema.attributes | any(.[]; select(.name == $name))')" == 'true' ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+create_group_schema_property() {
+  local name="$1"
+  local attributeType="$2"
+  local isEditable="$3"
+  local isList="$4"
+  local isVisible="$5"
+
+  if group_property_exists "$name"; then
+    printf 'Group property "%s" already exists\n' "$name"
+    return
+  fi
+
+  # shellcheck disable=SC2016
+  local query='{"query":"mutation CreateGroupAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!, $isEditable: Boolean!) {addGroupAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: $isEditable) {ok}}","operationName":"CreateGroupAttribute"}'
+
+  local response='' error=''
+  response="$(make_query <(printf '%s' "$query") <(jo -- name="$name" attributeType="$attributeType" isEditable="$isEditable" isList="$isList" isVisible="$isVisible"))"
+  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
+  if [[ -n "$error" ]]; then
+    printf '%s\n' "$error"
+  else
+    printf 'Group attribute "%s" successfully created\n' "$name"
+  fi
+}
+
+get_user_property_list() {
+  local query='{"query":"query GetUserAttributesSchema { schema { userSchema { attributes { name }}}}","operationName":"GetUserAttributesSchema"}'
+  make_query <(printf '%s' "$query") <(printf '{}')
+}
+user_property_exists() {
+  if [[ "$(get_user_property_list | jq --raw-output --arg name "$1" '.data.schema.userSchema.attributes | any(.[]; select(.name == $name))')" == 'true' ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+create_user_schema_property() {
+  local name="$1"
+  local attributeType="$2"
+  local isEditable="$3"
+  local isList="$4"
+  local isVisible="$5"
+
+  if user_property_exists "$name"; then
+    printf 'User property "%s" already exists\n' "$name"
+    return
+  fi
+
+  # shellcheck disable=SC2016
+  local query='{"query":"mutation CreateUserAttribute($name: String!, $attributeType: AttributeType!, $isList: Boolean!, $isVisible: Boolean!, $isEditable: Boolean!) {addUserAttribute(name: $name, attributeType: $attributeType, isList: $isList, isVisible: $isVisible, isEditable: $isEditable) {ok}}","operationName":"CreateUserAttribute"}'
+
+  local response='' error=''
+  response="$(make_query <(printf '%s' "$query") <(jo -- name="$name" attributeType="$attributeType" isEditable="$isEditable" isList="$isList" isVisible="$isVisible"))"
+  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
+  if [[ -n "$error" ]]; then
+    printf '%s\n' "$error"
+  else
+    printf 'User attribute "%s" successfully created\n' "$name"
+  fi
+}
+
+__common_user_mutation_query() {
+  local \
+    query="$1" \
+    id="${2:-null}" \
+    email="${3:-null}" \
+    displayName="${4:-null}" \
+    firstName="${5:-null}" \
+    lastName="${6:-null}" \
+    avatar_file="${7:-null}" \
+    avatar_url="${8:-null}" \
+    gravatar_avatar="${9:-false}" \
+    weserv_avatar="${10:-false}"
+
+  local variables_arr=(
+    '-s' "id=$id"
+    '-s' "email=$email"
+    '-s' "displayName=$displayName"
+    '-s' "firstName=$firstName"
+    '-s' "lastName=$lastName"
+  )
+
+  local temp_avatar_file=''
+
+  if [[ "$gravatar_avatar" == 'true' ]]; then
+    avatar_url="https://gravatar.com/avatar/$(printf '%s' "$email" | sha256sum | cut -d ' ' -f 1)?size=512"
+  fi
+
+  if [[ "$avatar_url" != 'null' ]]; then
+    temp_avatar_file="${TMP_AVATAR_DIR}/$(printf '%s' "$avatar_url" | md5sum | cut -d ' ' -f 1)"
+
+    if ! [[ -f "$temp_avatar_file" ]]; then
+      if [[ "$weserv_avatar" == 'true' ]]; then
+        avatar_url="https://wsrv.nl/?url=$avatar_url&output=jpg"
+      fi
+      curl --silent --location --output "$temp_avatar_file" "$avatar_url"
+    fi
+
+    avatar_file="$temp_avatar_file"
+  fi
+
+  if [[ "$avatar_file" == 'null' ]]; then
+    variables_arr+=('-s' 'avatar=null')
+  else
+    variables_arr+=("avatar=%$avatar_file")
+  fi
+
+  make_query <(printf '%s' "$query") <(jo -- user=:<(jo -- "${variables_arr[@]}"))
+}
+
+create_user() {
+  local id="$1"
+
+  if user_exists "$id"; then
+    printf 'User "%s" already exists\n' "$id"
+    return
+  fi
+
+  # shellcheck disable=SC2016
+  local query='{"query":"mutation CreateUser($user: CreateUserInput!) {createUser(user: $user) {id creationDate}}","operationName":"CreateUser"}'
+
+  local response='' error=''
+  response="$(__common_user_mutation_query "$query" "$@")"
+  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
+  if [[ -n "$error" ]]; then
+    printf '%s\n' "$error"
+  else
+    printf 'User "%s" successfully created\n' "$id"
+  fi
+}
+
+update_user() {
+  local id="$1"
+
+  if ! user_exists "$id"; then
+    printf 'User "%s" is not exists\n' "$id"
+    return
+  fi
+
+  # shellcheck disable=SC2016
+  local query='{"query":"mutation UpdateUser($user: UpdateUserInput!) {updateUser(user: $user) {ok}}","operationName":"UpdateUser"}'
+
+  local response='' error=''
+  response="$(__common_user_mutation_query "$query" "$@")"
+  error="$(printf '%s' "$response" | jq --raw-output '.errors | if . != null then .[].message else empty end')"
+  if [[ -n "$error" ]]; then
+    printf '%s\n' "$error"
+  else
+    printf 'User "%s" successfully updated\n' "$id"
+  fi
+}
+
+create_update_user() {
+  local id="$1"
+
+  if user_exists "$id"; then
+    update_user "$@"
+  else
+    create_user "$@"
+  fi
+}
+
+main() {
+  check_install_dependencies
+  check_required_env_vars
+
+  local user_config_files=("${USER_CONFIGS_DIR}"/*.json)
+  local group_config_files=("${GROUP_CONFIGS_DIR}"/*.json)
+  local user_schema_files=()
+  local group_schema_files=()
+
+  local file=''
+  [[ -d "$USER_SCHEMAS_DIR" ]] && for file in "${USER_SCHEMAS_DIR}"/*.json; do
+    user_schema_files+=("$file")
+  done
+  [[ -d "$GROUP_SCHEMAS_DIR" ]] && for file in "${GROUP_SCHEMAS_DIR}"/*.json; do
+    group_schema_files+=("$file")
+  done
+  [[ -d "$SYSTEM_USERS_DIR" ]] && for file in "${SYSTEM_USERS_DIR}"/*; do
+	  printf -- "$(basename $file) => $(cat $file)\n"
+  done
+  create_user_schema_property "managed" "integer" "false" "false" "false"
+
+
+  if ! check_configs_validity "${group_config_files[@]}" "${user_config_files[@]}" "${group_schema_files[@]}" "${user_schema_files[@]}"; then
+    exit 1
+  fi
+
+  until curl --silent -o /dev/null "$LLDAP_URL"; do
+    printf 'Waiting lldap to start...\n'
+    sleep 10
+  done
+
+  auth "$LLDAP_URL" "$LLDAP_ADMIN_USERNAME" "$LLDAP_ADMIN_PASSWORD"
+
+  printf -- '\n--- group schemas ---\n'
+  local group_schema_config_row=''
+  [[ ${#group_schema_files[@]} -gt 0 ]] && while read -r group_schema_config_row; do
+    local field='' name='' attributeType='' isEditable='' isList='' isVisible=''
+    for field in 'name' 'attributeType' 'isEditable' 'isList' 'isVisible'; do
+      declare "$field"="$(printf '%s' "$group_schema_config_row" | jq --raw-output --arg field "$field" '.[$field]')"
+    done
+    create_group_schema_property "$name" "$attributeType" "$isEditable" "$isList" "$isVisible"
+  done < <(jq --compact-output '.[]' -- "${group_schema_files[@]}")
+  printf -- '--- group schemas ---\n'
+
+  printf -- '\n--- user schemas ---\n'
+  local user_schema_config_row=''
+  [[ ${#user_schema_files[@]} -gt 0 ]] && while read -r user_schema_config_row; do
+    local field='' name='' attributeType='' isEditable='' isList='' isVisible=''
+    for field in 'name' 'attributeType' 'isEditable' 'isList' 'isVisible'; do
+      declare "$field"="$(printf '%s' "$user_schema_config_row" | jq --raw-output --arg field "$field" '.[$field]')"
+    done
+    create_user_schema_property "$name" "$attributeType" "$isEditable" "$isList" "$isVisible"
+  done < <(jq --compact-output '.[]' -- "${user_schema_files[@]}")
+  printf -- '--- user schemas ---\n'
+
+  local redundant_groups=''
+  redundant_groups="$(get_group_list | jq '[ .data.groups[].displayName ]' | jq --compact-output '. - ["lldap_admin","lldap_password_manager","lldap_strict_readonly"]')"
+
+  printf -- '\n--- groups ---\n'
+  local group_config=''
+  while read -r group_config; do
+    local group_name=''
+    group_name="$(printf '%s' "$group_config" | jq --raw-output '.name')"
+    create_group "$group_name"
+    redundant_groups="$(printf '%s' "$redundant_groups" | jq --compact-output --arg name "$group_name" '. - [$name]')"
+  done < <(jq --compact-output '.' -- "${group_config_files[@]}")
+  printf -- '--- groups ---\n'
+
+  printf -- '\n--- redundant groups ---\n'
+  if [[ "$redundant_groups" == '[]' ]]; then
+    printf 'There are no redundant groups\n'
+  else
+    local group_name=''
+    while read -r group_name; do
+      if [[ "$DO_CLEANUP" == 'true' ]]; then
+        delete_group "$group_name"
+      else
+        printf '[WARNING] Group "%s" is not declared in config files\n' "$group_name"
+      fi
+    done < <(printf '%s' "$redundant_groups" | jq --raw-output '.[]')
+  fi
+  printf -- '--- redundant groups ---\n'
+
+  local redundant_users=''
+  redundant_users="$(get_users_list | jq '[ .data.users[].id ]' | jq --compact-output --arg admin_id "$LLDAP_ADMIN_USERNAME" '. - [$admin_id]')"
+
+  TMP_AVATAR_DIR="$(mktemp -d)"
+
+  local user_config=''
+  while read -r user_config; do
+    local field='' id='' email='' displayName='' firstName='' lastName='' avatar_file='' avatar_url='' gravatar_avatar='' weserv_avatar='' password=''
+    for field in 'id' 'email' 'displayName' 'firstName' 'lastName' 'avatar_file' 'avatar_url' 'gravatar_avatar' 'weserv_avatar' 'password'; do
+      declare "$field"="$(printf '%s' "$user_config" | jq --raw-output --arg field "$field" '.[$field]')"
+    done
+    printf -- '\n--- %s ---\n' "$id"
+
+    create_update_user "$id" "$email" "$displayName" "$firstName" "$lastName" "$avatar_file" "$avatar_url" "$gravatar_avatar" "$weserv_avatar"
+    redundant_users="$(printf '%s' "$redundant_users" | jq --compact-output --arg id "$id" '. - [$id]')"
+
+    if [[ "$password" != 'null' ]] && [[ "$password" != '""' ]]; then
+      "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$password"
+    fi
+
+    local redundant_user_groups=''
+    redundant_user_groups="$(get_user_details "$id" | jq '[ .data.user.groups[].displayName ]')"
+
+    local group=''
+    while read -r group; do
+      if [[ -n "$group" ]]; then
+        add_user_to_group "$id" "$group"
+        redundant_user_groups="$(printf '%s' "$redundant_user_groups" | jq --compact-output --arg group "$group" '. - [$group]')"
+      fi
+    done < <(printf '%s' "$user_config" | jq --raw-output '.groups | if . == null then "" else .[] end')
+
+    local user_group_name=''
+    while read -r user_group_name; do
+      if [[ "$DO_CLEANUP" == 'true' ]]; then
+        remove_user_from_group "$id" "$user_group_name"
+      else
+        printf '[WARNING] User "%s" is not declared as member of the "%s" group in the config files\n' "$id" "$user_group_name"
+      fi
+    done < <(printf '%s' "$redundant_user_groups" | jq --raw-output '.[]')
+    printf -- '--- %s ---\n' "$id"
+  done < <(jq --compact-output '.' -- "${user_config_files[@]}")
+
+  rm -r "$TMP_AVATAR_DIR"
+
+  printf -- '\n--- redundant users ---\n'
+  if [[ "$redundant_users" == '[]' ]]; then
+    printf 'There are no redundant users\n'
+  else
+    local id=''
+    while read -r id; do
+      if [[ "$DO_CLEANUP" == 'true' ]]; then
+        delete_user "$id"
+      else
+        printf '[WARNING] User "%s" is not declared in config files\n' "$id"
+      fi
+    done < <(printf '%s' "$redundant_users" | jq --raw-output '.[]')
+  fi
+  printf -- '--- redundant users ---\n'
+}
+
+main "$@"

apps/lldap/bootstrap/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./bootstrap-job.yaml
+  - ../../authelia/lldap.yaml
+  - ../../grafana/lldap.yaml
+
+configMapGenerator:
+  - name: bootstrap
+    options:
+      annotations:
+        kustomize.toolkit.fluxcd.io/substitute: disabled
+    files:
+      - bootstrap.sh
+
+secretGenerator:
+  - name: lldap-bootstrap-configs
+    files:
+      - user-configs.json
+      - group-configs.json

apps/lldap/bootstrap/user-configs.json

@@ -0,0 +1,8 @@
+{
+  "id": "dreaded_x",
+  "email": "tim@huizinga.dev",
+  "password": "JustATest",
+  "displayName": "Tim Huizinga",
+  "firstName": "Tim",
+  "lastName": "Huizinga"
+}

apps/lldap/deployment.yaml

@@ -1,11 +1,21 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
+  annotations:
+    lldap: https://github.com/nitnelave/lldap
+    k8s: https://github.com/Evantage-WS/lldap-kubernetes
   labels:
     app: lldap
   name: lldap
 spec:
   replicas: 2
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: ScheduleAnyway
+      labelSelector:
+        matchLabels:
+          type: dummy
   selector:
     matchLabels:
       app: lldap
@@ -13,16 +23,12 @@ spec:
     type: Recreate
   template:
     metadata:
+      annotations:
+        lldap: https://github.com/nitnelave/lldap
+        k8s: https://github.com/Evantage-WS/lldap-kubernetes
       labels:
         app: lldap
     spec:
-      topologySpreadConstraints:
-        - maxSkew: 1
-          topologyKey: kubernetes.io/hostname
-          whenUnsatisfiable: DoNotSchedule
-          labelSelector:
-            matchLabels:
-              app: lldap
       containers:
         - env:
             - name: GID
@@ -42,7 +48,7 @@ spec:
             - name: LLDAP_DATABASE_URL
               valueFrom:
                 secretKeyRef:
-                  name: postgres-app
+                  name: lldap-db-cluster-app
                   key: uri
             - name: TZ
               value: CET

apps/lldap/kustomization.yaml

@@ -3,8 +3,11 @@ kind: Kustomization
 namespace: lldap
 resources:
   - ./namespace.yaml
-  - ./secret-lldap-credentials.yaml
+  - ./secret.yaml
   - ./deployment.yaml
   - ./service.yaml
-  - ./ingress-route.yaml
-  - ../../../common/postgres
+  - ./ingress.yaml
+  - ./bootstrap
+
+components:
+  - ../../common/postgres

apps/lldap/secret.yaml

@@ -12,8 +12,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2025-03-06T23:49:59Z"
-    mac: ENC[AES256_GCM,data:ZOqHwRCaVup2NvSTgbE74T1tdCQl46pi3HSPCVGJBWpVTEdjjKs++X8g2EgXFPdJtOolhDrKYqx8EGpCeFXDdOvYolTfGNdTEMmddqeVAS9R/TBiga4HWM4cOu5utLSHgIFRVIrXvbcJzpR36zNy6qau9LStsaP4eXQ/U1Z+Ft8=,iv:j3aczsmvBge7i1AQZciVbSK6DU5wSkYamjpLhQYR5Zw=,tag:EZo+cThfGIiWkqGBA5JMow==,type:str]
+    lastmodified: "2024-11-15T00:11:50Z"
+    mac: ENC[AES256_GCM,data:OzLVKH3dUInlnYZQV0qRyZqMOIMVAp9FMHf5Dl2abRzYJo67dBLErGqoYGfwSK5G1R6VLrIK0M9ibY6rL2kSHXTk7esjj404YAEBZgkNc7GBCnqLwUTiLu+XDk4lu+vqErP6hriem8/DK0w0E9KQSBsxPzIWJSMfk3vGyr1d+2I=,iv:1MDGsCx021d4Ob82Rq89JieTmkFbX6wxT1+taXI6H7o=,tag:e8LmFvLmB+rJb8xQ+DTFtg==,type:str]
     pgp:
         - created_at: "2024-11-14T23:59:47Z"
           enc: |-
@@ -57,4 +57,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
     encrypted_regex: ^(data|stringData)$
-    version: 3.9.1
+    version: 3.9.0

apps/lldap/service.yaml

@@ -1,6 +1,9 @@
 apiVersion: v1
 kind: Service
 metadata:
+  annotations:
+    lldap: https://github.com/nitnelave/lldap
+    k8s: https://github.com/Evantage-WS/lldap-kubernetes
   name: lldap
 spec:
   ports:

apps/traefik-dashboard/ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik.${domain}`)
+      kind: Rule
+      middlewares:
+        - name: forwardauth-authelia
+          namespace: authelia
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls:
+    secretName: ${domain//./-}-tls

apps/traefik-dashboard/kustomization.yaml

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: traefik
 resources:
-  - ./default-headers.yaml
+  - ingress.yaml

apps/whoami.yaml

@@ -8,6 +8,13 @@ metadata:
 
 spec:
   replicas: 2
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          type: dummy
   selector:
     matchLabels:
       app: whoami
@@ -16,13 +23,6 @@ spec:
       labels:
         app: whoami
     spec:
-      topologySpreadConstraints:
-        - maxSkew: 1
-          topologyKey: kubernetes.io/hostname
-          whenUnsatisfiable: DoNotSchedule
-          labelSelector:
-            matchLabels:
-              app: whoami
       containers:
         - name: whoami
           image: traefik/whoami

clusters/titan.lan.huizinga.dev/alerts/alert-flux-infra.yaml

@@ -1,14 +0,0 @@
-apiVersion: notification.toolkit.fluxcd.io/v1beta3
-kind: Alert
-metadata:
-  name: flux-infra
-  namespace: flux-system
-spec:
-  providerRef:
-    name: flux-infra
-  eventSeverity: info
-  eventSources:
-    - kind: Kustomization
-      name: "*"
-      matchLabels:
-        alert: flux-infra

clusters/titan.lan.huizinga.dev/alerts/alert-telegram.yaml

@@ -1,12 +0,0 @@
-apiVersion: notification.toolkit.fluxcd.io/v1beta3
-kind: Alert
-metadata:
-  name: telegram
-  namespace: flux-system
-spec:
-  providerRef:
-    name: telegram
-  eventSeverity: error
-  eventSources:
-    - kind: Kustomization
-      name: "*"

clusters/titan.lan.huizinga.dev/alerts/provider-flux-infra.yaml

@@ -1,10 +0,0 @@
-apiVersion: notification.toolkit.fluxcd.io/v1beta3
-kind: Provider
-metadata:
-  name: flux-infra
-  namespace: flux-system
-spec:
-  type: gitea
-  address: https://git.huizinga.dev/dreaded_x/flux-infra
-  secretRef:
-    name: gitea

clusters/titan.lan.huizinga.dev/alerts/provider-telegram.yaml

@@ -1,11 +0,0 @@
-apiVersion: notification.toolkit.fluxcd.io/v1beta3
-kind: Provider
-metadata:
-  name: telegram
-  namespace: flux-system
-spec:
-  type: telegram
-  address: https://api.telegram.org
-  channel: "-4748034121"
-  secretRef:
-    name: telegram

clusters/titan.lan.huizinga.dev/alerts/secret-gitea.yaml

@@ -1,54 +0,0 @@
-apiVersion: v1
-stringData:
-    token: ENC[AES256_GCM,data:jn3t5g5fkCmqXf7JEfn7HBigY60nPh3AqYzZ9fkEuj2RjN6ieAfiOg==,iv:b28wHrtETq+p/jH52c3RKYzthh7+IQmvRhVzY/TlnfI=,tag:kr+vdWBGihYN6AklQLYeTw==,type:str]
-kind: Secret
-metadata:
-    name: gitea
-    namespace: flux-system
-sops:
-    lastmodified: "2025-04-22T12:14:43Z"
-    mac: ENC[AES256_GCM,data:fb5EyaUv2slDoSNLNJZZPg2ZXwUC5tbdG2vDZEle3PfCDAWxQmEJ36hMQ9RcE8Ec5jfj/Ia6VOP+VOpLSIlQHzGeG3raEW+I/NBTN04KazsDhgzOfAlhTi8COkmu0D5hv3TfFPkWVV/Uw2zIpOsqTv56IoIKyPun+ndt470TgGE=,iv:k754Ju4XGpUCCsdkgQxaE2LEJNEBkQ4lcDIRIqZJnbY=,tag:1t3X7id14qhOvAA9pRw+wQ==,type:str]
-    pgp:
-        - created_at: "2025-04-22T11:56:49Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA7pKPTYH5bqOARAAioWyCnKFGD/5XeH++ulmfannJcwuFbiJ+jyoYxbmbxZK
-            egOXaOg9jkw+FuKy+u/5QNFZAgL4Ju3dMOyeBuZXGAgchVoDuqFANj7sXMhUnBkc
-            BuKLs/ob5U2KUD2YU+fFQd4XZfOepPGZF9qNwl4wttUxhawzQ66G49j23B8bxe1E
-            0Isddm7SCzF0OJOogaJ1rh9ylfzwlBW0PaBhBaIlNs+PIUJW7URWouDJnWh+jBvE
-            qT8brYP7gb+Tl9lNihJdPLG32jiYhQxueIkm6BqSUQlU+yW/q8RUhp4+hLAaSOvC
-            vTx1qqhn9ipZWG+EgPatUtV2gW0U9jOPRAstC1/zUe6UljIuQAEDx844j1sfmKxl
-            1bPdl1790V2bDDvDX4zeRAR6N6lzNkfYd02ZvWVKkUr3dTCfn/dJ6LM39tfZNeh2
-            WKnIN/PoxPL2srD9QRQmVPBqoLJrBKs1v1jWBEfMdT75H8e4CHu69o0FCzxLi/Ty
-            /2Hz9zIyBlPsyUA6EHjmccnjE2dVkmgRcaQbhEaYMtM7pyECoCfixGdpgV+7iM6L
-            PnYVusFueMVX80HYoNl4/ZXf+1U5/aW3mnSgK8+4uX8m4/MqGi4tvYT/QdOUkEvS
-            kXSsfok5yBcYdoqUJl6N/gfP9Z9R6WqrCL4p98t2BiLpcu6TZnsP0ruJlRlzTjLU
-            ZgEJAhATXTi3So37vsc8TqTDXqkJjrwxk9k4cGfwd8PWFvuS+xzdKGA/vcU6jXCD
-            CQrTnQ2i6jZBi0L5FLunhG86BOSLs5GEhuO6PPjkyyJNbcX/Uh6hjzgwdElr14Qo
-            P7QnueJTiw==
-            =AMPG
-            -----END PGP MESSAGE-----
-          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
-        - created_at: "2025-04-22T11:56:49Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA51kG++kLewoAQ//b3JTskIOENHA1W8uE5jqsyxPDVMJuXQNoHe2u0264kS8
-            i2sC7SZa/Le98J9Gsl97CpA7xXVIcOWhma+6PTzrsaonn//nJyuh8YOfWAb/ZF4o
-            ijtd7etTLcA9Hb1iRUek5oD7tXWiGhl+ROR3xd7Al+nzQmTpvHju+HFWJboWA7RC
-            6PkusF1UAe39ZhZwxX2Hh8XdFfQdcrtFNIp7+TjMCO2Im54aBTRKLrz7aHlrjrgN
-            tie1RAdDwEqZ0Zoh3jezpkQW+9aKtkTtiG5BLmQYhVPUN5GTKMMwKoiYNMEdNUWx
-            s9SXiepDc9ZbdjiwGUig9pmuaKrPTSRh6kbmAWHyMKfwG4WZSgbh9gW0sU69rLdQ
-            onaGRkIS87If6AgE0dCxOgcNZEiUQE1Rj8Ie/XtR6ufKNUdSAsbJSoKIja4MQdKl
-            1BM2YJ5eD52e2J0XJJgLchW0nf7C+3Sil/wIRvU0k/lMniMHvXjWGfY5/v2TUF3Y
-            R3Ng6KsaaIRGW5pWzAA5vBDjOlDaPdWYvWd+ZZ96cd0ToxgMpEDLGOBAOhBZGP95
-            knqqsVTKswD3vy5h5bwevTxRdrPsmD+g26SbLZDYllRklNasGgfcf0CBydcftUHo
-            ePHC1ThKpC0Eb80fxLvAyyW+O8LjqjGWK+q7pVGE8eZ7B5XGQRSfzQRuNmc1aIjS
-            XAGtAlz0mJffgqHnOW++8CZjiUKWb5iSJuMqBcGPMuqz9nLBAP/n4/vw6nH4irAF
-            qL1fkj4yurE7yMmBjYEWi+I+D66g6xpKvEWTyDGeiiqUD8nZXGojT7bWz072
-            =zIA5
-            -----END PGP MESSAGE-----
-          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.1

clusters/titan.lan.huizinga.dev/alerts/secret-telegram.yaml

@@ -1,54 +0,0 @@
-apiVersion: v1
-stringData:
-    token: ENC[AES256_GCM,data:GgQ/uMKwKKxkEaqVlqH6RlhNTXE+9iM9C5seH0Vjsv/Rwb4aonM6Fy9lQUtiwg==,iv:xKKiRxMu0myMmT73XvUy69qt216TNbeJ4Y/0oUAK87s=,tag:ib0nLm2HkaB91vSllRPSWg==,type:str]
-kind: Secret
-metadata:
-    name: telegram
-    namespace: flux-system
-sops:
-    lastmodified: "2025-04-22T14:43:42Z"
-    mac: ENC[AES256_GCM,data:wiq7VPKe+PBXLbiL9VVJ0gjtAb0g0f5qJgZaDkFaeIn5KfXYauzX1MyoXxy0qSi5rBesKCmhhDhLHRW/SA7KJyaWO1GIdP9Obppm+l83zJ6FVn2XvDZQkP+IoEBCPUgooT4RBvvJUJJeA9BDuPV3ig43sYZM+47Vc/WFZrx1238=,iv:KqDkIbKqrv1087PQC10jNUfkeGvzaC9ZvwYwhLd3CcA=,tag:Tb6mKFaK3+3BmiuFfEXgQw==,type:str]
-    pgp:
-        - created_at: "2025-04-22T11:56:49Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA7pKPTYH5bqOARAAioWyCnKFGD/5XeH++ulmfannJcwuFbiJ+jyoYxbmbxZK
-            egOXaOg9jkw+FuKy+u/5QNFZAgL4Ju3dMOyeBuZXGAgchVoDuqFANj7sXMhUnBkc
-            BuKLs/ob5U2KUD2YU+fFQd4XZfOepPGZF9qNwl4wttUxhawzQ66G49j23B8bxe1E
-            0Isddm7SCzF0OJOogaJ1rh9ylfzwlBW0PaBhBaIlNs+PIUJW7URWouDJnWh+jBvE
-            qT8brYP7gb+Tl9lNihJdPLG32jiYhQxueIkm6BqSUQlU+yW/q8RUhp4+hLAaSOvC
-            vTx1qqhn9ipZWG+EgPatUtV2gW0U9jOPRAstC1/zUe6UljIuQAEDx844j1sfmKxl
-            1bPdl1790V2bDDvDX4zeRAR6N6lzNkfYd02ZvWVKkUr3dTCfn/dJ6LM39tfZNeh2
-            WKnIN/PoxPL2srD9QRQmVPBqoLJrBKs1v1jWBEfMdT75H8e4CHu69o0FCzxLi/Ty
-            /2Hz9zIyBlPsyUA6EHjmccnjE2dVkmgRcaQbhEaYMtM7pyECoCfixGdpgV+7iM6L
-            PnYVusFueMVX80HYoNl4/ZXf+1U5/aW3mnSgK8+4uX8m4/MqGi4tvYT/QdOUkEvS
-            kXSsfok5yBcYdoqUJl6N/gfP9Z9R6WqrCL4p98t2BiLpcu6TZnsP0ruJlRlzTjLU
-            ZgEJAhATXTi3So37vsc8TqTDXqkJjrwxk9k4cGfwd8PWFvuS+xzdKGA/vcU6jXCD
-            CQrTnQ2i6jZBi0L5FLunhG86BOSLs5GEhuO6PPjkyyJNbcX/Uh6hjzgwdElr14Qo
-            P7QnueJTiw==
-            =AMPG
-            -----END PGP MESSAGE-----
-          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
-        - created_at: "2025-04-22T11:56:49Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA51kG++kLewoAQ//b3JTskIOENHA1W8uE5jqsyxPDVMJuXQNoHe2u0264kS8
-            i2sC7SZa/Le98J9Gsl97CpA7xXVIcOWhma+6PTzrsaonn//nJyuh8YOfWAb/ZF4o
-            ijtd7etTLcA9Hb1iRUek5oD7tXWiGhl+ROR3xd7Al+nzQmTpvHju+HFWJboWA7RC
-            6PkusF1UAe39ZhZwxX2Hh8XdFfQdcrtFNIp7+TjMCO2Im54aBTRKLrz7aHlrjrgN
-            tie1RAdDwEqZ0Zoh3jezpkQW+9aKtkTtiG5BLmQYhVPUN5GTKMMwKoiYNMEdNUWx
-            s9SXiepDc9ZbdjiwGUig9pmuaKrPTSRh6kbmAWHyMKfwG4WZSgbh9gW0sU69rLdQ
-            onaGRkIS87If6AgE0dCxOgcNZEiUQE1Rj8Ie/XtR6ufKNUdSAsbJSoKIja4MQdKl
-            1BM2YJ5eD52e2J0XJJgLchW0nf7C+3Sil/wIRvU0k/lMniMHvXjWGfY5/v2TUF3Y
-            R3Ng6KsaaIRGW5pWzAA5vBDjOlDaPdWYvWd+ZZ96cd0ToxgMpEDLGOBAOhBZGP95
-            knqqsVTKswD3vy5h5bwevTxRdrPsmD+g26SbLZDYllRklNasGgfcf0CBydcftUHo
-            ePHC1ThKpC0Eb80fxLvAyyW+O8LjqjGWK+q7pVGE8eZ7B5XGQRSfzQRuNmc1aIjS
-            XAGtAlz0mJffgqHnOW++8CZjiUKWb5iSJuMqBcGPMuqz9nLBAP/n4/vw6nH4irAF
-            qL1fkj4yurE7yMmBjYEWi+I+D66g6xpKvEWTyDGeiiqUD8nZXGojT7bWz072
-            =zIA5
-            -----END PGP MESSAGE-----
-          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.1

clusters/titan.lan.huizinga.dev/apps.yaml

@@ -3,18 +3,9 @@ kind: Kustomization
 metadata:
   name: apps
   namespace: flux-system
-  labels:
-    alert: flux-infra
 spec:
   dependsOn:
-    - name: traefik
-    - name: authelia-controller
-    - name: lldap-controller
-    - name: cnpg
-    - name: dragonflydb
-    - name: rook-ceph-cluster
-    - name: akri
-    - name: lldap
+    - name: infra-configs
   decryption:
     provider: sops
     secretRef:
@@ -25,11 +16,11 @@ spec:
     kind: GitRepository
     name: flux-system
   postBuild:
-    substituteFrom:
-      - kind: ConfigMap
-        name: domain-vars
+    substitute:
+      domain: staging.huizinga.dev
+      # Specifically for authelia
+      subdomain: .staging
+      topdomain: huizinga.dev
   path: ./apps
   prune: true
   wait: true
-  # Uncomment this in case of disaster recovery
-  # suspend: true

clusters/titan.lan.huizinga.dev/apps/siranga.yaml

@@ -1,75 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
-metadata:
-  name: siranga
-  namespace: flux-system
-spec:
-  interval: 15m0s
-  url: oci://git.huizinga.dev/dreaded_x/siranga/manifests
-  ref:
-    tag: latest
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: siranga
-  namespace: flux-system
-spec:
-  interval: 15m
-  dependsOn:
-    - name: traefik
-    - name: letsencrypt
-    - name: lldap-controller
-    - name: authelia-controller
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: OCIRepository
-    name: siranga
-  wait: true
-  postBuild:
-    substituteFrom:
-      - kind: ConfigMap
-        name: domain-vars
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg
----
-apiVersion: notification.toolkit.fluxcd.io/v1
-kind: Receiver
-metadata:
-  name: siranga
-  namespace: flux-system
-spec:
-  type: generic
-  secretRef:
-    name: receiver
-  resources:
-    - apiVersion: source.toolkit.fluxcd.io/v1beta2
-      kind: OCIRepository
-      name: siranga
----
-apiVersion: notification.toolkit.fluxcd.io/v1beta3
-kind: Provider
-metadata:
-  name: siranga
-  namespace: flux-system
-spec:
-  type: gitea
-  address: https://git.huizinga.dev/dreaded_x/siranga
-  secretRef:
-    name: gitea
----
-apiVersion: notification.toolkit.fluxcd.io/v1beta3
-kind: Alert
-metadata:
-  name: siranga
-  namespace: flux-system
-spec:
-  providerRef:
-    name: siranga
-  eventSeverity: info
-  eventSources:
-    - kind: Kustomization
-      name: siranga

clusters/titan.lan.huizinga.dev/apps/test-app.yaml

@@ -1,30 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
-metadata:
-  name: test-app
-  namespace: flux-system
-spec:
-  interval: 1m0s
-  url: oci://git.huizinga.dev/dreaded_x/test-app/manifests
-  ref:
-    tag: latest
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: test-app
-  namespace: flux-system
-spec:
-  interval: 15m
-  dependsOn:
-    - name: traefik
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: OCIRepository
-    name: test-app
-  wait: true
-  postBuild:
-    substituteFrom:
-      - kind: ConfigMap
-        name: domain-vars

clusters/titan.lan.huizinga.dev/flux-system/config-map-domain-vars.yaml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: domain-vars
-  namespace: flux-system
-data:
-  domain: staging.huizinga.dev
-  # Specifically for authelia
-  subdomain: .staging
-  topdomain: huizinga.dev

clusters/titan.lan.huizinga.dev/flux-system/ingress.yaml

@@ -1,23 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: flux-webhook
-  namespace: flux-system
-  annotations:
-    traefik.ingress.kubernetes.io/router.entryPoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  ingressClassName: traefik
-  rules:
-    - host: flux.${domain}
-      http:
-        paths:
-          - backend:
-              service:
-                name: webhook-receiver
-                port:
-                  number: 80
-            path: /
-            pathType: Prefix
-  tls:
-    - secretName: ${domain//./-}-tls

clusters/titan.lan.huizinga.dev/flux-system/kustomization.yaml

@@ -1,11 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./gotk-components.yaml
-  - ./gotk-sync.yaml
-  - ./config-map-domain-vars.yaml
-  - ./ingress.yaml
-  - ./secret-receiver.yaml
-  - ./receiver.yaml
+  - gotk-components.yaml
+  - gotk-sync.yaml
 patches:
-  - path: patches.yaml
+  - path: sops-overlay.yaml

clusters/titan.lan.huizinga.dev/flux-system/receiver.yaml

@@ -1,16 +0,0 @@
-apiVersion: notification.toolkit.fluxcd.io/v1
-kind: Receiver
-metadata:
-  name: flux-infra
-  namespace: flux-system
-spec:
-  type: github
-  events:
-    - "ping"
-    - "push"
-  secretRef:
-    name: receiver
-  resources:
-    - apiVersion: source.toolkit.fluxcd.io/v1
-      kind: GitRepository
-      name: flux-system

clusters/titan.lan.huizinga.dev/flux-system/secret-receiver.yaml

@@ -1,54 +0,0 @@
-apiVersion: v1
-data:
-    token: ENC[AES256_GCM,data:Nd4t7LkkCe9pd/ilITlwZpmpF+oRmMfIbgbEiAzTK+OWUb4q37bBzGvhc3V70soS7XmpU13lJwo=,iv:qMoW9dsDauSEsw7GjuCSmsCy3k54jt5x/nngSdGiErg=,tag:ZTkP8IGT+DOJLfO+gIX2xg==,type:str]
-kind: Secret
-metadata:
-    name: receiver
-    namespace: flux-system
-sops:
-    lastmodified: "2025-04-23T17:01:23Z"
-    mac: ENC[AES256_GCM,data:blRYui9FBvet9nuOUEPaMLLzD6CvX7pDZQEtQV5jLfKqLWEBFXUA13zqTrxtH1slGOzif1xshGqjOgsxREvEdb4Y8uSfoWSPuhkPI4WuRESjyYsVHUlP0fOIdE/CNc/xT4wTxxsvZ46ShGCMZ/QN29XsQ04nwHaEsTmYMqtgsBM=,iv:Km0FIruKN+N0Hsat4QaTBCCAHMQz5IiYkTKG2IGILUI=,tag:A1v4kEs46vz2Cm9ZN5Qw1g==,type:str]
-    pgp:
-        - created_at: "2025-04-23T17:01:23Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA7pKPTYH5bqOARAAwZ69AwI2iTOboLpzZmW41EngGkhPKGghGFssiyfWbXqR
-            dtNG+wG371TF9nUMoLagJEqTUGRVX8xznG7R68QhVd85C1iswrNJjZ55nnJKf0IN
-            aRcLp3xsZuWPefOFadaJglRtgLnmCtPNur1TmPXR4V94ycOe1wBTSbvheTs73h6M
-            LBfRBruv2ttJsrcmI2az57KgOrIQnPu/z/NSEbc2GM3CU7/Z9ChWt+b5WEyv/7Sp
-            Sp0ohmC9HputBFGueC6Hw08+152C8yn3BpJhMhiWcCEryNiwKawf/n2UFJ8gk86/
-            5CkRX1CWRtz8nRIfmiwU5IBd5aMXhK684/1lTtdshHGEhSbaGA9N6lK70vdrfVl+
-            euaQkqyCy2sFkhz0EvcK+PTGxnueQ4UuO01l5yRG/ZUdjzYVh9fpx3RoMnJaBctx
-            l63LUG+xXSwR0xy4JIkrWyFDwIyGAebxbtQ8QUeLkmMzHyUx8tOL0qfKd8qkEFwg
-            eJWh0guYllSldgP5h7bJXOTej3ZrP9yC1WY3z2wHu+415/eCpwucFCu/A5QnJXnA
-            YLTE2CIwdDpj5XjjwQwmTNpBgfQ/csHJua40CURJbsYhk4HfqbHNdjEc5kkem/3L
-            PrtA/d59iwy3Vjkn1xmrcX+od3qXRFVDwMjaCleAXi3dnsfN619j8PrZh2bkUyHU
-            aAEJAhD1hSP/yZbfctLVNBCXT3HE8bLlAp82zYsqwx7UJWOhv4saodU1Zm13CWdk
-            nlbN8v3w5o19Xo85rt4YB091dGliTAAQ2CfvsCLRO4ZjO6N2F4KSCSTO0jLSJkce
-            hly9/ZsJAtXB
-            =GCZA
-            -----END PGP MESSAGE-----
-          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
-        - created_at: "2025-04-23T17:01:23Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA51kG++kLewoARAA5IO7TXG5xkv+mlSwFBDbldn5jPy9E1+HbZHp+4CmRquI
-            ONPEeDZgh3n+Fr87OMUKMKfgdEpjdE+l80rCmF7zgaVNqLscRcLJ17k14XfbpsrG
-            wsp5gsvymGh6sllUopetugvzd6gdxEianuhKU6DYJMM+X/nPTDsa5wHazRzPQxS/
-            8zp9tlPWt0HkZelBKXmLoYofZBakZOqZstQvhB0SSjC0BVpQN5WIfh1ES6uoBxhY
-            ddA0R34r1jwXWDE2UqD1Rx12H3TzUxdPGGw5rQKsEZSuEwxfxqjUAsn29ARR88qU
-            FlvSsy+FW7/6HeTcxwS1IMyZfNwRKQYLkzcwqf+OsrrjqTSBPCt8rcMoDVH3vxdf
-            wazu/vqoM1mwkUlogEF/M/SITEO9nJzrkAihAr6OJgfTJqi8RJffxoXQ8gAfan2J
-            wYMkcTxPNnskyZMUr2onotdnqdVSMgR2vwnsvIfSWUSx4eMpK8wO2xQm60hAXNHx
-            QCVcTz7sMDu6nD3xsvJs5D67YnkrLuqnuNeHQqSsREPv132kKIpEhAZop0MYk8ld
-            798jafK8xCzasbIZqDRzSqUUK/Z/J4EN8A4zRY5EtcbXdKHpKkUYuX/Sb7y2FAQR
-            JMV3uqLxJoz4mqUM0VJBt77Del5YQ5LeqE8aHMBDNtfjAdmK/2xg7BuGuromZYzS
-            XgFxwGfX791vSkUJ/z+7Nf3QmAKBXOuEYaYJbcZ5pFbKKdcfI8iEfL7utVQ59U2k
-            4BLB7aChrp8J795YQna+YgPybK5NR00FX6qLJiZAp56MdcvncJ8s42/epRWRusk=
-            =8ak0
-            -----END PGP MESSAGE-----
-          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.1

clusters/titan.lan.huizinga.dev/flux-system/sops-overlay.yaml

@@ -3,14 +3,8 @@ kind: Kustomization
 metadata:
   name: flux-system
   namespace: flux-system
-  labels:
-    alert: flux-infra
 spec:
   decryption:
     provider: sops
     secretRef:
       name: sops-gpg
-  postBuild:
-    substituteFrom:
-      - kind: ConfigMap
-        name: domain-vars

clusters/titan.lan.huizinga.dev/infra/kustomization.yaml

@@ -1,21 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - ./../../../infra/akri
-  - ./../../../infra/authelia
-  - ./../../../infra/cert-manager
-  - ./../../../infra/cnpg
-  - ./../../../infra/descheduler.yaml
-  - ./../../../infra/dragonflydb.yaml
-  - ./../../../infra/external-snapshotter.yaml
-  - ./../../../infra/intel-device-plugins.yaml
-  - ./../../../infra/kube-vip
-  - ./../../../infra/kyverno
-  - ./../../../infra/lldap
-  - ./../../../infra/loki
-  - ./../../../infra/node-feature-discovery
-  - ./../../../infra/rook-ceph
-  - ./../../../infra/topolvm
-  - ./../../../infra/traefik
-  - ./../../../infra/velero

clusters/titan.lan.huizinga.dev/infrastructure.yaml

@@ -0,0 +1,50 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-controllers
+  namespace: flux-system
+spec:
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./infrastructure/controllers
+  prune: true
+  wait: true
+  patches:
+    - patch: |
+        - op: add
+          path: /spec/values/service/spec/loadBalancerIP
+          value: 10.0.2.2
+      target:
+        kind: HelmRelease
+        name: traefik
+        namespace: traefik
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-configs
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: infra-controllers
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  interval: 1h
+  retryInterval: 1m
+  timeout: 5m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./infrastructure/configs
+  prune: true
+  wait: true

clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.app.enp2s0.yaml

@@ -1,19 +1,22 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
+  creationTimestamp: null
   labels:
-    app.kubernetes.io/name: kube-vip
-    app.kubernetes.io/version: v0.9.0
-  name: kube-vip
+    app.kubernetes.io/name: kube-vip-ds
+    app.kubernetes.io/version: v0.8.3
+  name: kube-vip-ds-enp2s0
+  namespace: kube-system
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: kube-vip
+      app.kubernetes.io/name: kube-vip-ds
   template:
     metadata:
+      creationTimestamp: null
       labels:
-        app.kubernetes.io/name: kube-vip
-        app.kubernetes.io/version: v0.9.0
+        app.kubernetes.io/name: kube-vip-ds
+        app.kubernetes.io/version: v0.8.3
     spec:
       affinity:
         nodeAffinity:
@@ -25,9 +28,8 @@ spec:
               - matchExpressions:
                   - key: node-role.kubernetes.io/control-plane
                     operator: Exists
-              - matchExpressions:
-                  - key: feature.node.kubernetes.io/network-adapter
-                    operator: Exists
+      nodeSelector:
+        vip_interface: enp2s0
       containers:
         - args:
             - manager
@@ -41,10 +43,8 @@ spec:
                 fieldRef:
                   fieldPath: spec.nodeName
             - name: vip_interface
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.annotations['feature.node.kubernetes.io/network-adapter']
-            - name: vip_subnet
+              value: enp2s0
+            - name: vip_cidr
               value: "32"
             - name: dns_mode
               value: first
@@ -72,9 +72,7 @@ spec:
               value: 10.0.2.1
             - name: prometheus_server
               value: :2112
-            - name: enableUPNP
-              value: "true"
-          image: ghcr.io/kube-vip/kube-vip:v0.9.0
+          image: ghcr.io/kube-vip/kube-vip:v0.8.3
           imagePullPolicy: IfNotPresent
           name: kube-vip
           resources: {}
@@ -83,8 +81,6 @@ spec:
               add:
                 - NET_ADMIN
                 - NET_RAW
-              drop:
-                - ALL
       hostNetwork: true
       serviceAccountName: kube-vip
       tolerations:

clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.app.enp3s0.yaml

@@ -0,0 +1,91 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/name: kube-vip-ds
+    app.kubernetes.io/version: v0.8.3
+  name: kube-vip-ds-enp3s0
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kube-vip-ds
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: kube-vip-ds
+        app.kubernetes.io/version: v0.8.3
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/master
+                    operator: Exists
+              - matchExpressions:
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: Exists
+      nodeSelector:
+        vip_interface: enp3s0
+      containers:
+        - args:
+            - manager
+          env:
+            - name: vip_arp
+              value: "true"
+            - name: port
+              value: "6443"
+            - name: vip_nodename
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: vip_interface
+              value: enp3s0
+            - name: vip_cidr
+              value: "32"
+            - name: dns_mode
+              value: first
+            - name: cp_enable
+              value: "true"
+            - name: cp_namespace
+              value: kube-system
+            - name: svc_enable
+              value: "true"
+            - name: svc_election
+              value: "true"
+            - name: svc_leasename
+              value: plndr-svcs-lock
+            - name: vip_leaderelection
+              value: "true"
+            - name: vip_leasename
+              value: plndr-cp-lock
+            - name: vip_leaseduration
+              value: "5"
+            - name: vip_renewdeadline
+              value: "3"
+            - name: vip_retryperiod
+              value: "1"
+            - name: address
+              value: 10.0.2.1
+            - name: prometheus_server
+              value: :2112
+          image: ghcr.io/kube-vip/kube-vip:v0.8.3
+          imagePullPolicy: IfNotPresent
+          name: kube-vip
+          resources: {}
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - NET_RAW
+      hostNetwork: true
+      serviceAccountName: kube-vip
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+  updateStrategy: {}

clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.config.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubevip
+  namespace: kube-system
+data:
+  # 10.0.2.1 is reserved for control plane
+  # 10.0.2.2 is reserved for traefik
+  range-global: 10.0.2.3-10.0.2.254

clusters/titan.lan.huizinga.dev/kube-vip/kube-vip.rbac.yaml

@@ -1,3 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-vip
+  namespace: kube-system
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -20,3 +26,16 @@ rules:
   - apiGroups: ["discovery.k8s.io"]
     resources: ["endpointslices"]
     verbs: ["list","get","watch", "update"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:kube-vip-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-vip-role
+subjects:
+- kind: ServiceAccount
+  name: kube-vip
+  namespace: kube-system

clusters/titan.lan.huizinga.dev/kube-vip/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - kube-vip.rbac.yaml
+  - kube-vip.app.enp3s0.yaml
+  - kube-vip.app.enp2s0.yaml
+  - https://raw.githubusercontent.com/kube-vip/kube-vip-cloud-provider/refs/tags/v0.0.10/manifest/kube-vip-cloud-controller.yaml
+  - kube-vip.config.yaml

common/dragonflydb/kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
 resources:
   - ./database.yaml

common/name-reference/helm-release.yaml

@@ -1,7 +0,0 @@
-# This makes sure the field in the HelmRelease is recognized as a ConfigMap
-nameReference:
-  - kind: ConfigMap
-    version: v1
-    fieldSpecs:
-      - path: spec/valuesFrom/name
-        kind: HelmRelease

common/postgres/b2-access-key.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: b2-access-key
+type: Opaque
+data:
+    ACCESS_KEY_ID: ENC[AES256_GCM,data:YpYkexRxH4mVyufrS/Blw3PSrU9H1eO3O6urN9tCZvYBenp7,iv:1ka5Otp0u4HJ5WC3yj+YJLAQC0Cy8Y2vWGqxLSaAGfM=,tag:8SKOcUoUuOWLm0Na2r7Hfw==,type:str]
+    ACCESS_SECRET_KEY: ENC[AES256_GCM,data:8Q2QsCpe/yiWmETVnIROJe0uiY7gMzQF4e8PiaF2vAgqkNq/oT8ku21bWCQ=,iv:635wzxp/XJ0zoxw9n63km38LdqDcebfU/ltLzN/bHPc=,tag:nGfKtpf8qzNyO3bDbbtn/A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-11-15T01:21:23Z"
+    mac: ENC[AES256_GCM,data:K8ATLj5nZfibvMPXR3ls7zXav0IVxSajyeFb/Qs/P3pPfHQ1p5ZRWaWTuNAFST04ynZ5BOcZyZCi9niMSZOGYBnDtOiJQAT1t3RxYS6j2X2HDX+nFTW6e4uDSOZMWk1poLP5lgBRvYxjsaco6X9F0hdvF7T7xvm7IHbHY7HAckg=,iv:C/bCoZKYy8gudmH8D/5R/MWlkC1ORlWZIvntjqt2dRk=,tag:yJsg7jj6p066CDzPXntOzA==,type:str]
+    pgp:
+        - created_at: "2024-10-10T22:08:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7pKPTYH5bqOAQ/+MJi/46q5TyjE0mqUfgmx90mYGchNQCvOHOdZJT2E2s2Z
+            DbqyrI5Bx+EauTl4eYhlMS9Xza/mL5I99GX/49FRpgvfmCwbM/aeOdq/CPWE771n
+            iylxE6uj0VVQGCazcO84Gg8CUxW3+dtNBbIUQYRxmQST6Pbg/lrmlXF5wDUfEueT
+            5FkfOZA7py3TyxUB4tcFA13e10CRFC1a7KHvfZm4ISs/1L97tsr0aZNgwCmHZodO
+            5fcm6poWtXEo16N/4XC8CI0z7unqNVRSgvpvVBHCvULkq4abznho2abkForNNkvv
+            GaN1Zcq8GIclVexMxaSC0M7BFfOdhmCDXuOdkKP/K1etL9UGGBdo7g5WJ7eqAiKN
+            Xs43VRijJsltIrTui/0s8zVIRzLfxTYGR2JtSnLuFaMGkKAijR34RsC9hXol+OB1
+            OAxGVzGfAR8wdgmShV9SPSOl3CtT6317YGuzjzkSbryJ2oYqR4zjV9jXgIEtuDZF
+            r6RITshhvata0w+e6tHSMYmnsF9YD4LbpGQmLm7r/A5ibBsE/2ZoUGBxNrb68YW1
+            vQmD2Ywv/Soe4f2Vj7vXJewrrJ1F0NPV/43sxl9lZB9JVMC6c8pMv7hndVq7dofn
+            dbqVXXeGd+Os/5X0P2yjlJYBjrMpFsg2tNi5dA5gUJ9uXqzNtSFx7ma9uJ4sX3zU
+            ZgEJAhDRzwccDHXa3D3+FBVJFbwN80G30Z6hS225mpIrBXqkElDH8hGs7KGkdIP5
+            O6CcZKt+j2R+40J0iJIcy1s211qgkzzDgtUaM1yAlVM8t3JpnykjhLp8mMzytOC1
+            rag4GdeG4Q==
+            =9TAG
+            -----END PGP MESSAGE-----
+          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+        - created_at: "2024-10-10T22:08:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoAQ//fPw1ZgguXCZSLBnl4J/d4IZok6l4TdnbySDOKTOnZUi0
+            xyDusr9kdrEdDb4nYUT3PBrxEC2DsKDIJJSwUgLTZB6moIJgHPa51qermyGgqhKU
+            c4vyYCMKAJyS6rOoU5fsPb+kJS52ltBLEmyO7JndM32CFmfyq4iwphNcheJE7qFW
+            xBmEtsJBPh4P1ysFQtG0DH8iroAYvsI4HLJw6+pdy/rI3zu3LDmiOnEidGz685BB
+            gbYj+bJV2gIBGdSWqsjuAJh37dfP9143Hwvz57raA+uqVPtaTaywGuEyDE7E8B7U
+            LdxATRKDdRp9+ytdn+UBeZQPYolKhv2bOgm4tzBq/VGmm/11nZbXyv69vgooOqnf
+            YYPg3VGnqpaGmxy94EFuLCWvD0ZO7rMQMOoz0vZRHGNYsye2tUOF/F6eIzhehh3+
+            AhGSrGDZa5HM41dLsTrNnb8YbzGKqljVJyWvORfIniW6RONIuFrz3/Pe4jjnM+Dm
+            Y8z033SmAm5JT2Jhc/tb9LvYbVQzfrUWImh9qcVGOU5RqvB13VOCaNHmt33crMjg
+            KFMhBJ5F3ftqe3JiK+6KOuS9g2wd3M5VM5qLHBLr7qTDb5q/JKsBIY7AcLsVyYNx
+            T3OynFuAkiYVTe4CuXCSrbVPXd9XkV/dDdQh+5ZR8nxo0/TkpnAwwGdh9hFsOtLS
+            XAEXagTFsM3Cl3T45ehYSPt6oyfx5dwKkQ8wxaqSWIkrvTla/ofOD9xemsBfYNku
+            b9vLFfbry8J+p5H9fEtS9/co4xYmajP/Mzq54JflEHqt/ej0MTxnNB5m+a45
+            =CFmy
+            -----END PGP MESSAGE-----
+          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.0

common/postgres/cluster.yaml

@@ -1,14 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: postgres
-spec:
-  instances: 2
-
-  storage:
-    size: 8Gi
-    storageClass: topolvm-provisioner
-
-  affinity:
-    topologyKey: kubernetes.io/hostname
-    podAntiAffinityType: required

common/postgres/database.yaml

@@ -0,0 +1,35 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: -db
+spec:
+  chart:
+    spec:
+      chart: cluster
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: cnpg
+        namespace: cnpg-system
+      version: 0.0.11
+  interval: 1m0s
+  values:
+    type: postgresql
+    mode: standalone
+    cluster:
+      instances: 2
+      affinity:
+        topologyKey: kubernetes.io/hostname
+        podAntiAffinityType: required
+      storage:
+        storageClass: piraeus-storage
+    backups:
+      enabled: true
+      provider: s3
+      endpointURL: https://s3.us-west-002.backblazeb2.com
+      s3:
+        bucket: titan-k3s-backup
+        path: /postgres
+      secret:
+        create: false
+        name: b2-access-key

common/postgres/kustomization.yaml

@@ -1,4 +1,7 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
 resources:
-  - ./cluster.yaml
+  - ./database.yaml
+  - ./b2-access-key.yaml
+replacements:
+  - path: replacement.yaml

common/postgres/replacement.yaml

@@ -0,0 +1,12 @@
+source:
+  kind: Namespace
+  fieldPath: metadata.name
+targets:
+  - select:
+      kind: HelmRelease
+      name: -db
+    fieldPaths:
+      - metadata.name
+    options:
+      delimiter: "-"
+      index: 0

infra/akri/akri.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: akri
-  namespace: flux-system
-  labels:
-    alert: flux-infra
-spec:
-  interval: 15m
-  path: ./infra/akri/akri
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  wait: true

infra/akri/akri/helm-release.yaml

@@ -1,18 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: akri
-spec:
-  chart:
-    spec:
-      chart: akri
-      reconcileStrategy: ChartVersion
-      sourceRef:
-        kind: HelmRepository
-        name: akri
-      version: 0.13.8
-  interval: 15m
-  timeout: 5m
-  valuesFrom:
-    - kind: ConfigMap
-      name: akri-values

infra/akri/akri/helm-repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: akri
-spec:
-  interval: 15m
-  timeout: 2m
-  url: https://project-akri.github.io/akri/

infra/akri/akri/kustomization.yaml

@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: akri
-resources:
-  - ./namespace.yaml
-  - ./helm-repository.yaml
-  - ./helm-release.yaml
-
-configurations:
-  - ../../../common/name-reference/helm-release.yaml
-
-configMapGenerator:
-  - name: akri-values
-    files:
-      - ./values.yaml

infra/akri/akri/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: akri

infra/akri/akri/values.yaml

@@ -1,3 +0,0 @@
-udev:
-  discovery:
-    enabled: true

infra/akri/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./akri.yaml

infra/authelia/authelia-controller.yaml

@@ -1,62 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
-metadata:
-  name: authelia-controller
-  namespace: flux-system
-spec:
-  interval: 15m0s
-  url: oci://git.huizinga.dev/dreaded_x/authelia-controller/manifests
-  ref:
-    tag: edge
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: authelia-controller
-  namespace: flux-system
-spec:
-  interval: 15m
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: OCIRepository
-    name: authelia-controller
-  wait: true
----
-apiVersion: notification.toolkit.fluxcd.io/v1
-kind: Receiver
-metadata:
-  name: authelia-controller
-  namespace: flux-system
-spec:
-  type: generic
-  secretRef:
-    name: receiver
-  resources:
-    - apiVersion: source.toolkit.fluxcd.io/v1beta2
-      kind: OCIRepository
-      name: authelia-controller
----
-apiVersion: notification.toolkit.fluxcd.io/v1beta3
-kind: Provider
-metadata:
-  name: authelia-controller
-  namespace: flux-system
-spec:
-  type: gitea
-  address: https://git.huizinga.dev/dreaded_x/authelia-controller
-  secretRef:
-    name: gitea
----
-apiVersion: notification.toolkit.fluxcd.io/v1beta3
-kind: Alert
-metadata:
-  name: authelia-controller
-  namespace: flux-system
-spec:
-  providerRef:
-    name: authelia-controller
-  eventSeverity: info
-  eventSources:
-    - kind: Kustomization
-      name: authelia-controller

infra/authelia/authelia.yaml

@@ -1,30 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: authelia
-  namespace: flux-system
-  labels:
-    alert: flux-infra
-spec:
-  interval: 15m
-  path: ./infra/authelia/authelia
-  dependsOn:
-    - name: traefik
-    - name: cnpg
-    - name: dragonflydb
-    - name: kyverno-policies
-    - name: lldap-controller
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  wait: true
-  postBuild:
-    substituteFrom:
-      - kind: ConfigMap
-        name: domain-vars
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg

infra/authelia/authelia/helm-release.yaml

@@ -1,17 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: authelia
-spec:
-  chart:
-    spec:
-      chart: authelia
-      reconcileStrategy: ChartVersion
-      sourceRef:
-        kind: HelmRepository
-        name: authelia
-      version: 0.9.16
-  interval: 15m
-  valuesFrom:
-    - kind: ConfigMap
-      name: authelia-values

infra/authelia/authelia/kustomization.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: authelia
-resources:
-  - ./namespace.yaml
-  - ./helm-repository.yaml
-  - ./helm-release.yaml
-  - ./service-user.yaml
-  - ../../../common/postgres
-  - ../../../common/dragonflydb
-
-configurations:
-  - ../../../common/name-reference/helm-release.yaml
-
-configMapGenerator:
-  - name: authelia-values
-    files:
-      - ./values.yaml

infra/authelia/authelia/service-user.yaml

@@ -1,5 +0,0 @@
-apiVersion: lldap.huizinga.dev/v1
-kind: ServiceUser
-metadata:
-  name: authelia
-spec: {}

infra/authelia/authelia/values.yaml

@@ -1,69 +0,0 @@
-pod:
-  kind: Deployment
-  replicas: 2
-ingress:
-  enabled: true
-  tls:
-    enabled: true
-    secret: ${domain//./-}-tls
-  traefikCRD:
-    enabled: true
-    entryPoints:
-      - websecure
-
-secret:
-  additionalSecrets:
-    postgres-app:
-      key: postgres-app
-    authelia-lldap-credentials:
-      key: authelia-lldap-credentials
-
-configMap:
-  log:
-    level: debug
-
-  authentication_backend:
-    ldap:
-      enabled: true
-      implementation: lldap
-      address: ldap://lldap.lldap.svc.cluster.local:3890
-      base_dn: dc=huizinga,dc=dev
-      additional_users_dn: ou=people
-      users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
-      additional_groups_dn: ou=groups
-      groups_filter: "(member={dn})"
-      attributes:
-        display_name: displayName
-        username: uid
-        group_name: cn
-        mail: mail
-      user: uid=authelia.authelia,ou=people,dc=huizinga,dc=dev
-      password:
-        secret_name: authelia-lldap-credentials
-        path: password
-
-  session:
-    cookies:
-      - subdomain: login${subdomain}
-        domain: ${topdomain}
-    redis:
-      enabled: true
-      host: dragonflydb.authelia
-
-  storage:
-    postgres:
-      enabled: true
-      address: tcp://postgres-rw.authelia:5432
-      database: app
-      username: app
-      password:
-        secret_name: postgres-app
-        path: password
-
-  notifier:
-    filesystem:
-      enabled: true
-
-  access_control:
-    secret:
-      existingSecret: authelia-acl

infra/authelia/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./authelia-controller.yaml
-  - ./authelia.yaml

infra/cert-manager/cert-manager.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cert-manager
-  namespace: flux-system
-  labels:
-    alert: flux-infra
-spec:
-  interval: 15m
-  path: ./infra/cert-manager/cert-manager
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  wait: true

infra/cert-manager/cert-manager/helm-release.yaml

@@ -1,18 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: cert-manager
-spec:
-  chart:
-    spec:
-      chart: cert-manager
-      reconcileStrategy: ChartVersion
-      sourceRef:
-        kind: HelmRepository
-        name: jetstack
-      version: v1.16.4
-  interval: 15m
-  timeout: 5m
-  valuesFrom:
-    - kind: ConfigMap
-      name: cert-manager-values

infra/cert-manager/cert-manager/helm-repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: jetstack
-spec:
-  interval: 15m
-  timeout: 2m
-  url: https://charts.jetstack.io

infra/cert-manager/cert-manager/kustomization.yaml

@@ -1,15 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: cert-manager
-resources:
-  - ./namespace.yaml
-  - ./helm-repository.yaml
-  - ./helm-release.yaml
-
-configurations:
-  - ../../../common/name-reference/helm-release.yaml
-
-configMapGenerator:
-  - name: cert-manager-values
-    files:
-      - ./values.yaml

infra/cert-manager/cert-manager/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager

infra/cert-manager/cert-manager/values.yaml

@@ -1,14 +0,0 @@
-installCRDs: true
-replicaCount: 2
-webhook:
-  replicaCount: 2
-cainjector:
-  replicaCount: 2
-extraArgs:
-  - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
-  - --dns01-recursive-nameservers-only
-podDnsPolicy: None
-podDnsConfig:
-  nameservers:
-    - "1.1.1.1"
-    - "9.9.9.9"

infra/cert-manager/kustomization.yaml

@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./cert-manager.yaml
-  - ./letsencrypt.yaml

infra/cert-manager/letsencrypt.yaml

@@ -1,22 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: letsencrypt
-  namespace: flux-system
-  labels:
-    alert: flux-infra
-spec:
-  interval: 15m
-  path: ./infra/cert-manager/letsencrypt
-  dependsOn:
-    - name: cert-manager
-  prune: true
-  timeout: 10m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  wait: true
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg

infra/cert-manager/letsencrypt/certificate-huizinga-dev.yaml

@@ -1,14 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: huizinga-dev
-  namespace: letsencrypt
-spec:
-  secretName: huizinga-dev-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  commonName: "huizinga.dev"
-  dnsNames:
-    - "huizinga.dev"
-    - "*.huizinga.dev"

infra/cert-manager/letsencrypt/certificate-staging-huizinga-dev.yaml

@@ -1,14 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: staging-huizinga-dev
-  namespace: letsencrypt
-spec:
-  secretName: staging-huizinga-dev-tls
-  issuerRef:
-    name: letsencrypt
-    kind: ClusterIssuer
-  commonName: "staging.huizinga.dev"
-  dnsNames:
-    - "staging.huizinga.dev"
-    - "*.staging.huizinga.dev"

infra/cert-manager/letsencrypt/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./namespace.yaml
-  - ./secret-cloudflare-token.yaml
-  - ./cluster-issuer.yaml
-  - ./certificate-staging-huizinga-dev.yaml
-  - ./certificate-huizinga-dev.yaml

infra/cert-manager/letsencrypt/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: letsencrypt

infra/cert-manager/letsencrypt/secret-cloudflare-token.yaml

@@ -1,60 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cloudflare-token
-  namespace: cert-manager
-type: Opaque
-stringData:
-  token: ENC[AES256_GCM,data:1QSjQJrky3AOQv9Bf8ifvfgeYCh3DvPtCWNLKEY/eEpzPsJKD7MYwQ==,iv:MbWKNj13K25TiP1MPfJMaM1P3Qpy3TE+dWnbF5Gpr3Y=,tag:IMRRhh2nwT40rjVDAgBhrw==,type:str]
-sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
-  age: []
-  lastmodified: "2025-02-15T21:32:18Z"
-  mac: ENC[AES256_GCM,data:hYqyrhnrwpvEcJGMIfjSpbIvQ3NHukCDhRB2Zf7vifKYqQyd0hSmh6aeDPdARwdoiybQIuW6pa3SXOY4V1LgOYx6U36HOsDBe5ENQyXV0z5RID+H/nfZmcqj2pfRE8zpfAUhpcilCT8TMJpJSlaAh5kFl/6Z1feekVJLkxPYg30=,iv:FpZ8rDrvNACc+mgR6JNXmTNFXJt6es896n4xkLKzN/s=,tag:JW/OZHNBD+MEiRnhih1/fg==,type:str]
-  pgp:
-    - created_at: "2024-09-26T22:20:01Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA7pKPTYH5bqOARAAl2y4yZJGsWORJ5jd2CopSW6yx8IsHqLKq3khYxHkPamu
-        gjItOM/Gqep1QCJr4kxTkO7P0MaYi7ZGinuhishYu4xy1mom8WzJs/rA2cjW1UbF
-        m8GoUGypaPtSsR1nQufgrO6JbIch3Tr498wBD7SvXIWTFpooalcERvVB3F4T4CeT
-        gXIk+vSjvXkCmx4jgAVhpj249HQOk9nyX35UzcjaSOzYm9/vfs3vFRq8FXNRkGff
-        +Ui/os4xTB4GiLgnvQ7t8FYTqvDfMVwgKI6VkOplpnP50mmTdKYRVe79Awvq1+/V
-        UkkSHxmw5Zqj7nv8MoKIlYk2g+14NLz57i4zs2vK3cNqDAqezub7r/LRDcm5Haqp
-        ZmI8B6VUNhveI7hKjm8ssMlOz6x3s7hvex6e+AWRqvbknusXXCiI9dhL73TXXmeZ
-        yceIlg5T67PY2ysbpfuToyg6ihbkMo0bM1m/lQpA94yRx6EKO75AHvBaGxgDggSr
-        Q8/DM3J729yqjHvXLL+2YGXVlRSpMlWb+AYi4YLmB/rsT2wBlPWE7m0c3/xQA3ld
-        5b/CW/2JOfXlwnooXEMFICr9ExFeiOv4RTnNahOTVscnIsi5jSlYPkhWwKm6ughy
-        oahJRi6wb6sJrleoPKRea+Pwh2qdEaQE/nFeBZeMMZxyLySQmkWoXJET7HQR3szU
-        aAEJAhBFZF84NkBuqmo+A7z055hz1tEJSnjO6eZ/+jvX9pPkrAv/CqW9C8UeG3vt
-        a6/XjnRVr38ZKAtNt3ebFwjzKZDLVyrANycnEp1PV7Pc8QvltJ88VS/wmWSP9Hj0
-        BA11vpb7XvkU
-        =XmSy
-        -----END PGP MESSAGE-----
-      fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
-    - created_at: "2024-09-26T22:20:01Z"
-      enc: |-
-        -----BEGIN PGP MESSAGE-----
-
-        hQIMA51kG++kLewoAQ/+M1BLbAVU8kVgx/atZnWwjZtjukEc8vOFw4n9tscq0Dm3
-        UzoOpbM1kaq5Hq8+e1mVFXMWLYgHnKjeSwBSiRCmZgFfvzPK63E5c6ZorKniTneZ
-        T7BJwxmtEF8JG+N9O2SHmto4cWZcrHvmWS5jJ5ybUFlMiFp6z7fPBuOzhKvTMBsc
-        IFHBBF0eMANUGwlpXuYJMTUECnFjvIxu/UXPMVBZ1HWHbIewYTRWXPQXeDxlJyk6
-        YgtGChBZ8KRYNqX1kBi5AyIdjWA9+wrMtTVTghC+1eBTOm8TsmN280KBmB512li1
-        HgexbmQkgItlJwyOV/7MTo19yzve72yYlqoIv3BSrwYfr0NDaQM0mhLAwcHC2R1R
-        IAOzajlHtgbr3XBW0BxWMC4Ch23CatZE4WJlu/CJ07+aMCsSV4L+da7wopt0A9dx
-        og0aPjUGq3MFmSet0kJKLJHS1JBSjf0LVnQjB5A451Wmndpoc2gZSpNtM4I2e2+7
-        xe6RUB6oYjRyB0t771UMQ3sQrSN3cn2c8yuijLep837yvNqpRBR4bbc2XJdZIOMw
-        sKEGIAMyJjCagQJa4c2YY0fksVSnhnYzjklfsx+PAvsW9EiWo26Vldp4zHYsVALD
-        7yKAWGupRTTB2mTXg9wvoKRkOY8A3Lb9aG+xnrf967nJt9nCV9hPXs959dVw9+jS
-        XgFCzdWtznuFA5wPJA3ko6lqLnE1HCIdgAo5ovQ4y3K9jkoVJsS2ADAnEy9Ac2uk
-        uds32S29PQ9o+ReAIQKvTzFNmKSLbcsK/z6rGLh0WdqmqWg6kVidWvktDQHY86E=
-        =cW8j
-        -----END PGP MESSAGE-----
-      fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
-  encrypted_regex: ^(data|stringData)$
-  version: 3.9.1

infra/cnpg/cnpg.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cnpg
-  namespace: flux-system
-  labels:
-    alert: flux-infra
-spec:
-  interval: 15m
-  path: ./infra/cnpg/cnpg
-  dependsOn:
-    - name: topolvm
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  wait: true

infra/cnpg/cnpg/helm-release.yaml

@@ -1,18 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: cnpg
-spec:
-  chart:
-    spec:
-      chart: cloudnative-pg
-      reconcileStrategy: ChartVersion
-      sourceRef:
-        kind: HelmRepository
-        name: cnpg
-      version: 0.22.0
-  interval: 15m
-  timeout: 5m
-  valuesFrom:
-    - kind: ConfigMap
-      name: cnpg-values

infra/cnpg/cnpg/helm-repository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: cnpg
-spec:
-  interval: 15m
-  timeout: 2m
-  url: https://cloudnative-pg.github.io/charts

infra/cnpg/cnpg/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: cnpg-system
-resources:
-  - ./namespace.yaml
-  - ./helm-repository.yaml
-  - ./helm-release.yaml
-configurations:
-  - ../../../common/name-reference/helm-release.yaml
-
-configMapGenerator:
-  - name: cnpg-values
-    files:
-      - ./values.yaml

infra/cnpg/cnpg/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cnpg-system

infra/cnpg/cnpg/values.yaml

@@ -1 +0,0 @@
-replicaCount: 2

infra/cnpg/kustomization.yaml

@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./cnpg.yaml

infra/descheduler.yaml

@@ -1,25 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: descheduler
-  namespace: flux-system
-spec:
-  interval: 15m0s
-  ref:
-    tag: v0.32.2
-  url: https://github.com/kubernetes-sigs/descheduler
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: descheduler
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./kubernetes/cronjob
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: descheduler
-  wait: true

infra/dragonflydb.yaml

@@ -1,28 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: dragonflydb
-  namespace: flux-system
-spec:
-  interval: 15m0s
-  ref:
-    tag: v1.1.8
-  url: https://github.com/dragonflydb/dragonfly-operator
-  ignore: |
-    /*
-    !/manifests/dragonfly-operator.yaml
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: dragonflydb
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./manifests
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: dragonflydb
-  wait: true

infra/external-snapshotter.yaml

@@ -1,28 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: external-snapshotter
-  namespace: flux-system
-spec:
-  interval: 15m0s
-  ref:
-    tag: v8.2.0
-  url: https://github.com/kubernetes-csi/external-snapshotter
-  ignore: |
-    /*
-    !/client/config/crd/*
-    !/deploy/kubernetes/snapshot-controller/*
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: external-snapshotter
-  namespace: flux-system
-spec:
-  interval: 15m
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: external-snapshotter
-  wait: true

infra/intel-device-plugins.yaml

@@ -1,48 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: intel-device-plugins
-  namespace: flux-system
-spec:
-  interval: 15m0s
-  ref:
-    tag: v0.32.0
-  url: https://github.com/intel/intel-device-plugins-for-kubernetes
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: intel-node-feature-rules
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./deployments/nfd/overlays/node-feature-rules
-  dependsOn:
-    - name: node-feature-discovery
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: intel-device-plugins
-  wait: true
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: intel-device-plugins
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: intel-gpu-plugin
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./deployments/gpu_plugin/overlays/nfd_labeled_nodes
-  targetNamespace: intel-device-plugins
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: intel-device-plugins
-  wait: true

infra/kube-vip/kube-vip.yaml

@@ -1,18 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: kube-vip
-  namespace: flux-system
-  labels:
-    alert: flux-infra
-spec:
-  interval: 15m
-  path: ./infra/kube-vip/kube-vip
-  dependsOn:
-    - name: kyverno-policies
-  prune: true
-  timeout: 2m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  wait: true

infra/kube-vip/kube-vip/cluster-role-binding.yaml

@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: system:kube-vip-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:kube-vip-role
-subjects:
-  - kind: ServiceAccount
-    name: kube-vip
-    namespace: kube-system