diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..a306b2c
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,4 @@
+creation_rules:
+  - encrypted_regex: '^(data|stringData)$'
+    path_regex: \.yaml$
+    pgp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
diff --git a/apps/forgejo-runner/deployment.yaml b/apps/forgejo-runner/deployment.yaml
new file mode 100644
index 0000000..384bb28
--- /dev/null
+++ b/apps/forgejo-runner/deployment.yaml
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: forgejo-runner
+  namespace: forgejo
+  labels:
+    app: forgejo-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: forgejo-runner
+  template:
+    metadata:
+      labels:
+        app: forgejo-runner
+    spec:
+      restartPolicy: Always
+      volumes:
+      - name: docker-certs
+        emptyDir: {}
+      - name: runner-data
+        emptyDir: {}
+      initContainers:
+      - name: runner-config-generation
+        image: code.forgejo.org/forgejo/runner:6.3.1
+        command:
+          [
+            "sh",
+            "-c",
+            "forgejo-runner create-runner-file --instance $FORGEJO_INSTANCE_URL --secret $RUNNER_SECRET --connect"
+          ]
+        env:
+        - name: RUNNER_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: forgejo-runner-token
+              key: token
+        - name: FORGEJO_INSTANCE_URL
+          value: https://git.patanix.de
+        volumeMounts:
+        - name: runner-data
+          mountPath: /data
+      containers:
+      - name: runner
+        image: code.forgejo.org/forgejo/runner:6.3.1
+        command:
+          [
+            "sh",
+            "-c",
+            "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon"
+          ]
+        env:
+        - name: DOCKER_HOST
+          value: tcp://localhost:2376
+        - name: DOCKER_CERT_PATH
+          value: /certs/client
+        - name: DOCKER_TLS_VERIFY
+          value: "1"
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs
+        - name: runner-data
+          mountPath: /data
+      - name: daemon
+        image: docker:23.0.6-dind
+        env:
+        - name: DOCKER_TLS_CERTDIR
+          value: /certs
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs
+
diff --git a/infrastructure/cnpg/kustomization.yaml b/apps/forgejo-runner/kustomization.yaml
similarity index 50%
rename from infrastructure/cnpg/kustomization.yaml
rename to apps/forgejo-runner/kustomization.yaml
index 9923fdf..48500e1 100644
--- a/infrastructure/cnpg/kustomization.yaml
+++ b/apps/forgejo-runner/kustomization.yaml
@@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - namespace.yaml
-  - helmrepository.yaml
-  - helmrelease-operator.yaml
+  - runner-secret.yaml
+  - deployment.yaml
diff --git a/apps/forgejo-runner/runner-secret.yaml b/apps/forgejo-runner/runner-secret.yaml
new file mode 100644
index 0000000..f2ebe72
--- /dev/null
+++ b/apps/forgejo-runner/runner-secret.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: forgejo-runner-token
+    namespace: forgejo
+type: Opaque
+stringData:
+    token: ENC[AES256_GCM,data:e0BsoUOwkfl7qt48/eT8Nvexg8RZ24cG33VeIfjru4NxyVOXUVQDGw==,iv:4My1NRIA5DG1uvgxAki5pYVYJdM/oTNqPu4WEn1IFaI=,tag:dKRwR5q/szl9/Qm/6TFnKQ==,type:str]
+sops:
+    lastmodified: "2025-05-26T16:32:21Z"
+    mac: ENC[AES256_GCM,data:ccBH5XRiXgio3aCEi4O4YRdh7sq46qxN457IMUqgQrCNFBNjk70OJD31ZxalYPr1iTlAQdbtPT8tVcFRd8EvTeRSm9KaWqusVKHbdsWeDUStHNXADjFwLTAoqVOn0yz9H5YTdLFxIHuV61w2HDJkz+sG0bM9uwv6YPkdbnyLtFs=,iv:h9NzKcUGbLwriVBo1Gfkw2Wbqr1dIZ0nevT1p4pHiQs=,tag:TXxb9UxVeTF6lUbSUxP9DQ==,type:str]
+    pgp:
+        - created_at: "2025-05-26T16:32:21Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklARAArNaDCnZTWLtET2sx73YyUhRSqF4fuc8whg8s6K93llT8
+            oxi/MJNkD8yFa3PgGzFl1Yfdw2xpv5BbdYe0dIclitZe87y4DjMrUbc6ZeYaWr/A
+            W+LgcUcspBiofqgOHS+RGupi0djdjOcQN2upAU2OsbPXI3IhmSyQQmaOU5zbgHRx
+            230KArgUGCpkdnO78tKlSMnyw02omzV/J6qMZ3iV1KyK8kRC5VH4OIWQN8hypEXG
+            4Iaf6bJbTpaLZLNScjGJR4v9FKo0CQ8RSO8UDtGdVajrHBNWuHkogu7Ol8byoCJ5
+            S9+N39YC0wcaRQ0bf9qFr3EcNnCDSxYcPRH7aCLGazyu9qZEf2Azj+i80saY9XBJ
+            787KyHxB7OfNPuG6FAtmJqRxnfc7br/4clQ93phqCBXRAd+AOGAhCuwQCLNsYP17
+            jklZKSnvKw56RgsQ2ANHkDZ9O3RcfWJjj5lZX0Tr8REm849YimL70D5KGPj/YDuO
+            vY1GdJjDTfxWwXuX7crJbROF1m8KBcQdIa3/XUZx2sDHfSJn4Wlklze9P0P6XmVc
+            D4Yc7kZ8z5oEvJkW/+7YUKZjxv/2QkLHQ1qKYse8CeDFQ9plibLd09D6Z83Ycvhx
+            /n9C5LRJS1LZn4h4DMxncALPMDXQjCjoBDXttieLvZz8r3a2Ja1TEsNERZxrBoXU
+            aAEJAhAk/ocgcppH9AALdg47PFam0GTHIVc5ywo6pPVOLJPkDxr/cKYw3a08mQE9
+            B+NUGfLBBhRH39LZdb/HwNB8pqLw/QEtAL/5cxO4jFl48l0WhZ+Gz6DWj+NZ4ttC
+            wsWJRN7WlR4U
+            =cLTV
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
diff --git a/apps/forgejo/certificate.yaml b/apps/forgejo/certificate.yaml
new file mode 100644
index 0000000..46bb271
--- /dev/null
+++ b/apps/forgejo/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: forgejo-tls
+  namespace: forgejo
+spec:
+  secretName: forgejo-tls
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  commonName: git.patanix.de
+  dnsNames:
+    - git.patanix.de
diff --git a/apps/forgejo/forgejo-admin-secret.yaml b/apps/forgejo/forgejo-admin-secret.yaml
new file mode 100644
index 0000000..5555a93
--- /dev/null
+++ b/apps/forgejo/forgejo-admin-secret.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: forgejo-admin
+    namespace: forgejo
+type: Opaque
+stringData:
+    username: ENC[AES256_GCM,data:5U+NQFI=,iv:Hy4WQ1iSSDGY1/hZeqvUlUmbH2DzrFaIMRXHhPFFNao=,tag:ssIQ38hN5dqBamzKfqOntA==,type:str]
+    email: ENC[AES256_GCM,data:TkA4de0xPhpa6vNh8yqgUDxpTiFnQjbVcg==,iv:BCrKyx52wvCdXXKPDqQpCEt5LL3pe13MAb0SBx4cU2E=,tag:lnjjPIxSOMgqrhAeFCqI/w==,type:str]
+    password: ENC[AES256_GCM,data:m+UcNRE/KjJuZn4=,iv:FHE0gAQo+jJluWyjhDcxqKfxKsh2+MNCnU0oCBZJ15M=,tag:3TBBB9N4l1CkQPovPGzXNw==,type:str]
+sops:
+    lastmodified: "2025-05-26T11:50:42Z"
+    mac: ENC[AES256_GCM,data:QCmUknliiOFBXfVNzYNjdtHMG+ZNC9WyQT7Q6+zhJAeFr2CbpsMmlqHFuKj68c7zlty6ZZpc58ZVMnp6l29n9YTPNKjNlIbtkVYcd3SPnAEOiiYXyxymJdPjWmRwi1XxsfVPkG8Vb0psWtRuHgJxpDsGWEPFMDw9B2pyRITBPEw=,iv:YsX7bSb5Exzb1fs/ZfVQiz5yFUkL1YDTag+1zHSYUk8=,tag:PR3/N9QdJ1X++6Og6FLWLQ==,type:str]
+    pgp:
+        - created_at: "2025-05-26T11:50:42Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklARAAk/2MvtyJYevYh6DMMdOlj+KwjAifju/T1a9/yEdVZEOA
+            8EC+zq49NIIkrpw3vy18TMSg0Sp4jDUatIjN06zrmPZp6p5x26VDjOcuNiyZIgp+
+            6IFs2yvPk7rqExC/4eOK3BS7YWcBPTrhFCMBLaeWOi+Ku1qmTmPNufogUp7/RcHF
+            Sk9lqtiGcGvV7nQs+SXakgxnI019AJ5y3DBkACJwLaTBZaCc8ebCVJpuBhQpBuql
+            ArtL7l8FEf5Yy8WZny9agK+sRZc3LugFS+XVlVKzfY53tPIanwYqdFQbXCAcKXXp
+            zAqR6f15+lpCIKjoPbBgrmun+OtyGHfFelaQFnLQwefAUFiS2lGlukgHdC8B9yjk
+            iw6uCM3NPAdtzDoHlE5AdkauXF2vfW0yvnaCOzh3ogsMsQG9VbcRXQUXx2SUW+2r
+            BNJUaiGnRMoMFjsms6TSY7EMFT7dnyRGOlhFZLocEDBzfjsCvvuvuOoyrw1gTiJw
+            tgT685+Su80qbtTrfWGx7tewhFn/ERklgLFWa3WrJxXmfajpI4ksardtB5EclnMb
+            b9uV95WroK5C3IbE2q8y2qpt51tizUZCMYHNOr0XdBGgkwkMtPRAdTnXABaiBgfk
+            dNOHL1sMngT7tfVuazPPV5KuCYJ47aKFNjTq7PyDkU+Y/5xqa2yOGn43wSjJXJ7U
+            aAEJAhDXjJgiE9z5Fms0y1Q6PJzZB40EKyOYidhV64YqOeNMb4rEwsr41t+jo5EY
+            x0HAkWPxAtcLGHn31jZtwGN0sMyHQ8wMjNFaGzIOFaLYHGB5mHWKcKPgItMp3rDR
+            5DZ8W+sMt4Df
+            =OK0Y
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
diff --git a/apps/forgejo/helmrelease.yaml b/apps/forgejo/helmrelease.yaml
new file mode 100644
index 0000000..fe3ee50
--- /dev/null
+++ b/apps/forgejo/helmrelease.yaml
@@ -0,0 +1,43 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: forgejo
+  namespace: forgejo
+spec:
+  interval: 15m
+  chartRef:
+    kind: OCIRepository
+    name: forgejo
+    namespace: flux-system
+  values:
+    persistence:
+      enabled: true
+      size: 40Gi
+      storageClass: local-path
+    ingress:
+      enabled: true
+      className: traefik
+      hosts:
+        - host: git.patanix.de
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - secretName: forgejo-tls
+          hosts:
+            - git.patanix.de
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-dns
+    admin:
+      existingSecret: forgejo-admin
+      usernameKey: username
+      passwordKey: password
+      emailKey: email
+    redis:
+      enabled: true
+    redis-cluster:
+      enabled: false
+    postgresql-ha:
+      enabled: false
+    postgresql:
+      enabled: true
diff --git a/infrastructure/longhorn/kustomization.yaml b/apps/forgejo/kustomization.yaml
similarity index 69%
rename from infrastructure/longhorn/kustomization.yaml
rename to apps/forgejo/kustomization.yaml
index c454170..9d94b3d 100644
--- a/infrastructure/longhorn/kustomization.yaml
+++ b/apps/forgejo/kustomization.yaml
@@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - helmrepository.yaml
+  - forgejo-admin-secret.yaml
   - helmrelease.yaml
-  - longhorn-ingress.yaml
+  - certificate.yaml
diff --git a/infrastructure/sonarqube/namespace.yaml b/apps/forgejo/namespace.yaml
similarity index 69%
rename from infrastructure/sonarqube/namespace.yaml
rename to apps/forgejo/namespace.yaml
index f18e1e9..6521f89 100644
--- a/infrastructure/sonarqube/namespace.yaml
+++ b/apps/forgejo/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: sonarqube
+  name: forgejo
diff --git a/apps/gitea/certificate.yaml b/apps/gitea/certificate.yaml
new file mode 100644
index 0000000..1aa1971
--- /dev/null
+++ b/apps/gitea/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-tls
+  namespace: gitea
+spec:
+  secretName: gitea-tls
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  commonName: git.patanix.de
+  dnsNames:
+    - git.patanix.de
diff --git a/apps/gitea/gitea-admin-secret.yaml b/apps/gitea/gitea-admin-secret.yaml
new file mode 100644
index 0000000..a260a8b
--- /dev/null
+++ b/apps/gitea/gitea-admin-secret.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-admin
+    namespace: gitea
+type: Opaque
+stringData:
+    username: ENC[AES256_GCM,data:ZBxl7DQBLe5fDww=,iv:zTwXtGFqL3yMgAzyDpsGiMAJ8scB32SC1Ehuuhk1pDE=,tag:CZidHkUJizZmEtY6eo6m6w==,type:str]
+    password: ENC[AES256_GCM,data:VyN6dle4JZsWIzg=,iv:TZiVv8J9tJowNJm2428vyeX0u3fjBuMJbgCpEJFNE2s=,tag:Ojv881IpyNS8wrCkUFaAmg==,type:str]
+    email: ENC[AES256_GCM,data:TMBijnBYYQLBx1TWUra/HF5vAFZjZ4fRZQ==,iv:jGhot21TVqEij4LPwoRfTbPXBImivgg9knqRHuU6A8Y=,tag:2mKfHvYugmOmqdZfe4risg==,type:str]
+sops:
+    lastmodified: "2025-05-26T09:30:16Z"
+    mac: ENC[AES256_GCM,data:bcOQjgb3ie22ape8QooHVhcqYTGHPgN0W4j5ikbozI8YqIIudS9V0RA2dV2wzRNqBDaEsGTzqGIqe4aXEa7juizdxPEL63EtFmU06UbqjoUyw3UUiSPVTj7GVIpPGR3OhRyNJSKYy/ZkVQvAYllI56Du1FNV99lF+ytBQo/wU8w=,iv:ipqhozwXFE9bVuQqsZrBxHtVHcsIWiVewuDWTlofgNs=,tag:lNalhPo0WA4NKjVoRxzwuw==,type:str]
+    pgp:
+        - created_at: "2025-05-26T09:30:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklARAAiGkRRw5T62eViNLz9JIDsFcnQ7gJfb/CuoGTFFGnGY9e
+            I4mLxjxYvZfnBKKCHCxnMjhBGc+l2VWbbYhiFOXY2XIUHNsvL/7qPvrRvVTHuHIq
+            GKjL+sgY1NBNt2zftcJEMVR+EYr8EbAlq7dk3bOHWJxA99cf0ZBYHk1Vp3uh8XkO
+            zYn4FgRr+2+MB3Tf89lbsJH73JqYHhC73RKxxcIDFrSm/s5PaBrV2/Bkv45e9AOd
+            N2xQgw5rLFC0mxZd6fWEIjJw+19XgwowFFD4zK5T5eDYilAoS3tCSPQaewVmoUQM
+            MZtfE2QcSKCyZDdeWcwUWld0g+ANUT/NhtpyxJDbMxH1GVot7yh5L71uh9Y5ikMd
+            hkpBBe5z2rcpAOEel/rKKLopIqc0gaz8THCiTJWD7AdlHiy0fQ7Pd7nKAQujWzrf
+            8+aMNSJ7kGPvzcLVSatXaJbHu9DDTyXf3sznKIiFnxS9fr28wCAUBFzg6rEzj4Xb
+            ptQzVcA3+x026sXn7EUxL10O3st7RIV2/tF24zoGpb2W8mlGkt47LvijrcmvQcnW
+            s8iUsu3rSdYAdQ0WjV/NG7b8eaB/Jbe0WukvD4Dm0SHq5ZDqZhCp9e0v+RcwsapJ
+            WKstsBwGiTud+WMKmJjb5ziJ7X0wW9sst1HFyiwdAdus42aWVIrJa5gSCVUs90TU
+            ZgEJAhBtni2z5cPKkFivbn1yoIeZi7QH1PF2+ucFhdfSVcPuCBWydtz67aTH7rYa
+            XpGjhFYHapmph9nbDUueTrf2l5Q4LorVUsHwbM424Wo5gN8GF/l0af29ASLVvhPD
+            WpAzLIa+Fw==
+            =xXsp
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
diff --git a/infrastructure/gitea/helmrelease.yaml b/apps/gitea/helmrelease.yaml
similarity index 68%
rename from infrastructure/gitea/helmrelease.yaml
rename to apps/gitea/helmrelease.yaml
index 4bf68a5..fb1f59f 100644
--- a/infrastructure/gitea/helmrelease.yaml
+++ b/apps/gitea/helmrelease.yaml
@@ -15,18 +15,32 @@ spec:
         name: gitea-charts
         namespace: flux-system
   values:
+    valkey-cluster:
+      enabled: false
+    valkey:
+      enabled: true
+    postgresql:
+      enabled: true
+    postgresql-ha:
+      enabled: false
     persistence:
       enabled: true
-      storageClass: longhorn
-      size: 5Gi
+      size: 40Gi
+      storageClass: local-path
     ingress:
       enabled: true
       className: traefik
       hosts:
-        - host: gitea.local
+        - host: git.patanix.de
           paths:
             - path: /
               pathType: Prefix
+      tls:
+        - secretName: gitea-tls
+          hosts:
+            - git.patanix.de
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-dns
     service:
       http:
         type: ClusterIP
@@ -36,9 +50,10 @@ spec:
         port: 22
     gitea:
       admin:
-        username: giteaadmin
-        password: changeme
-        email: patrykhegenberg@gmail.com
+        existingSecret: gitea-admin
+        usernameKey: username
+        passwordKey: password
+        emailKey: email
       metrics:
         enabled: true
     actions:
diff --git a/infrastructure/gitea/helmrepository.yaml b/apps/gitea/helmrepository.yaml
similarity index 100%
rename from infrastructure/gitea/helmrepository.yaml
rename to apps/gitea/helmrepository.yaml
diff --git a/infrastructure/sonarqube/kustomization.yaml b/apps/gitea/kustomization.yaml
similarity index 58%
rename from infrastructure/sonarqube/kustomization.yaml
rename to apps/gitea/kustomization.yaml
index b4a3d7c..c81e2fd 100644
--- a/infrastructure/sonarqube/kustomization.yaml
+++ b/apps/gitea/kustomization.yaml
@@ -4,3 +4,7 @@ resources:
   - namespace.yaml
   - helmrepository.yaml
   - helmrelease.yaml
+  - gitea-admin-secret.yaml
+  # - gitea-postgres-secret.yaml
+  # - pvc.yaml
+  - certificate.yaml
diff --git a/infrastructure/gitea/namespace.yaml b/apps/gitea/namespace.yaml
similarity index 100%
rename from infrastructure/gitea/namespace.yaml
rename to apps/gitea/namespace.yaml
diff --git a/apps/gitea/pvc.yaml b/apps/gitea/pvc.yaml
new file mode 100644
index 0000000..c135469
--- /dev/null
+++ b/apps/gitea/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-data
+  namespace: gitea
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 40Gi
+  storageClassName: local-path
diff --git a/apps/home-assistant/helmrelease.yaml b/apps/home-assistant/helmrelease.yaml
new file mode 100644
index 0000000..c73509b
--- /dev/null
+++ b/apps/home-assistant/helmrelease.yaml
@@ -0,0 +1,45 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: home-assistant
+  namespace: home-assistant
+spec:
+  interval: 10m
+  releaseName: home-assistant
+  chart:
+    spec:
+      chart: home-assistant
+      version: "0.3.4"
+      sourceRef:
+        kind: HelmRepository
+        name: home-assistant
+        namespace: flux-system
+  values:
+    hostNetwork: false
+    persistence:
+      enabled: true
+      existingClaim: home-assistant-config
+    ingress:
+      enabled: true
+      className: traefik
+      hosts:
+        - host: ha.patanix.de
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - secretName: ha-patanix-de-tls
+          hosts:
+            - ha.patanix.de
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-dns
+    service:
+      type: ClusterIP
+      port: 8123
+    configuration:
+      enabled: true
+      trusted_proxies:
+        - 10.42.0.0/16
+        - ::1
+        - 127.0.0.1
+      # use_x_forwarded_for: true
diff --git a/infrastructure/gitea-runner/helmrepository.yaml b/apps/home-assistant/helmrepository.yaml
similarity index 50%
rename from infrastructure/gitea-runner/helmrepository.yaml
rename to apps/home-assistant/helmrepository.yaml
index aa6700e..773b830 100644
--- a/infrastructure/gitea-runner/helmrepository.yaml
+++ b/apps/home-assistant/helmrepository.yaml
@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: gitea-charts
+  name: home-assistant
   namespace: flux-system
 spec:
-  url: https://dl.gitea.io/charts/
-  interval: 1h
+  interval: 1h0m0s
+  url: http://pajikos.github.io/home-assistant-helm-chart
diff --git a/infrastructure/gitea/kustomization.yaml b/apps/home-assistant/kustomization.yaml
similarity index 91%
rename from infrastructure/gitea/kustomization.yaml
rename to apps/home-assistant/kustomization.yaml
index b4a3d7c..bd3d01d 100644
--- a/infrastructure/gitea/kustomization.yaml
+++ b/apps/home-assistant/kustomization.yaml
@@ -4,3 +4,4 @@ resources:
   - namespace.yaml
   - helmrepository.yaml
   - helmrelease.yaml
+  - pvc.yaml
diff --git a/infrastructure/longhorn/namespace.yaml b/apps/home-assistant/namespace.yaml
similarity index 63%
rename from infrastructure/longhorn/namespace.yaml
rename to apps/home-assistant/namespace.yaml
index 9ac9395..7c1d06d 100644
--- a/infrastructure/longhorn/namespace.yaml
+++ b/apps/home-assistant/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: longhorn-system
+  name: home-assistant
diff --git a/apps/home-assistant/pvc.yaml b/apps/home-assistant/pvc.yaml
new file mode 100644
index 0000000..9de2299
--- /dev/null
+++ b/apps/home-assistant/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: home-assistant-config
+  namespace: home-assistant
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
+  storageClassName: local-path
diff --git a/apps/kitchenowl/certificate.yaml b/apps/kitchenowl/certificate.yaml
new file mode 100644
index 0000000..99edd64
--- /dev/null
+++ b/apps/kitchenowl/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kitchenowl-tls
+  namespace: kitchenowl
+spec:
+  secretName: kitchenowl-tls
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  commonName: kitchen.patanix.de
+  dnsNames:
+    - kitchen.patanix.de
diff --git a/apps/kitchenowl/deployment.yaml b/apps/kitchenowl/deployment.yaml
new file mode 100644
index 0000000..a6a0694
--- /dev/null
+++ b/apps/kitchenowl/deployment.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kitchenowl
+  namespace: kitchenowl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kitchenowl
+  template:
+    metadata:
+      labels:
+        app: kitchenowl
+    spec:
+      containers:
+        - name: kitchenowl
+          image: 'tombursch/kitchenowl:latest'
+          env:
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: kitchenowl-secret
+                  key: KO_SECRET_KEY
+            - name: DB_TYPE
+              value: sqlite
+          volumeMounts:
+            - name: data
+              mountPath: /data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: kitchenowl-data
diff --git a/apps/kitchenowl/ingress.yaml b/apps/kitchenowl/ingress.yaml
new file mode 100644
index 0000000..f1ac859
--- /dev/null
+++ b/apps/kitchenowl/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kitchenowl
+  namespace: kitchenowl
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-dns
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: kitchen.patanix.de
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: kitchenowl
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - kitchen.patanix.de
+      secretName: kitchenowl-tls
diff --git a/apps/kitchenowl/kustomization.yaml b/apps/kitchenowl/kustomization.yaml
new file mode 100644
index 0000000..2de3493
--- /dev/null
+++ b/apps/kitchenowl/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - pvc.yaml
+  - secret.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - certificate.yaml
diff --git a/infrastructure/cnpg/namespace.yaml b/apps/kitchenowl/namespace.yaml
similarity index 67%
rename from infrastructure/cnpg/namespace.yaml
rename to apps/kitchenowl/namespace.yaml
index 8deac4c..e8bed9e 100644
--- a/infrastructure/cnpg/namespace.yaml
+++ b/apps/kitchenowl/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: cnpg-system
+  name: kitchenowl
diff --git a/apps/kitchenowl/pvc.yaml b/apps/kitchenowl/pvc.yaml
new file mode 100644
index 0000000..fe037d2
--- /dev/null
+++ b/apps/kitchenowl/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: kitchenowl-data
+  namespace: kitchenowl
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: local-path
diff --git a/apps/kitchenowl/secret.yaml b/apps/kitchenowl/secret.yaml
new file mode 100644
index 0000000..f9cf80f
--- /dev/null
+++ b/apps/kitchenowl/secret.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: kitchenowl-secret
+    namespace: kitchenowl
+type: Opaque
+stringData:
+    KO_SECRET_KEY: ENC[AES256_GCM,data:9Q4K1DMvJRDl72Q=,iv:DF3FaHwmLfSrN50L8O7/iUyXsF+ENEYIz5d3P7ZHbqk=,tag:JOzYcvIZNlRdimX5PLPV0A==,type:str]
+    KO_DB_PASSWORD: ENC[AES256_GCM,data:MeDzLSRNGDxuSKlZ/H5TKw==,iv:zJyTUJ5FqVYYAuSjTgPmvdRjHPSyjWZLm1su3o2siLg=,tag:iqvmA98wtmDDOPHcLpFLrw==,type:str]
+sops:
+    lastmodified: "2025-05-25T18:48:06Z"
+    mac: ENC[AES256_GCM,data:Yf4i9CMEsEY33d2R2JU56ghEpC7qlOQLC4f956f92mAls+fTfekzC1vpeMOHDup+4si3eBYdXKBMLnj0vuIcL5QSTRHLQgzAwRguqXEw/CL6zXD6cHwTyPbxWTLIob2NovIBonHVhIIKkaai2QGnJyrPN6EaTmXRMlYE5wKocxc=,iv:JVpj6i3ZtQMQ0JaoL5+fe8ZMi3ozG5xTcxSc9D9Drvg=,tag:Zw8jA5abHLkIIapS/tHRjg==,type:str]
+    pgp:
+        - created_at: "2025-05-25T18:48:06Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklARAAmE6dV/SfdGurYL0RPTJ1J3BTmiGzd9BemsyIjoBtRaOS
+            bNa5woXTpGO+48QWztiuWOEoIx5RlZNFmtF/zFHSvsuZX9uW4TMQdPQRE4HOJBG8
+            ZxByyDyowLmvjH7O7U6BoFw9rlyiAxYknO96gGcKCtJAaHgpmnqzcDzyRicAB615
+            04AlR+ZQwbiI/FKO11tV8mlxnR4AiEpyVpggD8zV1pHjnuzZPSLx40vpyhqU5edT
+            U8ii22xlxO306ANsO5Kk/J14Dg0aiLZrLGON07Am0CIbrPewUh5cvDWbeBuMPC60
+            CbrA905lI5RrrjGMIEf5qs2z0S+W4RxcrB4gUAhauKqwx/iUj8s2UGZXunzz44jI
+            ylepfhmJmh0lCYpZZGV9vfw0Qnat/dzVWXyeS1BfOMMcksyiVLqPpvg7me6Bdlrd
+            SZ5FzLCnN9p+2OFO/wmUVMiIbYie8Del6FVvEZRxeKHCGXE0qWY/YLdvBTye4gWB
+            03/mqaxnoJS+HpwNk/H8tmmrzHaabiRxIcv7Sd7QUNLMDZZkusBDbMevASgE2gyu
+            5QkOZ28sMvYuyeDl97KJfS6QottLB6EPa8fjHREdfhHSe+vhvb5/v1irsKuaZnvc
+            FtnrdWYAlBMYRCHVeE595xW9HG2xWKdBlpY7z0b2R5wyrffxObuUChK6tD06N/7U
+            aAEJAhBJUGnyEpEtLGU18J9W5i0HVVxV96ArGvm2+2/5jzwH9/vcJrG06sSoCpvA
+            Su7QnsOau+wKD7eBw9BcNTIkERr1ggCYha9en+zYCdt2DGHIpOrqCQ2tF0+JkgD1
+            Pz17gB922Z4A
+            =+7KI
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
diff --git a/apps/kitchenowl/service.yaml b/apps/kitchenowl/service.yaml
new file mode 100644
index 0000000..f61598b
--- /dev/null
+++ b/apps/kitchenowl/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kitchenowl
+  namespace: kitchenowl
+spec:
+  selector:
+    app: kitchenowl
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
new file mode 100644
index 0000000..7928324
--- /dev/null
+++ b/apps/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - home-assistant/
+  - kitchenowl/
+  - forgejo/
+  - forgejo-runner/
diff --git a/clusters/production/cert-manager.yaml b/clusters/production/cert-manager.yaml
new file mode 100644
index 0000000..4752bfd
--- /dev/null
+++ b/clusters/production/cert-manager.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../infrastructure/cert-manager
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
diff --git a/clusters/production/flux-system/gotk-sync.yaml b/clusters/production/flux-system/gotk-sync.yaml
index 6f4c2dc..2bff95b 100644
--- a/clusters/production/flux-system/gotk-sync.yaml
+++ b/clusters/production/flux-system/gotk-sync.yaml
@@ -8,7 +8,7 @@ metadata:
 spec:
   interval: 1m0s
   ref:
-    branch: main
+    branch: homelab-prod
   secretRef:
     name: flux-system
   url: https://codeberg.org/Pata1704/homelab_gitops.git
diff --git a/clusters/production/forgejo-runner.yaml b/clusters/production/forgejo-runner.yaml
new file mode 100644
index 0000000..0ae4b3c
--- /dev/null
+++ b/clusters/production/forgejo-runner.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: forgejo-runner
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../apps/forgejo-runner
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
diff --git a/clusters/production/forgejo.yaml b/clusters/production/forgejo.yaml
new file mode 100644
index 0000000..04d4711
--- /dev/null
+++ b/clusters/production/forgejo.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: forgejo
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../apps/forgejo
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
diff --git a/clusters/production/gitea.yaml b/clusters/production/gitea.yaml
new file mode 100644
index 0000000..7f3c437
--- /dev/null
+++ b/clusters/production/gitea.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: gitea
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../apps/gitea
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
diff --git a/clusters/production/kitchenowl.yaml b/clusters/production/kitchenowl.yaml
new file mode 100644
index 0000000..a7d7e91
--- /dev/null
+++ b/clusters/production/kitchenowl.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: kitchenowl
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../apps/kitchenowl
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+
diff --git a/clusters/production/kustomization.yaml b/clusters/production/kustomization.yaml
index b391401..d31dc1e 100644
--- a/clusters/production/kustomization.yaml
+++ b/clusters/production/kustomization.yaml
@@ -1,4 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - cert-manager.yaml
+  - kitchenowl.yaml
+  - forgejo.yaml
+  - forgejo-runner.yaml
+  - ocirepository.yaml
   - ../../infrastructure
+  - ../../apps
diff --git a/clusters/production/ocirepository.yaml b/clusters/production/ocirepository.yaml
new file mode 100644
index 0000000..f1a4749
--- /dev/null
+++ b/clusters/production/ocirepository.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: ocirepositories
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ../../infrastructure/ocirepositories
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
diff --git a/infrastructure/cert-manager-webhook-hetzner/helmrelease.yaml b/infrastructure/cert-manager-webhook-hetzner/helmrelease.yaml
new file mode 100644
index 0000000..01106f5
--- /dev/null
+++ b/infrastructure/cert-manager-webhook-hetzner/helmrelease.yaml
@@ -0,0 +1,18 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager-webhook-hetzner
+  namespace: cert-manager
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: cert-manager-webhook-hetzner
+      version: 1.3.3
+      sourceRef:
+        kind: HelmRepository
+        name: vadimkim-cert-manager-webhook-hetzner
+        namespace: flux-system
+  values:
+    groupName: patanix.de
+
diff --git a/infrastructure/cert-manager-webhook-hetzner/helmrepository.yaml b/infrastructure/cert-manager-webhook-hetzner/helmrepository.yaml
new file mode 100644
index 0000000..23eebd5
--- /dev/null
+++ b/infrastructure/cert-manager-webhook-hetzner/helmrepository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: vadimkim-cert-manager-webhook-hetzner
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://vadimkim.github.io/cert-manager-webhook-hetzner
diff --git a/infrastructure/gitea-runner/kustomization.yaml b/infrastructure/cert-manager-webhook-hetzner/kustomization.yaml
similarity index 99%
rename from infrastructure/gitea-runner/kustomization.yaml
rename to infrastructure/cert-manager-webhook-hetzner/kustomization.yaml
index d7fbb03..36e69d3 100644
--- a/infrastructure/gitea-runner/kustomization.yaml
+++ b/infrastructure/cert-manager-webhook-hetzner/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
   - helmrepository.yaml
   - helmrelease.yaml
+
diff --git a/infrastructure/cert-manager/configmap-values.yaml b/infrastructure/cert-manager/configmap-values.yaml
new file mode 100644
index 0000000..a089e12
--- /dev/null
+++ b/infrastructure/cert-manager/configmap-values.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-manager-helm-values
+  namespace: cert-manager
+data:
+  values.yaml: |
+    installCRDs: true
+
diff --git a/infrastructure/cert-manager/helmrelease.yaml b/infrastructure/cert-manager/helmrelease.yaml
new file mode 100644
index 0000000..a8dbb58
--- /dev/null
+++ b/infrastructure/cert-manager/helmrelease.yaml
@@ -0,0 +1,24 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.17.2
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+        namespace: flux-system
+  releaseName: cert-manager
+  valuesFrom:
+    - kind: ConfigMap
+      name: cert-manager-helm-values
+      valuesKey: values.yaml
+  install:
+    crds: CreateReplace
+  upgrade:
+    crds: CreateReplace
diff --git a/infrastructure/longhorn/helmrepository.yaml b/infrastructure/cert-manager/helmrepository.yaml
similarity index 60%
rename from infrastructure/longhorn/helmrepository.yaml
rename to infrastructure/cert-manager/helmrepository.yaml
index 2a21432..0dd08be 100644
--- a/infrastructure/longhorn/helmrepository.yaml
+++ b/infrastructure/cert-manager/helmrepository.yaml
@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: longhorn
+  name: jetstack
   namespace: flux-system
 spec:
-  url: https://charts.longhorn.io
-  interval: 10m
+  interval: 30m
+  url: https://charts.jetstack.io
diff --git a/infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml b/infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
new file mode 100644
index 0000000..0d4b3cd
--- /dev/null
+++ b/infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: hetzner-secret
+    namespace: cert-manager
+type: Opaque
+stringData:
+    api-key: ENC[AES256_GCM,data:zbosJdBCNMhy1hhF/spyZI3gUFKxrc6t6teRCxob0Xc=,iv:wWSccIo1/39rEZsAdQYt2GfReOK/WD2lvd53/NUmdcs=,tag:lzVh1h629QozAXETUOuzSA==,type:str]
+sops:
+    lastmodified: "2025-05-26T18:30:47Z"
+    mac: ENC[AES256_GCM,data:5TsPo7zuzxPciMDVEvOSBe8WuoYJe0w6BSMNRAJpQ84/52hyJtYb81zLepcfDID8IMUEj9qvKC+Yj6qsK29hsTaeLunRw89q0g4xFd1eQjT3bmQxdEMD4hBuK8tSQeA+bxRT2w0vNMgv+/qvVYGnuC+PyswpXP+ElpjTxawnFJo=,iv:xedxTiTm4Kjudx8P7V3t6luI40/kYjDZb4WOpjv9zrE=,tag:3mUuwVRaHh/343w2AkoKhA==,type:str]
+    pgp:
+        - created_at: "2025-05-26T18:30:47Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAxd/Yh1BfDklARAAilLl2QO6pKp/cBoq7A22ltZqlfyUZTWqfbz07X8xk1W9
+            I3MXdI/2rtndEDt2y0i693w6kwHKiCUfgTyYt2aS8HxgxDEktmO/6Z53wnDiESs0
+            +CDBkG50TpLBFM8nmlRGJBpTuFY4swsrn/1MCMSl1Yq3+CTQ6Rmu9Zo4cx7ZTyFM
+            w5Y2NwC6Mum2jj7DFUotDa5oNHjmFuobCfIfzm/2jIMlqHjllFhEGq1lzjofdTBJ
+            WSdNLbTOG8TYGA7jcJjNiGWA3J7pt7vnsCheNFyLgdXw3JVwdZIeKoIA2g4ONlk3
+            KEkqZ7RdY17RrZmFlByjYoSDmu3kTLXxztB3l8tcz5dUZStb9iZMb/4ODVOwwAcU
+            Jeur1BHrHh4dyZSiuFxh51di+0WyXfgpvhIs8ZSRFsdnZ4SFW4yPqs86Qmoh6ig1
+            F+Iyk3PY+mdKoHIqqK2E2UK3RtFQW1KhcW0xAXtvilWjVI5+QmnY9fEpNDWGieL5
+            Q0NEGPrhNAV/aIMLTFXzba75QJgE5eOvfAHg6ralFAxg3RU2wF+zExwGFfLsIp3F
+            Q0VzFFxLT0gFIEjBswBQ7DJOgdGCXhpWJSjOB2li17VKCMHi0STd+F84aFv8MLT4
+            zni018MaxTmqUEAT9ebijScXoOzGCjTsfQQioSMS01JC/wwWrUcYAXR5dNlB7nfU
+            aAEJAhB2ahVphetmKx/lJQij8AAIHAwddSPvOaC3M0dpVngJJDYeQt/+xBys2f+K
+            moT6INYTvdv1c5ELh4YbLpNSs+5FMdCAGeWVY7NHQfzXh0kSjngQdd+nXKy/1Sk6
+            bIo8ZRLHK6pN
+            =xDsS
+            -----END PGP MESSAGE-----
+          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
diff --git a/infrastructure/cert-manager/kustomization.yaml b/infrastructure/cert-manager/kustomization.yaml
new file mode 100644
index 0000000..2ba721a
--- /dev/null
+++ b/infrastructure/cert-manager/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - helmrepository.yaml
+  - helmrelease.yaml
+  - configmap-values.yaml
+  - hetzner-dns-api-token-secret.yaml
+  - letsencrypt-clusterissuer.yaml
+  - test-certificate.yaml
diff --git a/infrastructure/cert-manager/letsencrypt-clusterissuer.yaml b/infrastructure/cert-manager/letsencrypt-clusterissuer.yaml
new file mode 100644
index 0000000..75f3c4b
--- /dev/null
+++ b/infrastructure/cert-manager/letsencrypt-clusterissuer.yaml
@@ -0,0 +1,23 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-dns
+spec:
+  acme:
+    email: patryk-hegenberg@outlook.de
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-dns-key
+    solvers:
+      - dns01:
+          webhook:
+            groupName: patanix.de
+            solverName: hetzner
+            config:
+              secretName: hetzner-secret
+              zoneName: patanix.de
+              apiUrl: https://dns.hetzner.com/api/v1
+              # apiTokenSecretRef:
+              #   name: hetzner-dns-api-token
+              #   key: token
+
diff --git a/infrastructure/cert-manager/namespace.yaml b/infrastructure/cert-manager/namespace.yaml
new file mode 100644
index 0000000..c90416f
--- /dev/null
+++ b/infrastructure/cert-manager/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
diff --git a/infrastructure/cert-manager/test-certificate.yaml b/infrastructure/cert-manager/test-certificate.yaml
new file mode 100644
index 0000000..2eb49b0
--- /dev/null
+++ b/infrastructure/cert-manager/test-certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-certificate
+  namespace: cert-manager
+spec:
+  secretName: test-certificate-tls
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  commonName: test.patanix.de
+  dnsNames:
+    - test.patanix.de
diff --git a/infrastructure/cnpg/helmrelease-cluster.yaml b/infrastructure/cnpg/helmrelease-cluster.yaml
deleted file mode 100644
index ec82d5e..0000000
--- a/infrastructure/cnpg/helmrelease-cluster.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2 # Oder v2beta1
-kind: HelmRelease
-metadata:
-  name: shared-postgres-cluster
-  namespace: cnpg-system # Oder ein anderer Namespace für die Datenbank selbst, z.B. 'database'
-spec:
-  interval: 10m
-  chart:
-    spec:
-      chart: cluster # Dies ist der Chart für den Cluster selbst
-      # version: "<aktuelle-cluster-chart-version>" # Finde die passende Version auf ArtifactHub
-      sourceRef:
-        kind: HelmRepository
-        name: cnpg # Das zuvor definierte Repository
-        namespace: flux-system
-      interval: 1m
-  values:
-    # Cluster Konfiguration
-    # Name des Clusters, der im cnpg-system Namespace erstellt wird
-    name: shared-pg
-    # Anzahl der Instanzen (für Hochverfügbarkeit anpassen)
-    instances: 3
-    # Storage Konfiguration (Longhorn verwenden, wie in deinen anderen Setups)
-    storage:
-      size: "10Gi" # Gesamtgröße für den Cluster, anpassen nach Bedarf
-      storageClass: "longhorn" # Deine Longhorn StorageClass
-    # PostgreSQL Version (prüfe Kompatibilität mit deinen Anwendungen)
-    # postgresql:
-    #   imageName: "ghcr.io/cloudnative-pg/postgresql:15.3" # Beispiel
-
-    # Wichtig: Konfiguriere Backups! Hier nicht im Detail gezeigt.
-    # backup:
-    #   barmanObjectStore:
-    #     ...
-
-    # Monitoring (optional, aber empfohlen)
-    # monitoring:
-    #   enablePodMonitor: true
-
-    # Initiale Datenbanken und Benutzer (optional, kann auch manuell oder per Job erfolgen)
-    # Beachte, dass du für jede Anwendung (Gitea, SonarQube) eigene Datenbanken und Benutzer
-    # in diesem geteilten Cluster benötigst. CloudNativePG kann Benutzer verwalten.
-    # Beispiel für einen initialen Benutzer (NICHT für Anwendungen direkt verwenden,
-    # sondern spezifische Benutzer pro Anwendung erstellen)
-    # bootstrap:
-    #   initdb:
-    #     database: app_db_1 # Beispiel: Gitea DB
-    #     owner: app_user_1  # Beispiel: Gitea User
-    #   # Weitere Datenbanken hier
-    #
-    # # Deklarative Rollen/Benutzer
-    # postgresql:
-    #   managed:
-    #     roles:
-    #       - name: gitea_user
-    #         # passwordSecret: # Besser ein Secret verwenden
-    #         #   name: gitea-db-credentials
-    #         #   key: password
-    #       - name: sonarqube_user
-    #         # passwordSecret:
-    #         #   name: sonarqube-db-credentials
-    #         #   key: password
diff --git a/infrastructure/cnpg/helmrelease-operator.yaml b/infrastructure/cnpg/helmrelease-operator.yaml
deleted file mode 100644
index 147ebfe..0000000
--- a/infrastructure/cnpg/helmrelease-operator.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: cnpg-operator
-  namespace: cnpg-system
-spec:
-  interval: 10m
-  chart:
-    spec:
-      chart: cloudnative-pg
-      version: "0.23.2"
-      sourceRef:
-        kind: HelmRepository
-        name: cnpg
-        namespace: flux-system
-      interval: 1m
diff --git a/infrastructure/cnpg/helmrepository.yaml b/infrastructure/cnpg/helmrepository.yaml
deleted file mode 100644
index fa469e7..0000000
--- a/infrastructure/cnpg/helmrepository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2 # Oder v1 je nach deiner Flux-Version
-kind: HelmRepository
-metadata:
-  name: cnpg
-  namespace: flux-system
-spec:
-  interval: 1h
-  url: https://cloudnative-pg.io/charts
diff --git a/infrastructure/gitea-runner/helmrelease.yaml b/infrastructure/gitea-runner/helmrelease.yaml
deleted file mode 100644
index e5a1976..0000000
--- a/infrastructure/gitea-runner/helmrelease.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: gitea-act-runner
-  namespace: gitea
-spec:
-  releaseName: gitea-act-runner
-  interval: 10m
-  chart:
-    spec:
-      chart: gitea-act-runner
-      version: "0.5.2"
-      sourceRef:
-        kind: HelmRepository
-        name: gitea-charts
-        namespace: flux-system
-  values:
-    provisioning:
-      enabled: true
-      # Gitea-URL wie im Cluster erreichbar (interner Service-Name!)
-      serverURL: "http://gitea-http.gitea.svc.cluster.local:3000"
-      # Admin-Zugangsdaten wie oben im Gitea-Chart gesetzt
-      adminUser: "giteaadmin"
-      # adminPassword: "changeme"
-      adminPassword: "F3l1x-230113?"
-    rbac:
-      create: true
-    # Optional: Runner-Name, falls du mehrere Runner willst
-    runner:
-      labels: ["k3s", "fluxcd"]
diff --git a/infrastructure/gitea-runner/namespace.yaml b/infrastructure/gitea-runner/namespace.yaml
deleted file mode 100644
index e69de29..0000000
diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index 620a250..1db4b1a 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -1,9 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - monitoring/
-  - longhorn/
-  - gitea/
-  # - gitea-runner/
-  # - sonarqube/
-  - cnpg
+  - cert-manager/
+  - cert-manager-webhook-hetzner/
+  # - monitoring/
diff --git a/infrastructure/longhorn/helmrelease.yaml b/infrastructure/longhorn/helmrelease.yaml
deleted file mode 100644
index 695713b..0000000
--- a/infrastructure/longhorn/helmrelease.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: longhorn
-  namespace: longhorn-system
-spec:
-  releaseName: longhorn
-  chart:
-    spec:
-      chart: longhorn
-      version: "1.8.1"
-      sourceRef:
-        kind: HelmRepository
-        name: longhorn
-        namespace: flux-system
-  interval: 5m
-  install:
-    createNamespace: true
-  values:
-    defaultSettings:
-      defaultReplicaCount: 2
-    persistence:
-      defaultClassReplicaCount: 2
diff --git a/infrastructure/longhorn/longhorn-ingress.yaml b/infrastructure/longhorn/longhorn-ingress.yaml
deleted file mode 100644
index ce7f130..0000000
--- a/infrastructure/longhorn/longhorn-ingress.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: longhorn-ui
-  namespace: longhorn-system
-  annotations:
-    kubernetes.io/ingress.class: "traefik"
-spec:
-  rules:
-    - host: longhorn.local
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: longhorn-frontend
-                port:
-                  number: 80
diff --git a/infrastructure/ocirepositories/forgejo.yaml b/infrastructure/ocirepositories/forgejo.yaml
new file mode 100644
index 0000000..cf40613
--- /dev/null
+++ b/infrastructure/ocirepositories/forgejo.yaml
@@ -0,0 +1,10 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: forgejo
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: oci://code.forgejo.org/forgejo-helm/forgejo
+  ref:
+    tag: "12.5.1"
diff --git a/infrastructure/sonarqube/helmrelease.yaml b/infrastructure/sonarqube/helmrelease.yaml
deleted file mode 100644
index 9544394..0000000
--- a/infrastructure/sonarqube/helmrelease.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: sonarqube
-  namespace: sonarqube
-spec:
-  interval: 10m
-  chart:
-    spec:
-      chart: sonarqube
-      version: "2025.2.0"
-      sourceRef:
-        kind: HelmRepository
-        name: sonarqube
-        namespace: flux-system
-  values:
-    community:
-      enabled: true
-    monitoringPasscode: "supersecret123"
-    persistence:
-      enabled: true
-      storageClass: longhorn
-      size: 5Gi
-    postgresql:
-      enabled: true
-      persistence:
-        enabled: true
-        storageClass: longhorn
-        size: 2Gi
-    ingress:
-      enabled: true
-      hosts:
-        - name: sonarqube.local
-          path: /
-      ingressClassName: traefik
diff --git a/infrastructure/sonarqube/helmrepository.yaml b/infrastructure/sonarqube/helmrepository.yaml
deleted file mode 100644
index 5d2cb5a..0000000
--- a/infrastructure/sonarqube/helmrepository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: sonarqube
-  namespace: flux-system
-spec:
-  url: https://SonarSource.github.io/helm-chart-sonarqube
-  interval: 1h
diff --git a/notes/cert-manager-webhook.md b/notes/cert-manager-webhook.md
new file mode 100644
index 0000000..e1367bd
--- /dev/null
+++ b/notes/cert-manager-webhook.md
@@ -0,0 +1,79 @@
+# Schritt: cert-manager-webhook-hetzner (vadimkim) und ClusterIssuer
+
+## 1. HelmRepository für Webhook anlegen
+```bash
+cat <<EOF > infrastructure/cert-manager-webhook-hetzner/helmrepository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: vadimkim-cert-manager-webhook-hetzner
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://vadimkim.github.io/cert-manager-webhook-hetzner
+EOF
+```
+
+## 2. HelmRelease für Webhook anlegen
+```bash
+cat <<EOF > infrastructure/cert-manager-webhook-hetzner/helmrelease.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: cert-manager-webhook-hetzner
+  namespace: cert-manager
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: cert-manager-webhook-hetzner
+      version: 2.9.0
+      sourceRef:
+        kind: HelmRepository
+        name: vadimkim-cert-manager-webhook-hetzner
+        namespace: flux-system
+  values:
+    groupName: patanix.de
+EOF
+```
+
+## 3. ClusterIssuer anlegen
+```bash
+cat <<EOF > infrastructure/cert-manager/letsencrypt-clusterissuer.yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-dns
+spec:
+  acme:
+    email: patryk-hegenberg@outlook.de
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-dns-key
+    solvers:
+      - dns01:
+          webhook:
+            groupName: patanix.de
+            solverName: hetzner
+            config:
+              apiTokenSecretRef:
+                name: hetzner-dns-api-token
+                key: token
+EOF
+```
+
+## 4. Dateien ins Git-Repo legen und pushen
+```bash
+git add infrastructure/cert-manager-webhook-hetzner/*
+git add infrastructure/cert-manager/letsencrypt-clusterissuer.yaml
+git commit -m "Add vadimkim cert-manager-webhook-hetzner and ClusterIssuer for patanix.de"
+git push origin main
+```
+
+## 5. Flux synchronisieren und prüfen
+```bash
+flux reconcile source git flux-system
+flux get helmreleases -A
+kubectl get pods -n cert-manager
+kubectl get clusterissuer
+```
diff --git a/notes/cert-manager.md b/notes/cert-manager.md
new file mode 100644
index 0000000..338b3ae
--- /dev/null
+++ b/notes/cert-manager.md
@@ -0,0 +1,40 @@
+# Schritt 1: cert-manager v1.17.2 mit FluxCD deployen
+
+## Verzeichnisstruktur
+infrastructure/
+  cert-manager/
+    namespace.yaml
+    helmrepository.yaml
+    configmap-values.yaml
+    helmrelease.yaml
+  kustomization-cert-manager.yaml
+
+## Vorgehen
+
+1. YAML-Dateien wie oben beschrieben im Git-Repository anlegen.
+2. Änderungen committen und pushen:
+```bash
+   git add infrastructure/cert-manager/*
+   git add infrastructure/kustomization-cert-manager.yaml
+   git commit -m "Deploy cert-manager v1.17.2 via FluxCD"
+   git push origin main
+```
+
+3. Flux synchronisiert automatisch. Manuelles Triggern:
+```bash
+   flux reconcile source git flux-system
+   flux get kustomizations
+   kubectl -n cert-manager get pods
+```
+
+4. Prüfen, ob cert-manager läuft:
+```bash
+   kubectl -n cert-manager get pods
+   kubectl -n cert-manager get deployments
+```
+
+5. Fehlerdiagnose:
+```bash
+   flux logs
+   kubectl -n cert-manager logs deploy/cert-manager
+```
diff --git a/notes/home-assistant.md b/notes/home-assistant.md
new file mode 100644
index 0000000..c21df6b
--- /dev/null
+++ b/notes/home-assistant.md
@@ -0,0 +1,86 @@
+# Home Assistant Best Practices
+
+## Secret
+- Nicht zwingend nötig, nur für zusätzliche Umgebungsvariablen.
+- Kann jederzeit nachgerüstet werden.
+
+## Zertifikat
+- Standard: Ingress mit cert-manager-Annotation, cert-manager erstellt das Zertifikat automatisch.
+- Alternativ: Certificate-Objekt selbst anlegen, dann Annotation im Ingress entfernen.
+
+## HelmRepository (pajikos)
+```bash
+cat <<EOF > infrastructure/services/home-assistant/helmrepository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: pajikos-home-assistant
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://pajikos.github.io/home-assistant-helm-chart
+EOF
+```
+
+## HelmRelease (Beispiel)
+```bash
+cat <<EOF > infrastructure/services/home-assistant/helmrelease.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: home-assistant
+  namespace: home-assistant
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: home-assistant
+      version: 15.3.5
+      sourceRef:
+        kind: HelmRepository
+        name: pajikos-home-assistant
+        namespace: flux-system
+  values:
+    persistence:
+      enabled: true
+      existingClaim: home-assistant-config
+    ingress:
+      main:
+        enabled: true
+        hosts:
+          - host: ha.patanix.de
+            paths:
+              - /
+        tls:
+          - secretName: ha-patanix-de-tls
+            hosts:
+              - ha.patanix.de
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-dns
+EOF
+```
+
+## 2. Secret verschlüsseln - falls vorhanden
+```bash
+sops -e -i infrastructure/services/home-assistant/secret.yaml
+```
+
+## 3. Dateien ins Repo legen und pushen
+```bash
+git add infrastructure/services/home-assistant/*
+git add infrastructure/kustomization-home-assistant.yaml
+git commit -m "Deploy Home Assistant via FluxCD (20GiB, ha.patanix.de)"
+git push origin main
+```
+
+## 4. Flux synchronisieren
+```bash
+flux reconcile source git flux-system
+flux get kustomizations
+kubectl -n home-assistant get pods
+kubectl -n home-assistant get ingress
+kubectl -n home-assistant get certificate
+```
+
+## 5. Erreichbarkeit testen
+# Nach DNS-Propagation und Zertifikatsausstellung: https://ha.patanix.de aufrufen
diff --git a/notes/sops-and-hetzner-secret.md b/notes/sops-and-hetzner-secret.md
new file mode 100644
index 0000000..75618e6
--- /dev/null
+++ b/notes/sops-and-hetzner-secret.md
@@ -0,0 +1,84 @@
+# SOPS für FluxCD einrichten
+
+## SOPS & GPG installieren
+```bash
+sudo dnf install gnupg
+```
+### Download the binary
+```bash
+curl -LO https://github.com/getsops/sops/releases/download/v3.10.2/sops-v3.10.2.linux.amd64
+```
+
+### Move the binary in to your PATH
+```bash
+mv sops-v3.10.2.linux.amd64 /usr/local/bin/sops
+```
+
+### Make the binary executable
+```bash
+chmod +x /usr/local/bin/sops
+```
+
+## GPG Key generieren
+```bash
+export KEY_NAME="k3s.homelab"
+export KEY_COMMENT="flux secrets"
+gpg --batch --full-generate-key <<EOF
+%no-protection
+Key-Type: 1
+Key-Length: 4096
+Subkey-Type: 1
+Subkey-Length: 4096
+Expire-Date: 0
+Name-Comment: ${KEY_COMMENT}
+Name-Real: ${KEY_NAME}
+EOF
+```
+
+## GPG Fingerprint anzeigen
+```bash
+gpg --list-secret-keys "${KEY_NAME}"
+export KEY_FP=<DEIN_FINGERPRINT>
+```
+
+## GPG Key als Kubernetes Secret speichern
+```bash
+gpg --export-secret-keys --armor "${KEY_FP}" | \
+kubectl create secret generic sops-gpg \
+  --namespace=flux-system \
+  --from-file=sops.asc=/dev/stdin
+```
+## .sops.yaml im Repo anlegen
+```bash
+cat <<EOF > .sops.yaml
+creation_rules:
+  - encrypted_regex: '^(data|stringData)$'
+    path_regex: \.yaml$
+    pgp: <DEIN_FINGERPRINT>
+EOF
+```
+
+## Hetzner DNS API Token in Secret-Datei eintragen
+```bash
+cat <<EOF > infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: hetzner-dns-api-token
+  namespace: cert-manager
+type: Opaque
+stringData:
+  token: "<HIER_DEIN_HETZNER_DNS_API_TOKEN_EINFÜGEN>"
+EOF
+```
+## Mit SOPS verschlüsseln
+```bash
+sops -e -i infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
+```
+
+## Ins Git-Repo legen und pushen
+```bash
+git add infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
+git commit -m "Add Hetzner DNS API token secret (encrypted with SOPS)"
+git push origin main
+```
diff --git a/notes/test-certificate.md b/notes/test-certificate.md
new file mode 100644
index 0000000..ee91d95
--- /dev/null
+++ b/notes/test-certificate.md
@@ -0,0 +1,40 @@
+# Test: Zertifikatsausstellung mit cert-manager und Hetzner DNS
+
+## Test-Zertifikat anlegen
+```bash
+cat <<EOF > infrastructure/cert-manager/test-certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: test-certificate
+  namespace: cert-manager
+spec:
+  secretName: test-certificate-tls
+  issuerRef:
+    name: letsencrypt-dns
+    kind: ClusterIssuer
+  commonName: test.patanix.de
+  dnsNames:
+    - test.patanix.de
+EOF
+```
+
+## Datei ins Repo legen und pushen
+```bash
+git add infrastructure/cert-manager/test-certificate.yaml
+git commit -m "Add test certificate request for test.patanix.de"
+git push origin main
+```
+
+## Status prüfen
+```bash
+kubectl -n cert-manager get certificate
+kubectl -n cert-manager describe certificate test-certificate
+kubectl -n cert-manager get secret test-certificate-tls
+```
+
+# Events und Fehlerdiagnose
+```bash
+kubectl -n cert-manager get events --sort-by=.metadata.creationTimestamp
+kubectl -n cert-manager logs deploy/cert-manager
+```
diff --git a/renovate.json b/renovate.json
deleted file mode 100644
index 7190a60..0000000
--- a/renovate.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
-}