feat: add linkwarden

coder/.gitignore

@@ -0,0 +1 @@
+charts/

coder/config/secrets.enc.yml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: coder-secrets
+type: Opaque
+stringData:
+    OIDC_CLIENT_ID: ENC[AES256_GCM,data:4KD0RPoRdY23wwkwqoXFloAl3VHQsaVJq46psw/tybCic+g6,iv:LQuY/nTVbD8J62Ia4QNRPQq+mP2BX5cOufIOpaqdjHk=,tag:2hB0sZ6fG/Mdi/Mxi123yw==,type:str]
+    OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:8F2gjA8bMyh+g/MPppOtO8pGSvvjoNse2jPAYcH2vyfXNRNR2hn3OF56OkqAQUDgKh3mOMMIlOA=,iv:MSpf7TueXeJ9bJ9gMJAR7m97sbe/GG0GhIsDKOS8U5g=,tag:dJwpuxdG2tjEGSkoynstrg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNllWNkJSdm8rblRWQWY0
+            U05Bdkw4OUlhTmZTY2VPOXp3UStKMTZpTGpRCmlxRVFlREtuSG85Zk4vb2lIZm1H
+            SG9hTjc5bmppS0ZWNDVkajBHY2FlcnMKLS0tIGVPQTVHTktPbGVORys4Vk9pdEZp
+            ZnhvczRaK09YL0crK0hwYUllZXErSk0K23F5ItL9qHYbuNVuWGzpgaXMN5LNwc+n
+            LAtAoDwhsNhxNFTU+164rtjwHQ+NMp/xNIHiWMeOBz8zSkqCDAhxJg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaU5ldHg2RjVqdUQxMysv
+            d05jaEFsMXF6QXNlZ2I0SjhGb2pEeHl2WXh3CmtZcG1WZXY3SnBBTTU2cFh6Z1Vo
+            RGd1OGt1cUhXc2VoUmJJaHJhRlQ1QVUKLS0tIEhscmZWU3Y2UFI2UVorbXVoQ2Yz
+            VElCdDBrcEt0amlJUmlldENtSjYyczQK8BueJyu/9pJSqa3eYT/bW705O+Wzd6OF
+            +COLZ8HmD6RFy6K+1uqRqy8ETfSqsaNC06ZdBtH3VKNPOk0ayAuWeg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-21T13:40:45Z"
+    mac: ENC[AES256_GCM,data:nxoSscCX6drScTysPpdPCwNBpJ7IFjIHEDsoVtsMaC2XufxBHNs5iZLv0vc/QfPK4xTRuEjWxhpFq/XiqTkcArpj/19PopKawa9JAKwSjK+9h83rvhK2r0j8QUmKpx9CfRS4uR2e/u2SCLyGtoAFsZD/nwQYFh3o3y0GfpCz3FE=,iv:V/j4zOf2D9SFSJsr7v8/IM8Sor+pJDL520vXSQUwW6w=,tag:lvNKkyw51qVM/j0WB987JA==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

coder/config/values.coder.yml

@@ -0,0 +1,63 @@
+---
+coder:
+  ingress:
+    enable: true
+    host: ide.icb4dc0.de
+    wildcardHost: "*.ide.icb4dc0.de"
+    annotations:
+      gethomepage.dev/description: Remote IDE
+      gethomepage.dev/enabled: "true"
+      gethomepage.dev/group: Apps
+      gethomepage.dev/icon: coder.png
+      gethomepage.dev/name: Coder
+  env:
+    - name: CODER_WILDCARD_ACCESS_URL
+      value: '*.ide.icb4dc0.de'
+    - name: CODER_ACCESS_URL
+      value: "https://ide.icb4dc0.de"
+    - name: CODER_PG_CONNECTION_URL
+      valueFrom:
+        secretKeyRef:
+          name: default-cluster-pguser-coder
+          key: uri
+    - name: CODER_DISABLE_PASSWORD_AUTH
+      value: "true"
+    - name: CODER_OIDC_ISSUER_URL
+      value: "https://code.icb4dc0.de/"
+    - name: CODER_OIDC_SIGN_IN_TEXT
+      value: "Sign in with Gitea"
+    - name: CODER_OIDC_ICON_URL
+      value: https://gitea.io/images/gitea.png
+    - name: CODER_OIDC_CLIENT_ID
+      valueFrom:
+        secretKeyRef:
+          name: coder-secrets
+          key: OIDC_CLIENT_ID
+    - name: CODER_OIDC_CLIENT_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: coder-secrets
+          key: OIDC_CLIENT_SECRET
+    - name: CODER_GITAUTH_0_ID
+      value: primary-forgejo
+    - name: CODER_GITAUTH_0_TYPE
+      value: gitlab
+    - name: CODER_GITAUTH_0_AUTH_URL
+      value: https://code.icb4dc0.de/login/oauth/authorize
+    - name: CODER_GITAUTH_0_TOKEN_URL
+      value: https://code.icb4dc0.de/login/oauth/access_token
+    - name: CODER_GITAUTH_0_VALIDATE_URL
+      value: https://code.icb4dc0.de/login/oauth/userinfo
+    - name: CODER_GITAUTH_0_CLIENT_ID
+      valueFrom:
+        secretKeyRef:
+          name: coder-secrets
+          key: OIDC_CLIENT_ID
+    - name: CODER_GITAUTH_0_CLIENT_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: coder-secrets
+          key: OIDC_CLIENT_SECRET
+
+  service:
+    type: ClusterIP

coder/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: coder
+
+resources:
+  - "resources/namespace.yaml"
+
+helmCharts:
+  - name: coder
+    repo: https://helm.coder.com/v2
+    releaseName: coder
+    namespace: coder
+    version: "2.5.1"
+    valuesFile: config/values.coder.yml
+    skipTests: true
+
+generators:
+  - ./secret-generator.yaml

coder/resources/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coder
+  labels:
+    prometheus: default

coder/secret-generator.yaml

@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: coder-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+  - ./config/secrets.enc.yml

dragonfly-operator/resources/deployment.yaml

@@ -26,6 +26,14 @@ spec:
     spec:
       affinity:
         nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - arm64
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
             - matchExpressions:

hedgedoc/kustomization.yaml

@@ -8,9 +8,11 @@ images:
   newName: quay.io/hedgedoc/hedgedoc
   newTag: "1.9.9"
 
-commonLabels:
+labels:
-  app.kubernetes.io/instance: icb4dc0de
+- includeSelectors: true
-  app.kubernetes.io/managed-by: kustomize
+  pairs:
+    app.kubernetes.io/instance: icb4dc0de
+    app.kubernetes.io/managed-by: kustomize
 
 resources:
   - "resources/namespace.yaml"

hedgedoc/resources/config.enc.yaml

@@ -4,7 +4,6 @@ metadata:
     name: hedgedoc-secret-config
 type: Opaque
 stringData:
-    CMD_DB_URL: ENC[AES256_GCM,data:4nqueG0hIb5fPQbPJll+keWZVODpFxBUhVkeHTKJ2/J8Kpj8DMuU41HLQ1+iGFiUtEdv2LPvbgDOeXT4UR3zjDdGL96SpKbLQIKQlNjPWNfUXeHASkiIiMHh9Y7z3d/s2coopzk9ULTHs5XIMywCUoY8DX4=,iv:drx1hQdbsLbPSojSL79TFop1wni2KxNPJ+KwlOL9WQo=,tag:4JbriWueqRye/n3rnBpSkw==,type:str]
     CMD_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:VqudURssSgmCDVhCRjak2TDG10pwvCNfi0w9FlEh4SI=,iv:VGavO528JfqsUVyvWSAlWkMTXJAmLUablaGZ3VCEtq8=,tag:unvEa2k/9AzfVMEnhCDB1Q==,type:str]
     CMD_MINIO_SECRET_KEY: ENC[AES256_GCM,data:/iQq6wnoH/WwEzApap6szpr7z+KZJ+twcuINgqtbHOMDXeVz9Yi7cjC0hGlqQHZTCO4jR5gp+OwdIkzRk0zDsw==,iv:1OHm8K3AA340q0xkNCF3RsPpcpKmUE5Yibu+IWIZ7+E=,tag:cB/pckdoEZQlzlRVWoYKmA==,type:str]
     CMD_OAUTH2_CLIENT_ID: ENC[AES256_GCM,data:x1zEeQl4WM49dmbx9v159APlimVVmQX4uPUTa0Nwu7jazcD1,iv:eXSk8Js2OhKC6q1M2anzCdC30IqA9YIj7rxmzFRE4bo=,tag:zgutG/3INA7DxUY5PRJoIg==,type:str]
@@ -34,8 +33,8 @@ sops:
             ZXpzNmEzbXhtZDkySFM2L0VQTzZCdTQKh46uRnVtRzzdnnnuCJNwgQo8AeNKpc6B
             WC91My4qyOtvM9J+FJC71DTovfmHrZw0YWbPwXqNRU6XBWHfC/MViA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-08T19:19:28Z"
+    lastmodified: "2023-12-20T20:40:53Z"
-    mac: ENC[AES256_GCM,data:mG1SOLX1AFuPuJ3v8o12ofU+rHD/Iwwp3xFfIoayHp+K/w8btnwZ1rrbzZLRwZfR2nnxF9Rn4UZ2d1v6B9z2Dlz/p4EDc2pDyyhgWFCoJgf1J3w7Gj7b1C9ukoGrxcQ0RaZjhhZrU0XjN5EyfTgxcl1e5UahOrHVUu5OMBukkKg=,iv:2M5gtUdMpsYmLZkuaWXoHGGKPM9pvXwEpqqRjhSN8yo=,tag:ORpppvL5KKXRVgIwAoTOCw==,type:str]
+    mac: ENC[AES256_GCM,data:DcoiksdfIUl5cCC8mSbzAUO9lWTeotr/UNMwIa+Z7aq9s4tzVn3YBbAPh5by5U7PVqAPkutoBjUk1IXCqWykkGXw/k9n7mAZn5AiCweLNY/d0gmKTpCUsGqaTg8gH7gQJy6+TNGxnq+Wm4GQNHAduYMJXS4/UdJcIAAc/id4JXo=,iv:+OYzaUHdJN4daTrAg561LxS0i6lozZ+OylhxubZplYc=,tag:7gElSJeGIaqXzjYTe9OTZQ==,type:str]
     pgp: []
     unencrypted_regex: ^(apiVersion|metadata|kind|type)$
     version: 3.8.1

hedgedoc/resources/deployment.yaml

@@ -15,6 +15,14 @@ spec:
       containers:
       - name: hedgedoc
         image: hedgedoc
+        env:
+          - name: CMD_DB_URL
+            valueFrom:
+              secretKeyRef:
+                name: default-cluster-pguser-hedgedoc
+                key: uri
+          - name: NODE_EXTRA_CA_CERTS
+            value: /certs/ca.crt
         envFrom:
           - secretRef:
               name: hedgedoc-base-config
@@ -27,6 +35,9 @@ spec:
         volumeMounts:
           - name: upload-tmp
             mountPath: /tmp
+          - name: pg-certs
+            mountPath: /certs
+            readOnly: true
         resources:
           requests:
             memory: "168Mi"
@@ -44,7 +55,20 @@ spec:
         runAsUser: 1000
         runAsGroup: 1000
         runAsNonRoot: true
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - arm64
       volumes:
         - name: upload-tmp
           emptyDir:
-            sizeLimit: 500Mi
+            sizeLimit: 500Mi
+        - name: pg-certs
+          secret:
+            secretName: default-cluster-cluster-cert

homepage/kustomization.yaml

@@ -11,9 +11,11 @@ images:
   newName: quay.io/oauth2-proxy/oauth2-proxy
   newTag: v7.5.1
 
-commonLabels:
+labels:
-  app.kubernetes.io/instance: icb4dc0de
+- includeSelectors: true
-  app.kubernetes.io/managed-by: kustomize
+  pairs:
+    app.kubernetes.io/instance: icb4dc0de
+    app.kubernetes.io/managed-by: kustomize
 
 resources:
   - "resources/namespace.yaml"

linkwarden/config/secrets.enc.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: linkwarden-config
+type: Opaque
+stringData:
+    NEXTAUTH_SECRET: ENC[AES256_GCM,data:qljN/QafFYQwk9tZzfUom864wmLBkOA6sZLezygCqpmTPxo6T7VWP2Z6hoI=,iv:HZHCtzraMHTaTjlTRdSs0T6gaREUVWwg4tst7lGgWjs=,tag:g4WXVJ4zcoH8HcPBprkiiA==,type:str]
+    NEXTAUTH_URL: ENC[AES256_GCM,data:WqEQhQHOgitq66YKbF0SV4iox3rb0713TATzZE+iNxEccm27,iv:urUC/cmks3renR3kkGpw8hHYwVrwz5JXf7QXXQq2ElA=,tag:Vucguui87xJWGCT+M1SaZw==,type:str]
+    NEXT_PUBLIC_DISABLE_REGISTRATION: ENC[AES256_GCM,data:r7mA+g==,iv:hTpGulLYK10DoCAYc3Hp6BlKQBeKHkV3A6BUJku9ZjQ=,tag:5gpMkBYkySIO8RGG4dzaew==,type:str]
+    SPACES_KEY: ENC[AES256_GCM,data:BF1RGNTId/gzEATiHqI4DwAeSSz0QBk1MVtQCs91K84=,iv:4jKC+G/c8MZ/kNyt9n6Hn7YvSYNWegTEzcQ9Z63i6U4=,tag:05l1AVPhFN4H53b5/FM4fw==,type:str]
+    SPACES_SECRET: ENC[AES256_GCM,data:UwWvKzmHsLE4y1+yeZEjP+swVO5+Ss/Dj8YJz/V1xq9sbvI4dyswuUeOJ6xzl4fbPUYW4gMCELhLBYz4s6eOZw==,iv:fvt2J66VPFMY4bLn+18rpxOPFRJi2ynikfQGNSn0PoY=,tag:F4XGCCJq+1uvl1LdBBES1A==,type:str]
+    SPACES_ENDPOINT: ENC[AES256_GCM,data:9V9UgB1YgSqyXQO6VogyDHTRpS++OmDvWdGYEoaAoSHrBMhrDq2YW7mCLSNA8HOpFCLWN5AF9FqbsjA/dB/7Gio=,iv:S3Js7k/hoLJeDIbZWPdPlupdNKaupAaqFoWWiFgHs7Q=,tag:5deMT1/t78VOduFs5pTuxA==,type:str]
+    SPACES_BUCKET_NAME: ENC[AES256_GCM,data:/T9L2eHlrpX74w==,iv:pGzRxFLGYOEf8LeuzOrc7GVTHQ9lbp4YjFWSS03OQNM=,tag:S6iWpQANHebGAK+7lhAqwg==,type:str]
+    SPACES_REGION: ENC[AES256_GCM,data:kP0CGw==,iv:bniAW1+xg7y1qnSqh9qAUM1LG1geVs7AIvbqn+fH/CU=,tag:GyWNCgK8PSJWnUOfDg3X+w==,type:str]
+    SPACES_FORCE_PATH_STYLE: ENC[AES256_GCM,data:JSXD7Q==,iv:JMbqKZO4SdYBglZySpDY56vTiCKDCeBlRjKD4uwFQOg=,tag:6gsT1+BWbGA1Ce05iaK/1Q==,type:str]
+    NEXT_PUBLIC_KEYCLOAK_ENABLED: ENC[AES256_GCM,data:5ePOxQ==,iv:B3Xv/z0Bcv4u2nzNQSHFZGQeuAw6kkZIi4V2gkkGesk=,tag:ZLzKaf55W1DXzXhQ0NRPWQ==,type:str]
+    KEYCLOAK_ISSUER: ENC[AES256_GCM,data:I710NmdNMWyheJD5i+zXgV8I3LCa9dc=,iv:17dX+n20fkq+m98i47WeKeJ+f5l+rg9oq08/Ki8hmg8=,tag:5HdizFf2WM2X9X/rMsZH9Q==,type:str]
+    KEYCLOAK_CLIENT_ID: ENC[AES256_GCM,data:aUrLGjG5Pt6yAdI1sGMS7qmDg70oiUMciLAwfpNsyscMv9nk,iv:29JZfzF8sPmIvyWPw+VjzgTRJr+aSjDN6IGZmt7JFYM=,tag:pX6w2++QHwED/46njtM/Qg==,type:str]
+    KEYCLOAK_CLIENT_SECRET: ENC[AES256_GCM,data:yrz8bwNmEvjl0zeul2EfcyBrvp1VhDJYIVA/2ttIvEVuvB9M0XzOAtV/KHxZXv544mQ+/HsORMY=,iv:GL0vMgvm5zIfV4+zWUmAnTv7FTJvF0jQzfoxqFMB0ho=,tag:jzwQYN2sB6EoS/owF0wNMg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkb2dXQkVHOW9aVGozUkVG
+            QTkyWVBkQ1F4MVVmN0Z2ZGhUVi9oR1puYWpZCm5xcXM1VU9pOE5iR1VUQmZOQlBq
+            V2N0ZG5mWGJMTW43V3ZDWUJhQ2RwVUkKLS0tIDYvSkpQQnkyb2ZvOGwxcXM3ZUVh
+            NnkwcUJna1FSTXpMY1RxS05TV2lCWEUK63y4d4TS0JWdNPy2DCFsrnPVoWF3HaF2
+            hMFBIt7bKNrEMChwJ0IWCtCS4EoatYKrFSwuIQHBGPiDgQuHij90Rg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQUZFaXFCbFVoVEVNS3hP
+            bmt0YXJhbk9BUDdkT1M1N0h0UXZ3V0dCOEVjCkQ5Wmt6VjMwNTZmUGk2Z0srU2lo
+            OU8waDhDMHE3SDRaOUNxc2pZallnd0UKLS0tIHNkOEhudkR4SmVhRGd1VStQLzBZ
+            aVVYZ3JDSDhKdFZZZXdycnUyTml0VXcKTg087ZASI5RraNAD8rnHa5OUaYEdRte/
+            OyVbfwvYm79jQipgTwoctCmVuL8lMjnoKuDZnMT6UEgV6ziHKrqIZw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-21T12:25:42Z"
+    mac: ENC[AES256_GCM,data:U2rRu3TPyXjt2YnR7cQrsRYvWS41zgDonqglfJPnnrSegoe/JmNn2jIU6iljJEruGmhxNGxh1KE8KHn2mJ2M6GWJ0TMW6JBiQ0Yl6UXBYAnMrw5FYfIThtB8gxvEUtoQ8fES9jCyqneHE5DWe0kbdMqaU9uf/G4nwUMAyWdVAdA=,iv:AejpeLY6pooJ4MOIbXjSAr9d6JjFx7FTkygs8Jy91Ug=,tag:7/RNNFY5ZhkxJ88bL4v55Q==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

linkwarden/kustomization.yaml

@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: linkwarden
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: icb4dc0de
+    app.kubernetes.io/managed-by: kustomize
+
+images:
+  - name: linkwarden
+    newName: ghcr.io/linkwarden/linkwarden
+    newTag: "v2.3.0"
+
+resources:
+  - "resources/namespace.yaml"
+  - "resources/deployment.yaml"
+  - "resources/service.yaml"
+  - "resources/ingress.yaml"
+
+generators:
+  - ./secret-generator.yaml

linkwarden/resources/deployment.yaml

@@ -0,0 +1,80 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: linkwarden
+  labels:
+    app.kubernetes.io/name: linkwarden
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: linkwarden
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: linkwarden
+    spec:
+      initContainers:
+        - name: install-packages
+          image: linkwarden
+          command: ["/bin/bash", "-c", "npx playwright install"]
+          volumeMounts:
+            - name: node-cache
+              mountPath: /home/node/.cache
+      containers:
+        - name: linkwarden
+          image: linkwarden
+          env:
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: default-cluster-pguser-linkwarden
+                  key: uri
+          envFrom:
+            - secretRef:
+                name: linkwarden-config
+          ports:
+            - containerPort: 3000
+              protocol: TCP
+              name: web
+          volumeMounts:
+            - name: next-cache
+              mountPath: /data/.next/cache
+            - name: node-cache
+              mountPath: /home/node/.cache
+          resources:
+            requests:
+              memory: "384Mi"
+              cpu: "50m"
+            limits:
+              memory: "768Mi"
+              cpu: "500m"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: false
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - arm64
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        runAsNonRoot: true
+      volumes:
+        - name: next-cache
+          emptyDir:
+            sizeLimit: 250Mi
+        - name: node-cache
+          emptyDir:
+            sizeLimit: 1500Mi

linkwarden/resources/ingress.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: linkwarden
+  annotations:
+    gethomepage.dev/description: Store links to find them later
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/group: Apps
+    gethomepage.dev/icon: linkwarden.png
+    gethomepage.dev/name: Linkwarden
+spec:
+  rules:
+    - host: links.icb4dc0.de
+      http:
+        paths:
+          - pathType: Prefix
+            path: /
+            backend:
+              service:
+                name: linkwarden
+                port:
+                  number: 3000

linkwarden/resources/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: linkwarden
+  labels:
+    prometheus: default

linkwarden/resources/service.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: linkwarden
+spec:
+  selector:
+    app.kubernetes.io/name: linkwarden
+  ports:
+    - protocol: TCP
+      port: 3000
+      targetPort: 3000

linkwarden/secret-generator.yaml

@@ -0,0 +1,10 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: linkwarden-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+  - ./config/secrets.enc.yaml

postgres-operator/kustomization.yaml

@@ -6,18 +6,19 @@ labels:
   pairs:
     app.kubernetes.io/name: pgo
     # The version below should match the version on the PostgresCluster CRD
-    app.kubernetes.io/version: 5.4.3
+    app.kubernetes.io/version: 5.5.0
     postgres-operator.crunchydata.com/control-plane: postgres-operator
 
 images:
 - name: postgres-operator
   newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
-  newTag: ubi8-5.4.3-0 
+  newTag: ubi8-5.5.0-0
 
 resources:
   - resources/namespace.yaml
   - resources/crd/postgresclusters.yaml
   - resources/crd/pgupgrades.yaml
+  - resources/crd/pgadmins.yaml
   - resources/rbac/service_account.yaml
   - resources/rbac/role.yaml
   - resources/rbac/role_binding.yaml

postgres-operator/resources/crd/pgupgrades.yaml

@@ -6,7 +6,7 @@ metadata:
   creationTimestamp: null
   labels:
     app.kubernetes.io/name: pgo
-    app.kubernetes.io/version: 5.4.3
+    app.kubernetes.io/version: 5.5.0
   name: pgupgrades.postgres-operator.crunchydata.com
 spec:
   group: postgres-operator.crunchydata.com
@@ -1072,4 +1072,4 @@ spec:
     served: true
     storage: true
     subresources:
-      status: {}
+      status: {}

postgres-operator/resources/crd/postgresclusters.yaml

@@ -6,7 +6,7 @@ metadata:
   creationTimestamp: null
   labels:
     app.kubernetes.io/name: pgo
-    app.kubernetes.io/version: 5.4.3
+    app.kubernetes.io/version: 5.5.0
   name: postgresclusters.postgres-operator.crunchydata.com
 spec:
   group: postgres-operator.crunchydata.com
@@ -15462,4 +15462,4 @@ spec:
     served: true
     storage: true
     subresources:
-      status: {}
+      status: {}

postgres-operator/resources/db/default-cluster.yaml

@@ -5,7 +5,7 @@ metadata:
   name: default-cluster
   namespace: postgres
 spec:
-  image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.4-1
+  image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.5-0
   postgresVersion: 15
   users:
     - name: postgres
@@ -27,6 +27,9 @@ spec:
     - name: hedgedoc
       databases:
         - hedgedoc
+    - name: linkwarden
+      databases:
+        - linkwarden
     - name: nextcloud
       databases:
         - nextcloud
@@ -65,7 +68,7 @@ spec:
 
   backups:
     pgbackrest:
-      image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-1
+      image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-2
       configuration:
       - secret:
           name: pgo-s3-creds

postgres-operator/resources/manager.yaml

@@ -60,4 +60,14 @@ spec:
           capabilities: { drop: [ALL] }
           readOnlyRootFilesystem: true
           runAsNonRoot: true
-      serviceAccountName: pgo
+      serviceAccountName: pgo
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - arm64

postgres-operator/resources/rbac/role.yaml

@@ -102,6 +102,7 @@ rules:
 - apiGroups:
   - postgres-operator.crunchydata.com
   resources:
+  - pgadmins
   - pgupgrades
   verbs:
   - get
@@ -110,18 +111,19 @@ rules:
 - apiGroups:
   - postgres-operator.crunchydata.com
   resources:
+  - pgadmins/finalizers
   - pgupgrades/finalizers
+  - postgresclusters/finalizers
   verbs:
-  - patch
   - update
 - apiGroups:
   - postgres-operator.crunchydata.com
   resources:
+  - pgadmins/status
   - pgupgrades/status
+  - postgresclusters/status
   verbs:
-  - get
   - patch
-  - watch
 - apiGroups:
   - postgres-operator.crunchydata.com
   resources:
@@ -131,18 +133,6 @@ rules:
   - list
   - patch
   - watch
-- apiGroups:
-  - postgres-operator.crunchydata.com
-  resources:
-  - postgresclusters/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - postgres-operator.crunchydata.com
-  resources:
-  - postgresclusters/status
-  verbs:
-  - patch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

postgres-operator/resources/rbac/role_binding.yaml

@@ -11,5 +11,4 @@ roleRef:
   name: postgres-operator
 subjects:
 - kind: ServiceAccount
-  name: pgo
+  name: pgo
-  namespace: postgres-system

vaultwarden/kustomization.yaml

@@ -3,9 +3,11 @@ kind: Kustomization
 
 namespace: vaultwarden
 
-commonLabels:
+labels:
-  app.kubernetes.io/instance: icb4dc0de
+- includeSelectors: true
-  app.kubernetes.io/managed-by: kustomize
+  pairs:
+    app.kubernetes.io/instance: icb4dc0de
+    app.kubernetes.io/managed-by: kustomize
 
 images:
   - name: vaultwarden

vaultwarden/resources/deployment.yaml

@@ -35,6 +35,16 @@ spec:
         volumeMounts:
           - name: data
             mountPath: /data
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 1
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/arch
+                    operator: In
+                    values:
+                      - arm64
       volumes:
         - name: data
           persistentVolumeClaim:

vikunja/kustomization.yaml

@@ -11,9 +11,11 @@ images:
     newName: docker.io/vikunja/frontend
     newTag: "0.21.0"
 
-commonLabels:
+labels:
-  app.kubernetes.io/instance: icb4dc0de
+- includeSelectors: true
-  app.kubernetes.io/managed-by: kustomize
+  pairs:
+    app.kubernetes.io/instance: icb4dc0de
+    app.kubernetes.io/managed-by: kustomize
 
 resources:
   - resources/namespace.yaml

zipline/kustomization.yaml

@@ -8,9 +8,11 @@ images:
   newName: ghcr.io/diced/zipline
   newTag: "3.7.7"
 
-commonLabels:
+labels:
-  app.kubernetes.io/instance: icb4dc0de
+- includeSelectors: true
-  app.kubernetes.io/managed-by: kustomize
+  pairs:
+    app.kubernetes.io/instance: icb4dc0de
+    app.kubernetes.io/managed-by: kustomize
 
 resources:
   - "resources/namespace.yaml"