chore(deps): update helm release renovate to 46.58.*

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "docker/oxicloud/OxiCloud"]
+	path = docker/oxicloud/OxiCloud
+	url = git@github.com:DioCrafts/OxiCloud.git

docker/backrest/docker-compose.yml

@@ -0,0 +1,19 @@
+---
+services:
+  backrest:
+    image: garethgeorge/backrest:v1.11.2
+    container_name: backrest
+    hostname: backrest
+    volumes:
+      - ${DATA2BACKUP_DIR:-/mnt/zeruel}:/data2backup
+      - ${BACKREST_DATA_DIR:-/mnt/zeruel/nas1/shared/backrest/data}:/data
+      - ${BACKREST_CONFIG_DIR:-/mnt/zeruel/nas1/shared/backrest/config}:/config
+      - ${BACKREST_CACHE_DIR:-/mnt/zeruel/nas1/shared/backrest}:/cache
+    environment:
+      - BACKREST_DATA=/data
+      - BACKREST_CONFIG=/config/config.json
+      - XDG_CACHE_HOME=/cache
+      - TZ=Europe/Madrid
+    restart: unless-stopped
+    ports:
+      - "9898:9898"

docker/minecraft/docker-compose.yml

@@ -0,0 +1,39 @@
+---
+services:
+  mc:
+    image: itzg/minecraft-server:java23-graalvm
+    restart: unless-stopped
+    tty: true
+    stdin_open: true
+    ports:
+      - "25565:25565"
+    environment:
+      EULA: "TRUE"
+      MEMORY: ${MEMORY:-"6G"}
+      TZ: "Europe/Madrid"
+      VERSION: 1.21.1
+      ENABLE_ROLLING_LOGS: true
+      USE_AIKAR_FLAGS: true
+      MOTD: "Huesoperrers Minecraft Episodio 3: La venganza de los huesos"
+      MAX_PLAYERS: 10
+      MAX_WORLD_SIZE: 10000
+      SEED: huesoperrers3
+      MODE: survival
+      ONLINE_MODE: false
+      ALLOW_FLIGHT: true
+      SERVER_NAME: Huesoperrers and co.
+      PLAYER_IDLE_TIMEOUT: 15
+      STOP_SERVER_ANNOUNCE_DELAY: 30
+      OPS: ${OPS:-robosap1ens,commandkatt,Malva25}
+      SYNCHRONIZE: true
+      MERGE: true
+      ENFORCE_WHITELIST: true
+      ENABLE_RCON: false
+      MAX_TICK_TIME: -1
+      USER_API_PROVIDER: ${USER_API_PROVIDER:-playerdb}
+      DIFFICULTY: ${DIFFICULTY:-normal}
+      ENABLE_AUTOPAUSE: true
+      DEBUG_AUTOPAUSE: false
+      TYPE: NEOFORGE
+    volumes:
+      - ${MC_DATA_DIR:-/mnt/zeruel/nas1/shared/mc3}:/data

docker/oxicloud/OxiCloud

@@ -0,0 +1 @@
+Subproject commit cf9fe82b5f72f173d140321448ded789c604989a

docker/oxicloud/docker-compose.yml

@@ -0,0 +1,22 @@
+---
+services:
+  oxicloud:
+    image: git.roboces.dev/catalin/fukuops:oxicloud-0.5.2
+    restart: always
+    ports:
+      - "8086:8086"
+    environment:
+      OXICLOUD_DB_CONNECTION_STRING: ${OXICLOUD_DB_CONNECTION_STRING:-postgres://postgres:postgres@postgres/oxicloud}
+      OXICLOUD_OIDC_ENABLED: ${OXICLOUD_OIDC_ENABLED:-true}
+      OXICLOUD_OIDC_ISSUER_URL: ${OXICLOUD_OIDC_ISSUER_URL:-https://auth.fukurokuju.dev/application/o/ganymede/}
+      OXICLOUD_OIDC_CLIENT_ID: ${OXICLOUD_OIDC_CLIENT_ID}
+      OXICLOUD_OIDC_CLIENT_SECRET: ${OXICLOUD_OIDC_CLIENT_SECRET}
+      OXICLOUD_OIDC_REDIRECT_URI: ${OXICLOUD_OIDC_REDIRECT_URI:-https://cloud.roboces.dev/api/auth/oidc/callback}
+      OXICLOUD_OIDC_FRONTEND_URL: ${OXICLOUD_OIDC_FRONTEND_URL:-https://cloud.roboces.dev}
+      OXICLOUD_OIDC_ADMIN_GROUPS: ${OXICLOUD_OIDC_ADMIN_GROUPS:-""}
+      OXICLOUD_OIDC_SCOPES: ${OXICLOUD_OIDC_SCOPES:-offline_access openid profile email}
+      OXICLOUD_OIDC_PROVIDER_NAME: ${OXICLOUD_OIDC_PROVIDER_NAME:-Authentik}
+      OXICLOUD_OIDC_AUTO_PROVISION: ${OXICLOUD_OIDC_AUTO_PROVISION:-true}
+      RUST_LOG: debug
+    volumes:
+      - ${OXICLOUD_DATA_VOLUME:-/mnt/zeruel/nas1/shared/storage/data}:/app/storage

docker/oxicloud/sample.env

@@ -0,0 +1,10 @@
+OXICLOUD_DB_CONNECTION_STRING=
+OXICLOUD_OIDC_ENABLED=
+OXICLOUD_OIDC_ISSUER_URL=
+OXICLOUD_OIDC_CLIENT_ID=
+OXICLOUD_OIDC_CLIENT_SECRET=
+OXICLOUD_OIDC_REDIRECT_URI=
+OXICLOUD_OIDC_FRONTEND_URL=
+OXICLOUD_OIDC_ADMIN_GROUPS=""
+OXICLOUD_OIDC_PROVIDER_NAME=
+OXICLOUD_OIDC_SCOPES=offline_access openid profile email

docker/rustical/docker-compose.yml

@@ -2,6 +2,7 @@
 services:
   rustical:
     image: ghcr.io/lennart-k/rustical:0.12.9
+    restart: unless-stopped
     ports:
       - '4000:4000'
     volumes:

k8s/argo-apps/authentik.yaml

@@ -26,7 +26,7 @@ spec:
               timeout: 30
               from: auth@fukurokuju.dev
             postgresql:
-              host: psql15-postgres.apps-fuku.svc.cluster.local
+              host: 192.168.1.3
               port: 5432
               name: auth
               user: file:///authentik-creds/pg_username

k8s/argo-apps/kubetail.yaml

@@ -1,38 +0,0 @@
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kubetail
-  namespace: argocd
-spec:
-  destination:
-    name: ''
-    namespace: apps-fuku
-    server: https://kubernetes.default.svc
-  sources:
-    - chart: kubetail
-      repoURL: https://kubetail-org.github.io/helm-charts/
-      targetRevision: 0.18.0
-      helm:
-        valuesObject:
-          kubetail:
-            dashboard:
-              ingress:
-                enabled: true
-                className: traefik
-                tls: []
-                rules:
-                  - host: logs.fuku
-                    http:
-                      paths:
-                        - path: /
-                          pathType: Prefix
-                          backend:
-                            service:
-                              name: kubetail-dashboard
-                              port:
-                                number: 8080
-
-  project: fuku
-  syncPolicy:
-    automated: {}

k8s/argo-apps/psql.yaml

@@ -1,26 +0,0 @@
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: psql15
-  namespace: argocd
-spec:
-  destination:
-    namespace: apps-fuku
-    server: 'https://kubernetes.default.svc'
-  sources:
-    - chart: postgres
-      targetRevision: 1.3.6
-      repoURL: https://groundhog2k.github.io/helm-charts/
-      helm:
-        valuesObject:
-          service:
-            type: LoadBalancer
-          storage:
-            accessModes:
-              - ReadWriteMany
-            className: truenas-nfs-csi
-            requestedSize: 150Gi
-  project: fuku
-  syncPolicy:
-    automated: {}

k8s/argo-apps/pulse.yaml

@@ -1,43 +0,0 @@
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: pulse
-  namespace: argocd
-spec:
-  destination:
-    name: ''
-    namespace: apps-fuku
-    server: https://kubernetes.default.svc
-  project: fuku
-  syncPolicy:
-    automated: {}
-  sources:
-    - repoURL: https://rcourtman.github.io/Pulse
-      chart: pulse
-      targetRevision: 5.1.*
-      helm:
-        valuesObject:
-          persistence:
-            enabled: true
-            size: 10Gi
-            storageClass: truenas-nfs-csi
-            accessModes:
-              - ReadWriteMany
-          service:
-            type: LoadBalancer
-          ingress:
-            enabled: true
-            hosts:
-              - host: pulse.fukurokuju.dev
-                paths:
-                  - path: /
-                    pathType: Prefix
-            tls: []
-          monitoring:
-            serviceMonitor:
-              enabled: true
-
-    - path: k8s/services/pulse
-      repoURL: https://git.roboces.dev/catalin/fukuops.git
-      targetRevision: main

k8s/argo-apps/redis.yaml

@@ -1,32 +0,0 @@
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: redis
-  namespace: argocd
-spec:
-  destination:
-    name: ''
-    namespace: apps-fuku
-    server: https://kubernetes.default.svc
-  sources:
-    - chart: redis
-      repoURL: registry-1.docker.io/cloudpirates
-      targetRevision: "0.9.*"
-      helm:
-        valuesObject:
-          auth:
-            existingSecret: secrets-redis
-            existingSecretPasswordKey: redis-password
-          persistence:
-            storageClass: truenas-nfs-csi
-            size: 10Gi
-            accessMode: ReadWriteMany
-          service:
-            type: LoadBalancer
-    - repoURL: https://git.roboces.dev/catalin/fukuops.git
-      path: k8s/services/redis
-      targetRevision: main
-  project: fuku
-  syncPolicy:
-    automated: {}

k8s/argo-apps/renovate.yaml

@@ -13,7 +13,7 @@ spec:
   sources:
     - chart: renovate
       repoURL: https://docs.renovatebot.com/helm-charts
-      targetRevision: 46.57.*
+      targetRevision: 46.58.*
       helm:
         valuesObject:
           renovate:

k8s/argo-apps/vaultwarden-secrets-manager.yaml

@@ -0,0 +1,64 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vaultwarden-secrets-manager
+  namespace: argocd
+spec:
+  destination:
+    name: ''
+    namespace: apps-fuku
+    server: https://kubernetes.default.svc
+  sources:
+    - chart: vaultwarden-kubernetes-secrets
+      repoURL: ghcr.io/antoniolago/charts
+      targetRevision: 1.2.8
+      helm:
+        valuesObject:
+          api:
+            enabled: true
+            service:
+              type: LoadBalancer
+            persistence:
+              storageClass: truenas-nfs-csi
+          dashboard:
+            enabled: true
+            service:
+              type: LoadBalancer
+          ingress:
+            enabled: true
+            className: traefik
+            hosts:
+              - host: vault-secrets.fuku
+                paths:
+                  - path: /
+                    pathType: Prefix
+                    backend: dashboard
+                    port: 80
+                  - path: /api
+                    pathType: Prefix
+                    backend: api
+                    port: 8080
+          env:
+            config:
+              VAULTWARDEN__SERVERURL: "https://vault.roboces.dev"
+            secrets:
+              BW_CLIENTID:
+                secretName: "vaultwarden-kubernetes-secrets"
+                secretKey: "BW_CLIENTID"
+              BW_CLIENTSECRET:
+                secretName: "vaultwarden-kubernetes-secrets"
+                secretKey: "BW_CLIENTSECRET"
+              VAULTWARDEN__MASTERPASSWORD:
+                secretName: "vaultwarden-kubernetes-secrets"
+                secretKey: "VAULTWARDEN__MASTERPASSWORD"
+    - path: k8s/services/vaultwarden-kubernetes-secrets
+      repoURL: https://git.roboces.dev/catalin/fukuops.git
+      targetRevision: main
+  project: fuku
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

k8s/services/argo/project-fuku.yaml

@@ -33,3 +33,4 @@ spec:
         - https://vmware-tanzu.github.io/helm-charts/
         - https://helm.runix.net
         - https://rcourtman.github.io/Pulse
+        - ghcr.io/antoniolago/charts

k8s/services/forgejo/sealedsecrets.yaml

@@ -102,17 +102,15 @@ spec:
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
-  creationTimestamp: null
   name: gitea-ini-redis
   namespace: apps-roboces
 spec:
   encryptedData:
-    cache: AgAd4e8faLRBWaHzBxEF8VQbPQ1Kg6d4jfSwesrdJVijhmvE+ruGfbiwL0FXhn0XLfVAB1f99+Wvus93fOwfeh3RA95L1AZK/7+QntNHQe6LP2+ydZaPQfAOdkQBf+7ZQG04QiTqr3Ckkh3eNIvAyFMIrmaYf9qY5BwVMYrjg8iNi0jRgfgSBm5w3Dd3V0G3ry3yI4aawQN7pj9PuhA3pSqq3ynK4qXdf/6nEqvA5+7m/Ys0xWSOJwAgWHUVT2KLQ7rvI4y1TiCciWEpFvhIbwtE+bc+lOARJBBUCmRcDKOD5N3qXYX4846XUTTm3W8LhO7e9cIE0saPsPkS/qKkMgW51hh2r70hgTKi9/174I6tVYU4t208UScrNlF3AkGqHzXsisI8Yw28OApLrwxkFbh/y9zbci/KmQGpw2RZYdFeXuS1RGzGDDaiCwZIUONChchAPxb0PGpDZpGrW/MOAdJFj700YW+Abzihr0GV0bSnKHf/uYdXn+3+Oz2Uk35B+Vwc+tqKCHpSzoa4SRNlwGlQ71ysEKx6zUmcPEalqKnNHMmVOocRuQuxGnRasj62tNwZmg9hC/1IriMEJJkdEcymlo7pQqQ8YXmkKAUu3w69S5v9LKBG/DGzhxUagqhErM8KSMOjXmfoNIZEVE3ey9sUDtRZTnLgDj2rl9avAAnGo7+qF6etPNuKGFknK+xTegy3DwyzBEjXzgNaKhkBqvDS+Iggko+CEspBdUqerjIydU2dXwdiY2t+wm5gztDAimROvgouW5GqwUFK50s4tcSJjvsiw4OsOBZp6r/61lejlggk
+    cache: AgBfhhRVgy0VonwvXF+qqhh1x9+Z1e0o/OJCI11srR6XLVCf+SIBejOSYyoYChS8HYgBdIuqKNS7Un5bdws5NF1HC0gbf8/XRCfivocceoXVta2MugJxz7Y0+9Ro3RH9uEKi6KVqAyHcev1oOW0eqmkNqHust06+VKa5Bw8F4NHa/3a1Rl9b9xaMwrJLxVMKZMyAIl2/WISUovKFPTjPU1HK9ftEaXwzj5HG/s2jm/MjrrvcoA5z1OGUm02xjqyooUNM6gsuNy8LTXDQybeav+PxlQztcOfNaqipTUkHLjmGWiste/Yl6ik05Dkh7BKmL2czY0KPhxtNGcUq4e2oE+b6DKGcJpbuSVxZLSqTKhg6Jing1GwNyembfRE3nwsvYgj9nzit1SZoQXWnIuBjxlfWGjGJeaj6PmcG1YK4wvwFFqBKIhUGH6fhWjxDl7y1FPsxxGvFg9Fnvcjex34K4J6UmnGO3G2Dts/V4pgJTGx5lp6wpvYVtr7U9ENRTym8GM5oVZ3DT0lONKcfZXRH4EDcMHKMfJ/nDnpQWJC+lihcTRVeSznxu8I073hk6MMAZ8Ho5/28rOCOdJc2HI807ipe39BzTn4U+ows34uFG55GgaTdfbbeFwLjrcVc9ht1WaApkdj8Bnt9inmFPsI14Zwb4Ap/gSSO+ztwhnwrA2rWD7fko53INLJLUb4/49H1xRpMeqEkjoUb76zpdnazuF0ksqs1zhPOUTpnQniduotkwZZrtdU2WPRxVzHXTaZD6/1oTrmFBoBOLnkBPz1CXY/rxMoxHrFoS3zdUtLYWXKqVZy5
-    queue: AgC2LtW2jJPhh062ezMvWLLIAlyUNYO084VrSHsJ/K9UvZNVhFc6CnUrgcrvT/AIQflMYTm4RHKJgt4P5slzmKzHT/hc8RqB3L5FIhBsnmy/w55bXkrsohwcwzmw867a7bmnbAlyUglsAkKraMSpasTW4rOiMoCwXYKVtGcsDn1JLUj9Hp62BPXkQJ1Cr36lK/6Z4dHUwStVmq+wYAnm9sp1axnlwAqPgZ3mfqndKh9qZYjI2CIMuQ46HFDiwZGUSgspaVezMb7nkCk9CaoUTi1zHxsbCBMVv/abdvTPmZjqgXzR88EsAGTZMSpljc2ZB8zU9zwkkEBA5TPV4kVUNHTpDJirFvlofc7gST7CkCeoBhQ6P+vgokPa2AhcWeXVgR0PUoecpqpIqdFkAOluS7Gcu3GNu43IRzR6+9oHgbL/SHebQvK/hzVVq3yGAKaGmIXTLJS1wMm4k2KBqqaT1MpWFwO4YowRuKrOMXf634WzPsU3zOpkSbHEke6vvU2glDEdSwOGs1zPbO6Xzhqj5kTtDIiCs70mnxk1Zwve/1kYhBE/JZTi6QcQbG1uEDq8bsygj1qJZbGQMekUHQzIIfGTeOuXfoBch77MEMHu4h/2F+IC5O487FiPrQ64uBZ4I6gRM1PsiPxWnvmtNEXtLt+mMNp+l8Uuk5mvET5i0RpIH62/JYinhheDNgxwubXVEFuUClSzXomNt3GWy0KNAWsxouZEh0CQDfxmw4lTnjPcGegcZtrIqncDpe6/6gTIblOs7L41LEkOyOmBSHROQBeA11fVvE4Y
+    queue: AgC1CxaTdBFeP3M4x8TMJKK2QsWydXC/eAslML9T1yzl4ZStKioMh8QJKbhj6oY3KTLyqBHpLZSGFuhtX/y9Z4JvkFhihfsKtlYL8OrNvO3kxjzku5l3vR6tJ5vCQfIi27hUjVKHN4L/6DGsegbgBGIidCsN5kHRv4C5ToAw/EvxgbHIRILIo+KOBALT1kqKIF+Zdd4fQGbIExwclhFl5SgzumXPh+/j1NUZ1peYYFRnvr5G9aeKPpgJ2wK4eMPQ3ZyaAcRCtxdEhZUF1DF0ESBQ++Nr/gU4GMoron/wSr5cUFmNjSoUTJA3xJeEROyoSGaaH45mLDYH5QZdeA/av8e6vaiMIuWr/UgV7wONFKsJLf0q9Fcr726maJwGiMmIjeCwLq4k+ZI+N6S8/xNe2sTrRUmwjWtbL82ZmafvoUwv0lmxxXpmFqZmG/Zy/KCx9QSDaBJBCStoCgMZZ04HdnxnxFdFj2DMXyshVxH3wqEFAKY0oDfrnIBxzngOEXxu0APp7rlMvFq++HMJ7+JC+JBLG6zfNSfpQyuXEwfSkvowA1i9uhAQVb3D7nSS39xKF7oK8aYDVK4j9QL3w9qxOkYW7bHVd4zDgtiidKDAFWoloMnjPYQDwJojc/dc52+SxJGH8qpYJ8cn7BOy80cvmkwQ2ITGGPo9FXyvMttD0hUmFRouNb4t4PHdmKauuml6hcfF3dqLqrvBhJ0H7tKRJMCK+rHehIQt8VNPhp2JN7n5/KKt5vtMFDUDpc/BbHiDqg3qnICTMESzWZD752tOucW7TJAA89JU
-    session: AgAwlEuCZq+5T0AXDJ8PXllX5lzaiBK0nlZsMlvJQKl+FNgGhuZkqZhQQSPq53W9KlJbVkRr5KFAkLY0p0CznGoI2xPaxbZ3z6c/kVU1mBqmTOF8HJ2oKBhjRKaZhlwFARpbgrqYkZRS5syb6SwtNT48NPuTKwRgzu3xxwUBkfuyHxZX4IP7/9GtEAWK1nqYXU3rxLYbRq/utSuQYnOd3Uu3ZYjQZz0din0R8VTHp01STMHgGzbX08PEwz2JH/C4Q6CUC/GcXSgSajg0PJECbibGoGEJXTVT1HWucWH7B0CQSAMYzosqPZV3JwTN+4HESZ2H9YBRHbGWpp5KGBicT+rleQ36+jva6qWmwfcXXZgsYDUCx+kb8e+b7cBZhPHDf9w9ZEzXe2OUUoKZQBt5LbjTSRtt//PhWQy16mxi0996zGAWUwshVefWsbdSFZiKOI+lL/i0yVZUn3R/olmP7de9b4iapZ7TUzvovm7ZTFU+5SgCLRk125NJNoUXdrh7Y1Hym8xlMSnajHGDjuMxrwtAU/Nq7JN9WQr5XFSEdiuP38sLdQzHdXaht4lXJn5KUf8H55ie0JNVvspwtZ2fQGo/dJXBf9EMa6s6qW/Lf9O2JVU/0sSCAl/jz2tMI9VZ4scHzOlpscmKyBFcoGFb7JtYzkPTCQn7Hz7RlgUeLLir6D6+q3vLXrz+oMbwNChlENlBS1M1Ho1BKwZgBRj75nog3k5EOEi3ym6B/g3xc2YWnlZkL+ZM0TFuTFy2y36RMKb90744tAVXNXHaVz0i85ATJJ8Vs/OogMDN8yKHBPaqlZQ=
+    session: AgA+o9DsObwNhAaDpkgh7ZJ9Vx+xzjex+JG2k4yfv1EbLFDpdrSnKOl5BzEZyvydxoWG7Jtlhf/QoWKPUMBMgoRS+cMAH4R3C1FHxFbiEzh/olQBH2DyGnK5d+hAy3RmTC+Kgwgh4sdePWJ3KxwbaAa18tsju9fThQOBD+TOw5khZi2YUehDiviqCV3VGH+caJgDxAmXtut1mHaFLB4QXLzX9vPoULGmxGMARiMSrEqMruTRff17dZ3s0VPeu/s/Lau5yP7oPeMjhNw8P9W8QP/KnW28y0QETtXZyvmNQGCwxyVp7sHfDgo1slxWsgjDpep/jXiyfVeV8KL2AWE2pekGD0CVaCWPOV/MOrU+pe8xBrEcaXQMpWLT5d4/Unu8TLZ7RdEdgrOI8bOVrl9TO51itw0V7EorfeaKxB6j/flRMd8vU0i29+/UOTbEeRtxuHoyH4zy+v7h49b5ODN88z7f6uEp7diuS3WEHs30EHYtXRSMA6V6+H1aaUMEM0lWG6CXtccgAToqlw3k/+Mod8kVagPNQnJ6YB7BFqu74nHo/3lGKHT6+jRfLWUhbJ5teG0pLTutNN0jIqEUY4NfeLVtKhab5Nkxr6UFSUltQwO/dwVD2mqC80yXjf1Bhq07YGIV/M5DYf7oV1+z6UWoQwALcjCdZNgPkbyGqznfGsBpafJwv3MCmZwt50r8FH4ksb8P8lo28Eqepcf+vVL6C+tJGwm3F0CbawhU9mTLb0ksiYXrY3VYmYzUZVWHsosWI05bhQgN2g+B4+ANYX0SXtEc0/YbD8HusQvnoXWbj3CkQd0=
   template:
     metadata:
-      creationTimestamp: null
       name: gitea-ini-redis
       namespace: apps-roboces
     type: Opaque
@@ -120,15 +118,13 @@ spec:
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
-  creationTimestamp: null
   name: secrets-forgejo-db
   namespace: apps-roboces
 spec:
   encryptedData:
-    database: AgCPUgtry8Pctkfr+pQvJ8TQpj2YJ9TwUBaRXo7JP4MMsWOXazfVxd8A7sqnNicpmXJ5hx3OMwfxTFg3KcyGWGbTxTGkwJj0Lxwo92sDxhd59NORadlqQYOx19z8foQ+3HSdkhPAEAHzNq2IBgUcTPRZTKuAXyIsrSVbgaAEwWz8fCkwP/CEJvgC7xztQA0MzrPagH2hlbD4MZ0E7mBhrpo9YTQfvSEDQo0dNKsh/4xvXQoriayDtxoRq2mF8jc3f4f6wmbNWrGsdOv84KAXgLm7bzmffTwqCM1dTbuOCLtxvt1M5r39HQTAsBp1H5yWCFsx4paWyhdVh9t3sjDzEYZNYSLrga/bLJ2+CaQWaLpLJBC9u8r4ANHs+KqwdiMyo1RXqlJsfg1gn/udBpXelzpwtWIWIMtsvNrWxOBhOFsWCFnVvxJWwdcxLoe5wmH75OhbP6Ewl7SddL/4kyXqgZfQi1DsbK5VftWdo7aDEVrwTa4Jq4WF7TbTX9GwIxUQ6ahuBzq4De+vZ/jCV0rE7WtGBvxLHIXb6pX7sNsJFwGYvy63SIhWnQXadeTjLNdy3Tq9aK/HeQJsqXPOAAm/oc2udBkygWs2D77NM0wEcH0YU8i0wPS5ig6HxLQTrf0qLew3E8KOjNyetar1QHVl3iTqGQ0C4U5TgIke54eh8/X1Vgd11dgZBpRx8JsUWMe7Itm+819FB+0tMwWJqrmoFyCEBL7rLl+VAS+oabIXD/ruHJFc/blgtLRqatLtOTARqDsfVK9Bm0YpcsDjEbqAiRGHmOaK8Qp9ywle9sh+iVUG4ODFun2goVfgwYcsD62B7CUMb80ZYiY04dTmXjcIzYww+zGkjhqaIPmB/OHovw==
+    database: AgBouV3XhCd3Z66sDHDz0nbqbvAfip94yr9R90stLz2H/vJFGyx4xumE/9xe3b5GUd9aYQbTonhzHFl+zP3yoeTsGIGAbuvpeDimDKUIdnI6MJ2oGVHSn08QY/eu2vuj4nUODCeWPE7W5EFqxCxCq1YxZZpoBLzE3zBuIf8R48KAxs7aau8k4WPPSBxHgXuIeUWR/fNtQrA032f1wS5p6bae8403ro4aithq7J6DiOz69MXIQWwqufay+krsEEqIoE8CioQP993w+AUH1q2tk6O7WQLuzKt4T0mZm6F3cWyNbpCV9GT7q5LtejFn1NAwsmM4UG2toZfuWe9NgiSwyqNNUW7IjzfW/+CF3UfAtkgDfn7IAFu1Wg0yzufsnJuazFy2FiVDYNiHYS3Rq1iboKQl84svuq6oYdgvK6kf4IUfU2j02TgCyYc79/sLFqlbLOsZI07fAg/tDIzRkWQyG5P1HreIiDYZdgm50BgAzyEsvLjguKqPUl/c0LLwS6IxleN6RgcxfczCnaf3lezPXol37qCcyTqCqyiYlpI0i0Y45RTpLmTlyATVpzXCiir3IM0yEbK0ff2y2c7czTdoQSaIowAguUD3SamNY5y3530ZQDbZAXF0U4nDq7Pn59tfrlvvlsA8cSGjgyjwGJobGJUCsGWfOtKSbTNV0zd6EFHlqN5ilf15BSaWXU+6g/UbJKxjgk5aNpXH8LHuAQBVAxpRQR6CNlaz6kp87b5CEnLtPCE9nlQGYBXA9sqdvABGSTGdJzf5k57w7Q5LiTLwA6h8x8TCbkRgArl4r5RGEdtfBr3ZBCzKL+EHJGYGHas=
   template:
     metadata:
-      creationTimestamp: null
       name: secrets-forgejo-db
       namespace: apps-roboces
     type: Opaque

k8s/services/pulse/ds.yaml

@@ -1,105 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: pulse-agent
-  namespace: apps-fuku
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: pulse-agent-read
-rules:
-  - apiGroups: [""]
-    resources: ["nodes", "pods"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["apps"]
-    resources: ["deployments"]
-    verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: pulse-agent-read
-subjects:
-  - kind: ServiceAccount
-    name: pulse-agent
-    namespace: apps-fuku
-roleRef:
-  kind: ClusterRole
-  name: pulse-agent-read
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: pulse-agent
-  namespace: apps-fuku
-spec:
-  selector:
-    matchLabels:
-      app: pulse-agent
-  template:
-    metadata:
-      labels:
-        app: pulse-agent
-    spec:
-      serviceAccountName: pulse-agent
-      containers:
-        - name: pulse-agent
-          image: rcourtman/pulse:5.1.13
-          command: ["/opt/pulse/bin/pulse-agent-linux-amd64"]
-          args:
-            - --enable-kubernetes
-          env:
-            - name: PULSE_URL
-              value: "https://pulse.fukurokuju.dev"
-            - name: PULSE_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: pulse-agent-secrets
-                  key: PULSE_TOKEN
-            - name: PULSE_AGENT_ID
-              value: "k8s-cluster"
-            - name: PULSE_ENABLE_HOST
-              value: "true"
-            - name: HOST_PROC
-              value: "/host/proc"
-            - name: HOST_SYS
-              value: "/host/sys"
-            - name: HOST_ETC
-              value: "/host/etc"
-            - name: PULSE_KUBE_INCLUDE_ALL_PODS
-              value: "true"
-            - name: PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS
-              value: "true"
-          securityContext:
-            privileged: true
-          resources:
-            requests:
-              cpu: 50m
-              memory: 128Mi
-            limits:
-              memory: 512Mi
-          volumeMounts:
-            - name: host-proc
-              mountPath: /host/proc
-              readOnly: true
-            - name: host-sys
-              mountPath: /host/sys
-              readOnly: true
-            - name: host-root
-              mountPath: /host/root
-              readOnly: true
-      volumes:
-        - name: host-proc
-          hostPath:
-            path: /proc
-        - name: host-sys
-          hostPath:
-            path: /sys
-        - name: host-root
-          hostPath:
-            path: /
-      tolerations:
-        - operator: Exists

k8s/services/pulse/sealedsecrets.yaml

@@ -1,17 +0,0 @@
-# yamllint disable rule:line-length
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: pulse-agent-secrets
-  namespace: apps-fuku
-spec:
-  encryptedData:
-    PULSE_TOKEN: AgBBxrJ80IpJ0RvYKQuN6p3G8vIdSL9nESO9OTAR0NiMjSGZNbNEELKE/a1f2ixQUSsNc/k31c+7GlAi+8PmNC4c7rmRJTe+z3uO/BNNLYeTi7DsEk9/oJZTWn7iOcLogiZJQKxbGozCp/S8zrWisH67N2ZHmzz5UEJAzq57+fBEyAk22/WR0QMfW3oOYHGZFNR5AdAxrdfyRwTvSEOz4R2YlrQKRtOFVIPG/aEaAn42AGYfrq2cLVEiCygjE+8nZQ62TMmQqMiwiCjk5do9uRhhiRimuD78FrNnFU5dSwe/11ji5sSrEPjszPB8O0TBbsCssxfz48cKRm/6IdI9B5pKHYob68Ed8u5UgpRU/ZhUWJLyXuZF/Tgw+WcIsVkQXb3eqQTARBeZueugnA23lnzxh5gjR17wjPw7ePYaLiUWTYikOK5HvgpJyiuB0ev2cjGSqYeeAAn5ewCGM/NODXUAlFdC+N9S7ft1+chJrHoaXgHy8J9LWm/maKW99+yT08a68RvGGoZtFPZNlFjzurNF6EY9SLUFf0RLzShkyq6uuOzLm8gENyDIQ+Ru7wWEwyEcUz4ceAR5I78k0gCIDR1o4Ti22asdbRjMptZdOTbep+PWmu2K1oUvxXtXwgKkn8pvTkJpcdejqehnYPWfRAI3Guxi7LQDf++yShKS1NdXMdjhtFoNLa03xHM/G94sF3/mnJwivNhur1V7iC1yCY5NlruPr4KCd5AgOnKqoreRRvRbCVlFO1mtP6XV4sjqEIhmZyXWFJ76bwAC+hxSlFzL
-  template:
-    metadata:
-      creationTimestamp: null
-      name: pulse-agent-secrets
-      namespace: apps-fuku
-    type: Opaque

k8s/services/redis/sealedsecrets.yaml

@@ -1,17 +0,0 @@
-# yamllint disable rule:line-length
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: secrets-redis
-  namespace: apps-fuku
-spec:
-  encryptedData:
-    redis-password: AgBqJ2pqIbdtOtbGnmalrdzSEZYBDhkyhZNv3fEsgLmvZ55ehXreELEZGKcOCqgVKCQZnfLTA7X4vyR6oZVhSdvcJeULmHrmO7ynItoyowvmY5njE7jTWTsSKypCXJXS0u81TD8+sF0DCRrALo4fzCfyxHWg2x7qyVOllOfhaWpggFsqqn7fMLUdhumnW2C5bEj2x/8PkW4aLI86osjKlwDiMXTE6nULQ4Fx76zzjuhCDLN0RGG4xTqVzDcbt+F7cpULyTJ9Kvq53UPMMaCq0huIkU/JYmAHMUcXF2Q1HUdh/K/R0KYqhlEN7t9JPJgsi7s7IKpp0EFRHOfvkZAm5bAqG34q0p/1Hce+0ifOZsQYp4nmj/1uEGshXhWETSI7mAw/sEdG+uJvLP6Sz7KkaLXhV8tGHfyXqwNyo+jV6JqIsynOY5UZc8zN170nQXwM5KzQyIsNz1yjDFGBIC4y/gjwaDXioaMGVg+PRxFEUAahssdPPZ8ug3M8EaqqgPlHTye+LwHDVDJZAWmnYJ6ajYWGqeCx7pKw2+vhr8V4ToSyG3hsPEbREwVSO50fKOL/MelRC24Rrzv8uthtHjHniLt1DJzPkXJUAnMaV4UsJ21Ge5PQo7Op0G/RNSnka2LAt3I6CVbUb0UoBhSNPmDVD5/0pn5oM/PSd0oqszUsFdxoIOpCIt3ReZUD6eHOlcuK8H65nwsb7Cbyde8a8GTD9q7SoDo2IQ==
-  template:
-    metadata:
-      creationTimestamp: null
-      name: secrets-redis
-      namespace: apps-fuku
-    type: Opaque

k8s/services/valheim/sealedsecrets.yaml

@@ -1,16 +0,0 @@
-# yamllint disable rule:line-length
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: valheim-secrets
-  namespace: apps-fuku
-spec:
-  encryptedData:
-    server-password: AgBsm7Qg9ej7FtFh5twb4ALyL0I/fzVukURvFg17aweeDX7bM/9p/Yq7S2XG8gbqOYbC1GxknGMHQUnTXqXC9YZ4tZVUAptTCrAsPZHhHiet8bM39KCo2tGa5mCyC7lcmxae26cHuKj8Df6iMQCHL9ZH58A2SU8OIaszkonjwvSnbk6u7/HLCE8UyqP1JjXBMd4wx4BFDrhbauZr10f51tI55ksY+x44QQNrz84QEXmQ/dgwdzGAWqcPQTf57BebSI+ZKtUIvrMpNtz1ioqGnH3vWlb7QnqyqcyAYri3W3j8DB03EpfI2QjYi5Rs1NaJoO8L5HFdHW5p+rmttuwRxiEUPmURftH25o6Mgv/EcWGsB1TpyyFXM8JNU01lWJ+Wty316YF1BV3zHqdQeKu82R/wSv+iVm1dYKTfSOLe3YJr+aFnhYX3hCpBup1cB2KeOe/X9wTo2ETdvKhcIJPz8x7TRcXaCerVmVBw6LagmmdtMsCL4AIXw2gdkBeGONQmOzR1hDyTBAmpTv59WYzAJcCPZRE6gGxCPqH32G36E7WGEI4UOsjvT3GkVDnYx4FUDppzSP0ebnHZOwwAPFtXojHUaHg7ZTjZiuXDQa9Hkqt4mIOKa0i1HI0MyPu8eZJjoRXNS4j1yLfDCP2eSuhGjtVNbbyQthaITolitZ0VeUU8St1iKB7rvAGHqhBoPSw9TOBVSsBcHgIAV64oRqto4kM8
-  template:
-    metadata:
-      creationTimestamp: null
-      name: valheim-secrets
-      namespace: apps-fuku

k8s/services/vaultwarden-kubernetes-secrets/sealedsecrets.yaml

@@ -0,0 +1,17 @@
+# yamllint disable rule:line-length
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: vaultwarden-kubernetes-secrets
+  namespace: apps-fuku
+spec:
+  encryptedData:
+    BW_CLIENTID: AgB6UpzjiBqifwHwm4YfevKVQLTt/2JxrTdJ0O29i416TrvPvYlrofG6ihWQDIr7zAROq5RE1YI1mFdczzcHTccMV+/rPPBTY04rdkoypc17/+P5eVLO03dcSldhbcgiMJQYgji+U59SFebPxxPI9gn6GmOss368Wqgdffu/d7V6RtvBNN+qgIu1FjS26FYxKRKi/mEjPmF6GCkkWRHkkpimdjKalVkuQXiu04cwDTSRYNmgePv5ihem/5tP7ZqgQCFpYafpia6CnQwhHNoPP4Dq+cV5VVPw7AfVdm28HgFLiZhiUWXoGiiFvTZcDwViG4T80gqxtfN/2ur94V7zc/PTGXSsVWBJYM93/jf3zcK7h5wag0nXeYm7nD+NT1JM/2NZguqLVl3iX4qE+f0C83dPTUrBv8+9H3aw0YLI/zgnT8Fdg6VAdbGrXMXrTEqm2IChRZ65/WIgwaRWIH+ETsWPFqUj3mH9Cx8NkNNSRfTqmZS28VEfcCzutSgTJ4zs2VwTYDBBD1QQSMrhUSLrCihWLK3ZTjVTEwAaoUObnaFrYpNBGVZQne9zzWO38/y4NQ2D1Q1YTx0cBP8qcKit9v1GFmOcNDsVG1WCFkZh0qz4j37SOBH0J00sG1lwGvkb05pOjcGVUexjzvHloUjSauFypW+2XQqnVshMbNgKgZYZmZmWbHf8nyq7+wssivbjB5qX5foiCN/Qp2WtIG92k08ZU1+hTq/w/GX8DI/UsbSLU7p/0vpAKMDBuw==
+    BW_CLIENTSECRET: AgBfsr/ECO+lxSojrp1Ailv7SOYMqtGzmQCmXI3g7+K0W+RT7dOHuZOk7VlvYG5l4qVjriXhMo1xGcGYf8WeAebx+OWTs9Y9sRQ7eGnQW/KD7ihV3vCy2+jEdWZas9wEN1coUUt7Lbg09jz+nrt8Di2xFigJWSjuWejyAwmnRC0O0gLSudidf2x1aTeclid1tFvubbKbYUrLbTCLPW1bDuDs8BseRX6sF8/CVR1ZKWbcADUYvP7Amygc4WMElRREMQJjKBiPYNA4OuepvpQDlNVz/wq499XJAnFMDP8BhKxYalwOqTYzWQT0DA4mwBokMnpRE0VJ3erAAKQwzDHqO8pFE5bqhgzjwTWryH0ZmRF96JVLxx5IMetb8jYEPAHA/ymz9GmSUyVDXDRoeyH2xM4vuD/6A2JXc6kgcpfRx+5UJUybajO7urvHBCS/5X5cEiEOyEtqPMqkRdv2LgN1wXMEU88eK2NqpVX7zhLIJgoMusdHtkDmSlS+pFIb3GwGQRmn5khj5xkyQKweMoPvC5Pq+T/F5/2NziJGRj56HYvaiOPfyfzetaw7Zh3I+umMfZ6mtKD7ntYB1EYaqIMhTlAQv8DxS98t19LOke3h5QKcX6SdKeAqAvlqxuYZ5rweNtZsDevtnaFdmDzbve6xbZrtNwAurpZMYC/7tetyH+jFHrcFjDCuMMLdD5t4d8NW50nks71Pofe6KO/8lkzNOjiQwBIUfG+8Y6bAmPiBBr0=
+    VAULTWARDEN__MASTERPASSWORD: AgBlRRDUcWw8Kq8IJ/dBk1RQwA6jg4VtpDTzU9eRtkdZfBoEI+KnQt2QHtGv7ZMmyCHztRAoJcEWyoN25RMdG4dQQN40IOPBiv7D8e036nQv7rQqZWE7mPPs9veskS+8sE+h3HFlwIEytn4721nHw4DNl2Uwbtgo1rTRRyJ3Px2UoCfnCU1xVtimWhj7uLjf2kPkSvWRUFZFfzSkuMWtiAPDxspk7q8CTktdiUHV6ZsuuIcZfJ1mHkuredVGYpOcrKLJcwGE7Auzn382lILNwkSuiZjt0T+O5A0c406SPVGU/ovofbRgdUQmmIbS+q6y17HMDkwLutdmIyJgqMEPJXR0KfebjzdtaNdSbmL68QsdECqCbQm6Az3uMEOJ8TVm9rH5yfZZoXLMVjzHgwtQbV9vBb0ubMUKdqJahD0zUQ/1FqDtYHt9OBv8bLh8SXiTKNxz2GByHjcGFUNZhZac1eTqmtYxxUhk4KNFsqx7FvJNUi0VTfINvHAd9Tjlrd0vQbST3VgdiIEHcuxW5HShdSnl8o5WXKmEtlecMqB3Y/C6IIPF+CZ6HoMgfE59G2dchnNccSwdZRa0n6OWt3BWJi7fuhrBXvTBpa5Zxrqh6o1VX3k5wXDgBRN7a8pZawhuCXbcBcrhcs+wDm7YlK3Gj3F01dIOGc7qMpdMWUHcUxCikC9Wlnp5b+OKB2huiHWr2p8v0IeOu8MfC65GEkx/dInxW1CkitHsGVA=
+  template:
+    metadata:
+      name: vaultwarden-kubernetes-secrets
+      namespace: apps-fuku
+    type: Opaque

tofu/authentik/main.tf

@@ -37,22 +37,6 @@ resource "authentik_group" "arrs" {
   is_superuser = false
 }
 
-resource "authentik_group" "vpn" {
-  name         = "vpn"
-  is_superuser = false
-}
-
-resource "authentik_group" "ftp" {
-  name         = "ftp"
-  is_superuser = false
-}
-
-resource "authentik_group" "mediamanager" {
-  name         = "mediamanager"
-  is_superuser = false
-}
-
-
 module "gitea" {
   source              = "../modules/authentik-oidc"
   app_name            = "Gitea"
@@ -181,30 +165,6 @@ module "prowlarr" {
   internal_host_ssl_validation = false
 }
 
-module "sftpgo" {
-  source              = "../modules/authentik-oidc"
-  app_name            = "SFTPGo"
-  app_slug            = "SFTPGo"
-  client_id           = var.sftpgo_client_id
-  client_secret       = var.sftpgo_client_secret
-  client_type         = "confidential"
-  app_access_group_id = authentik_group.ftp.id
-  redirect_uris = [
-    {
-      matching_mode = "regex",
-      url           = "https://ftp.fukurokuju.dev/.*"
-    }
-  ]
-  extra_property_mappings = [
-
-  ]
-  app_icon              = "https://ftp.fukurokuju.dev/static/img/logo.png"
-  access_token_validity = "days=10"
-  app_url               = "https://ftp.fukurokuju.dev"
-  app_description       = "SFTPGo"
-  sub_mode              = "user_username"
-}
-
 module "rustical" {
   source              = "../modules/authentik-oidc"
   app_name            = "rustical"
@@ -272,3 +232,17 @@ module "pulse" {
   redirect_uris       = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }]
   app_access_group_id = authentik_group.admins.id
 }
+
+module "cloud" {
+  source        = "../modules/authentik-oidc"
+  app_name      = "Cloud"
+  app_slug      = "cloud"
+  app_url       = "https://cloud.roboces.dev"
+  client_id     = var.oxicloud_client_id
+  client_secret = var.oxicloud_client_secret
+  app_icon      = "https://cloud.roboces.dev/themes/opencloud/assets/favicon.svg"
+  redirect_uris = [{
+    matching_mode = "strict", url = "https://cloud.roboces.dev/api/auth/oidc/callback"
+  }]
+  app_access_group_id = ""
+}

tofu/authentik/sample.env

@@ -18,3 +18,5 @@ TF_VAR_ganymede_client_id=
 TF_VAR_ganymede_client_secret=
 TF_VAR_pulse_client_id=
 TF_VAR_pulse_client_secret=
+TF_VAR_oxicloud_client_id=aef61f77326b813cf8d8ba71d1ac994b5642685ca37e4710ab0079e91d87702d55fd9775d473b05aff45603bf08e78dba26850af3a815f3c3ac171d163368aa0
+TF_VAR_oxicloud_client_secret=a4038df17c9fd06f86372aeaaae8f3fd1374d8978983af7b398d948ef15d1efe522a1faa2fc7652bc410c516d96cd2e4211dad4e05ba6297bdd8d9090460d5fc

tofu/authentik/vars.tf

@@ -88,3 +88,13 @@ variable "pulse_client_secret" {
   description = "Pulse client secret"
   type        = string
 }
+
+variable "oxicloud_client_id" {
+  description = "Oxicloud client ID"
+  type        = string
+}
+
+variable "oxicloud_client_secret" {
+  description = "Oxicloud client secret"
+  type        = string
+}