Merge pull request 'chore: Configure Renovate' (#1) from renovate/configure into main

Reviewed-on: #1

.sops.yaml

@@ -1,4 +0,0 @@
-creation_rules:
-  - encrypted_regex: '^(data|stringData)$'
-    path_regex: \.yaml$
-    pgp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764

apps/forgejo-runner/deployment.yaml

@@ -1,75 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: forgejo-runner
-  namespace: forgejo
-  labels:
-    app: forgejo-runner
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: forgejo-runner
-  template:
-    metadata:
-      labels:
-        app: forgejo-runner
-    spec:
-      restartPolicy: Always
-      volumes:
-      - name: docker-certs
-        emptyDir: {}
-      - name: runner-data
-        emptyDir: {}
-      initContainers:
-      - name: runner-config-generation
-        image: code.forgejo.org/forgejo/runner:6.3.1
-        command:
-          [
-            "sh",
-            "-c",
-            "forgejo-runner create-runner-file --instance $FORGEJO_INSTANCE_URL --secret $RUNNER_SECRET --connect"
-          ]
-        env:
-        - name: RUNNER_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: forgejo-runner-token
-              key: token
-        - name: FORGEJO_INSTANCE_URL
-          value: https://git.patanix.de
-        volumeMounts:
-        - name: runner-data
-          mountPath: /data
-      containers:
-      - name: runner
-        image: code.forgejo.org/forgejo/runner:6.3.1
-        command:
-          [
-            "sh",
-            "-c",
-            "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon"
-          ]
-        env:
-        - name: DOCKER_HOST
-          value: tcp://localhost:2376
-        - name: DOCKER_CERT_PATH
-          value: /certs/client
-        - name: DOCKER_TLS_VERIFY
-          value: "1"
-        volumeMounts:
-        - name: docker-certs
-          mountPath: /certs
-        - name: runner-data
-          mountPath: /data
-      - name: daemon
-        image: docker:23.0.6-dind
-        env:
-        - name: DOCKER_TLS_CERTDIR
-          value: /certs
-        securityContext:
-          privileged: true
-        volumeMounts:
-        - name: docker-certs
-          mountPath: /certs
-

apps/forgejo-runner/runner-secret.yaml

@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: forgejo-runner-token
-    namespace: forgejo
-type: Opaque
-stringData:
-    token: ENC[AES256_GCM,data:e0BsoUOwkfl7qt48/eT8Nvexg8RZ24cG33VeIfjru4NxyVOXUVQDGw==,iv:4My1NRIA5DG1uvgxAki5pYVYJdM/oTNqPu4WEn1IFaI=,tag:dKRwR5q/szl9/Qm/6TFnKQ==,type:str]
-sops:
-    lastmodified: "2025-05-26T16:32:21Z"
-    mac: ENC[AES256_GCM,data:ccBH5XRiXgio3aCEi4O4YRdh7sq46qxN457IMUqgQrCNFBNjk70OJD31ZxalYPr1iTlAQdbtPT8tVcFRd8EvTeRSm9KaWqusVKHbdsWeDUStHNXADjFwLTAoqVOn0yz9H5YTdLFxIHuV61w2HDJkz+sG0bM9uwv6YPkdbnyLtFs=,iv:h9NzKcUGbLwriVBo1Gfkw2Wbqr1dIZ0nevT1p4pHiQs=,tag:TXxb9UxVeTF6lUbSUxP9DQ==,type:str]
-    pgp:
-        - created_at: "2025-05-26T16:32:21Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAxd/Yh1BfDklARAArNaDCnZTWLtET2sx73YyUhRSqF4fuc8whg8s6K93llT8
-            oxi/MJNkD8yFa3PgGzFl1Yfdw2xpv5BbdYe0dIclitZe87y4DjMrUbc6ZeYaWr/A
-            W+LgcUcspBiofqgOHS+RGupi0djdjOcQN2upAU2OsbPXI3IhmSyQQmaOU5zbgHRx
-            230KArgUGCpkdnO78tKlSMnyw02omzV/J6qMZ3iV1KyK8kRC5VH4OIWQN8hypEXG
-            4Iaf6bJbTpaLZLNScjGJR4v9FKo0CQ8RSO8UDtGdVajrHBNWuHkogu7Ol8byoCJ5
-            S9+N39YC0wcaRQ0bf9qFr3EcNnCDSxYcPRH7aCLGazyu9qZEf2Azj+i80saY9XBJ
-            787KyHxB7OfNPuG6FAtmJqRxnfc7br/4clQ93phqCBXRAd+AOGAhCuwQCLNsYP17
-            jklZKSnvKw56RgsQ2ANHkDZ9O3RcfWJjj5lZX0Tr8REm849YimL70D5KGPj/YDuO
-            vY1GdJjDTfxWwXuX7crJbROF1m8KBcQdIa3/XUZx2sDHfSJn4Wlklze9P0P6XmVc
-            D4Yc7kZ8z5oEvJkW/+7YUKZjxv/2QkLHQ1qKYse8CeDFQ9plibLd09D6Z83Ycvhx
-            /n9C5LRJS1LZn4h4DMxncALPMDXQjCjoBDXttieLvZz8r3a2Ja1TEsNERZxrBoXU
-            aAEJAhAk/ocgcppH9AALdg47PFam0GTHIVc5ywo6pPVOLJPkDxr/cKYw3a08mQE9
-            B+NUGfLBBhRH39LZdb/HwNB8pqLw/QEtAL/5cxO4jFl48l0WhZ+Gz6DWj+NZ4ttC
-            wsWJRN7WlR4U
-            =cLTV
-            -----END PGP MESSAGE-----
-          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2

apps/forgejo/certificate.yaml

@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: forgejo-tls
-  namespace: forgejo
-spec:
-  secretName: forgejo-tls
-  issuerRef:
-    name: letsencrypt-dns
-    kind: ClusterIssuer
-  commonName: git.patanix.de
-  dnsNames:
-    - git.patanix.de

apps/forgejo/forgejo-admin-secret.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: forgejo-admin
-    namespace: forgejo
-type: Opaque
-stringData:
-    username: ENC[AES256_GCM,data:5U+NQFI=,iv:Hy4WQ1iSSDGY1/hZeqvUlUmbH2DzrFaIMRXHhPFFNao=,tag:ssIQ38hN5dqBamzKfqOntA==,type:str]
-    email: ENC[AES256_GCM,data:TkA4de0xPhpa6vNh8yqgUDxpTiFnQjbVcg==,iv:BCrKyx52wvCdXXKPDqQpCEt5LL3pe13MAb0SBx4cU2E=,tag:lnjjPIxSOMgqrhAeFCqI/w==,type:str]
-    password: ENC[AES256_GCM,data:m+UcNRE/KjJuZn4=,iv:FHE0gAQo+jJluWyjhDcxqKfxKsh2+MNCnU0oCBZJ15M=,tag:3TBBB9N4l1CkQPovPGzXNw==,type:str]
-sops:
-    lastmodified: "2025-05-26T11:50:42Z"
-    mac: ENC[AES256_GCM,data:QCmUknliiOFBXfVNzYNjdtHMG+ZNC9WyQT7Q6+zhJAeFr2CbpsMmlqHFuKj68c7zlty6ZZpc58ZVMnp6l29n9YTPNKjNlIbtkVYcd3SPnAEOiiYXyxymJdPjWmRwi1XxsfVPkG8Vb0psWtRuHgJxpDsGWEPFMDw9B2pyRITBPEw=,iv:YsX7bSb5Exzb1fs/ZfVQiz5yFUkL1YDTag+1zHSYUk8=,tag:PR3/N9QdJ1X++6Og6FLWLQ==,type:str]
-    pgp:
-        - created_at: "2025-05-26T11:50:42Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAxd/Yh1BfDklARAAk/2MvtyJYevYh6DMMdOlj+KwjAifju/T1a9/yEdVZEOA
-            8EC+zq49NIIkrpw3vy18TMSg0Sp4jDUatIjN06zrmPZp6p5x26VDjOcuNiyZIgp+
-            6IFs2yvPk7rqExC/4eOK3BS7YWcBPTrhFCMBLaeWOi+Ku1qmTmPNufogUp7/RcHF
-            Sk9lqtiGcGvV7nQs+SXakgxnI019AJ5y3DBkACJwLaTBZaCc8ebCVJpuBhQpBuql
-            ArtL7l8FEf5Yy8WZny9agK+sRZc3LugFS+XVlVKzfY53tPIanwYqdFQbXCAcKXXp
-            zAqR6f15+lpCIKjoPbBgrmun+OtyGHfFelaQFnLQwefAUFiS2lGlukgHdC8B9yjk
-            iw6uCM3NPAdtzDoHlE5AdkauXF2vfW0yvnaCOzh3ogsMsQG9VbcRXQUXx2SUW+2r
-            BNJUaiGnRMoMFjsms6TSY7EMFT7dnyRGOlhFZLocEDBzfjsCvvuvuOoyrw1gTiJw
-            tgT685+Su80qbtTrfWGx7tewhFn/ERklgLFWa3WrJxXmfajpI4ksardtB5EclnMb
-            b9uV95WroK5C3IbE2q8y2qpt51tizUZCMYHNOr0XdBGgkwkMtPRAdTnXABaiBgfk
-            dNOHL1sMngT7tfVuazPPV5KuCYJ47aKFNjTq7PyDkU+Y/5xqa2yOGn43wSjJXJ7U
-            aAEJAhDXjJgiE9z5Fms0y1Q6PJzZB40EKyOYidhV64YqOeNMb4rEwsr41t+jo5EY
-            x0HAkWPxAtcLGHn31jZtwGN0sMyHQ8wMjNFaGzIOFaLYHGB5mHWKcKPgItMp3rDR
-            5DZ8W+sMt4Df
-            =OK0Y
-            -----END PGP MESSAGE-----
-          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2

apps/forgejo/helmrelease.yaml

@@ -1,43 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: forgejo
-  namespace: forgejo
-spec:
-  interval: 15m
-  chartRef:
-    kind: OCIRepository
-    name: forgejo
-    namespace: flux-system
-  values:
-    persistence:
-      enabled: true
-      size: 40Gi
-      storageClass: local-path
-    ingress:
-      enabled: true
-      className: traefik
-      hosts:
-        - host: git.patanix.de
-          paths:
-            - path: /
-              pathType: Prefix
-      tls:
-        - secretName: forgejo-tls
-          hosts:
-            - git.patanix.de
-      annotations:
-        cert-manager.io/cluster-issuer: letsencrypt-dns
-    admin:
-      existingSecret: forgejo-admin
-      usernameKey: username
-      passwordKey: password
-      emailKey: email
-    redis:
-      enabled: true
-    redis-cluster:
-      enabled: false
-    postgresql-ha:
-      enabled: false
-    postgresql:
-      enabled: true

apps/gitea/certificate.yaml

@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: gitea-tls
-  namespace: gitea
-spec:
-  secretName: gitea-tls
-  issuerRef:
-    name: letsencrypt-dns
-    kind: ClusterIssuer
-  commonName: git.patanix.de
-  dnsNames:
-    - git.patanix.de

apps/gitea/gitea-admin-secret.yaml

@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: gitea-admin
-    namespace: gitea
-type: Opaque
-stringData:
-    username: ENC[AES256_GCM,data:ZBxl7DQBLe5fDww=,iv:zTwXtGFqL3yMgAzyDpsGiMAJ8scB32SC1Ehuuhk1pDE=,tag:CZidHkUJizZmEtY6eo6m6w==,type:str]
-    password: ENC[AES256_GCM,data:VyN6dle4JZsWIzg=,iv:TZiVv8J9tJowNJm2428vyeX0u3fjBuMJbgCpEJFNE2s=,tag:Ojv881IpyNS8wrCkUFaAmg==,type:str]
-    email: ENC[AES256_GCM,data:TMBijnBYYQLBx1TWUra/HF5vAFZjZ4fRZQ==,iv:jGhot21TVqEij4LPwoRfTbPXBImivgg9knqRHuU6A8Y=,tag:2mKfHvYugmOmqdZfe4risg==,type:str]
-sops:
-    lastmodified: "2025-05-26T09:30:16Z"
-    mac: ENC[AES256_GCM,data:bcOQjgb3ie22ape8QooHVhcqYTGHPgN0W4j5ikbozI8YqIIudS9V0RA2dV2wzRNqBDaEsGTzqGIqe4aXEa7juizdxPEL63EtFmU06UbqjoUyw3UUiSPVTj7GVIpPGR3OhRyNJSKYy/ZkVQvAYllI56Du1FNV99lF+ytBQo/wU8w=,iv:ipqhozwXFE9bVuQqsZrBxHtVHcsIWiVewuDWTlofgNs=,tag:lNalhPo0WA4NKjVoRxzwuw==,type:str]
-    pgp:
-        - created_at: "2025-05-26T09:30:16Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAxd/Yh1BfDklARAAiGkRRw5T62eViNLz9JIDsFcnQ7gJfb/CuoGTFFGnGY9e
-            I4mLxjxYvZfnBKKCHCxnMjhBGc+l2VWbbYhiFOXY2XIUHNsvL/7qPvrRvVTHuHIq
-            GKjL+sgY1NBNt2zftcJEMVR+EYr8EbAlq7dk3bOHWJxA99cf0ZBYHk1Vp3uh8XkO
-            zYn4FgRr+2+MB3Tf89lbsJH73JqYHhC73RKxxcIDFrSm/s5PaBrV2/Bkv45e9AOd
-            N2xQgw5rLFC0mxZd6fWEIjJw+19XgwowFFD4zK5T5eDYilAoS3tCSPQaewVmoUQM
-            MZtfE2QcSKCyZDdeWcwUWld0g+ANUT/NhtpyxJDbMxH1GVot7yh5L71uh9Y5ikMd
-            hkpBBe5z2rcpAOEel/rKKLopIqc0gaz8THCiTJWD7AdlHiy0fQ7Pd7nKAQujWzrf
-            8+aMNSJ7kGPvzcLVSatXaJbHu9DDTyXf3sznKIiFnxS9fr28wCAUBFzg6rEzj4Xb
-            ptQzVcA3+x026sXn7EUxL10O3st7RIV2/tF24zoGpb2W8mlGkt47LvijrcmvQcnW
-            s8iUsu3rSdYAdQ0WjV/NG7b8eaB/Jbe0WukvD4Dm0SHq5ZDqZhCp9e0v+RcwsapJ
-            WKstsBwGiTud+WMKmJjb5ziJ7X0wW9sst1HFyiwdAdus42aWVIrJa5gSCVUs90TU
-            ZgEJAhBtni2z5cPKkFivbn1yoIeZi7QH1PF2+ucFhdfSVcPuCBWydtz67aTH7rYa
-            XpGjhFYHapmph9nbDUueTrf2l5Q4LorVUsHwbM424Wo5gN8GF/l0af29ASLVvhPD
-            WpAzLIa+Fw==
-            =xXsp
-            -----END PGP MESSAGE-----
-          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2

apps/gitea/pvc.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: gitea-data
-  namespace: gitea
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 40Gi
-  storageClassName: local-path

apps/home-assistant/helmrelease.yaml

@@ -1,45 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: home-assistant
-  namespace: home-assistant
-spec:
-  interval: 10m
-  releaseName: home-assistant
-  chart:
-    spec:
-      chart: home-assistant
-      version: "0.3.4"
-      sourceRef:
-        kind: HelmRepository
-        name: home-assistant
-        namespace: flux-system
-  values:
-    hostNetwork: false
-    persistence:
-      enabled: true
-      existingClaim: home-assistant-config
-    ingress:
-      enabled: true
-      className: traefik
-      hosts:
-        - host: ha.patanix.de
-          paths:
-            - path: /
-              pathType: Prefix
-      tls:
-        - secretName: ha-patanix-de-tls
-          hosts:
-            - ha.patanix.de
-      annotations:
-        cert-manager.io/cluster-issuer: letsencrypt-dns
-    service:
-      type: ClusterIP
-      port: 8123
-    configuration:
-      enabled: true
-      trusted_proxies:
-        - 10.42.0.0/16
-        - ::1
-        - 127.0.0.1
-      # use_x_forwarded_for: true

apps/home-assistant/pvc.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: home-assistant-config
-  namespace: home-assistant
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 20Gi
-  storageClassName: local-path

apps/kitchenowl/certificate.yaml

@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: kitchenowl-tls
-  namespace: kitchenowl
-spec:
-  secretName: kitchenowl-tls
-  issuerRef:
-    name: letsencrypt-dns
-    kind: ClusterIssuer
-  commonName: kitchen.patanix.de
-  dnsNames:
-    - kitchen.patanix.de

apps/kitchenowl/deployment.yaml

@@ -1,33 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: kitchenowl
-  namespace: kitchenowl
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: kitchenowl
-  template:
-    metadata:
-      labels:
-        app: kitchenowl
-    spec:
-      containers:
-        - name: kitchenowl
-          image: 'tombursch/kitchenowl:latest'
-          env:
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: kitchenowl-secret
-                  key: KO_SECRET_KEY
-            - name: DB_TYPE
-              value: sqlite
-          volumeMounts:
-            - name: data
-              mountPath: /data
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: kitchenowl-data

apps/kitchenowl/ingress.yaml

@@ -1,24 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: kitchenowl
-  namespace: kitchenowl
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-dns
-spec:
-  ingressClassName: traefik
-  rules:
-    - host: kitchen.patanix.de
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: kitchenowl
-                port:
-                  number: 80
-  tls:
-    - hosts:
-        - kitchen.patanix.de
-      secretName: kitchenowl-tls

apps/kitchenowl/kustomization.yaml

@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - pvc.yaml
-  - secret.yaml
-  - deployment.yaml
-  - service.yaml
-  - ingress.yaml
-  - certificate.yaml

apps/kitchenowl/pvc.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: kitchenowl-data
-  namespace: kitchenowl
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 5Gi
-  storageClassName: local-path

apps/kitchenowl/secret.yaml

@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: kitchenowl-secret
-    namespace: kitchenowl
-type: Opaque
-stringData:
-    KO_SECRET_KEY: ENC[AES256_GCM,data:9Q4K1DMvJRDl72Q=,iv:DF3FaHwmLfSrN50L8O7/iUyXsF+ENEYIz5d3P7ZHbqk=,tag:JOzYcvIZNlRdimX5PLPV0A==,type:str]
-    KO_DB_PASSWORD: ENC[AES256_GCM,data:MeDzLSRNGDxuSKlZ/H5TKw==,iv:zJyTUJ5FqVYYAuSjTgPmvdRjHPSyjWZLm1su3o2siLg=,tag:iqvmA98wtmDDOPHcLpFLrw==,type:str]
-sops:
-    lastmodified: "2025-05-25T18:48:06Z"
-    mac: ENC[AES256_GCM,data:Yf4i9CMEsEY33d2R2JU56ghEpC7qlOQLC4f956f92mAls+fTfekzC1vpeMOHDup+4si3eBYdXKBMLnj0vuIcL5QSTRHLQgzAwRguqXEw/CL6zXD6cHwTyPbxWTLIob2NovIBonHVhIIKkaai2QGnJyrPN6EaTmXRMlYE5wKocxc=,iv:JVpj6i3ZtQMQ0JaoL5+fe8ZMi3ozG5xTcxSc9D9Drvg=,tag:Zw8jA5abHLkIIapS/tHRjg==,type:str]
-    pgp:
-        - created_at: "2025-05-25T18:48:06Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAxd/Yh1BfDklARAAmE6dV/SfdGurYL0RPTJ1J3BTmiGzd9BemsyIjoBtRaOS
-            bNa5woXTpGO+48QWztiuWOEoIx5RlZNFmtF/zFHSvsuZX9uW4TMQdPQRE4HOJBG8
-            ZxByyDyowLmvjH7O7U6BoFw9rlyiAxYknO96gGcKCtJAaHgpmnqzcDzyRicAB615
-            04AlR+ZQwbiI/FKO11tV8mlxnR4AiEpyVpggD8zV1pHjnuzZPSLx40vpyhqU5edT
-            U8ii22xlxO306ANsO5Kk/J14Dg0aiLZrLGON07Am0CIbrPewUh5cvDWbeBuMPC60
-            CbrA905lI5RrrjGMIEf5qs2z0S+W4RxcrB4gUAhauKqwx/iUj8s2UGZXunzz44jI
-            ylepfhmJmh0lCYpZZGV9vfw0Qnat/dzVWXyeS1BfOMMcksyiVLqPpvg7me6Bdlrd
-            SZ5FzLCnN9p+2OFO/wmUVMiIbYie8Del6FVvEZRxeKHCGXE0qWY/YLdvBTye4gWB
-            03/mqaxnoJS+HpwNk/H8tmmrzHaabiRxIcv7Sd7QUNLMDZZkusBDbMevASgE2gyu
-            5QkOZ28sMvYuyeDl97KJfS6QottLB6EPa8fjHREdfhHSe+vhvb5/v1irsKuaZnvc
-            FtnrdWYAlBMYRCHVeE595xW9HG2xWKdBlpY7z0b2R5wyrffxObuUChK6tD06N/7U
-            aAEJAhBJUGnyEpEtLGU18J9W5i0HVVxV96ArGvm2+2/5jzwH9/vcJrG06sSoCpvA
-            Su7QnsOau+wKD7eBw9BcNTIkERr1ggCYha9en+zYCdt2DGHIpOrqCQ2tF0+JkgD1
-            Pz17gB922Z4A
-            =+7KI
-            -----END PGP MESSAGE-----
-          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2

apps/kitchenowl/service.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: kitchenowl
-  namespace: kitchenowl
-spec:
-  selector:
-    app: kitchenowl
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 8080

apps/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - home-assistant/
-  - kitchenowl/
-  - forgejo/
-  - forgejo-runner/

clusters/production/cert-manager.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cert-manager
-  namespace: flux-system
-spec:
-  interval: 10m
-  path: ../../infrastructure/cert-manager
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg

clusters/production/flux-system/gotk-sync.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   interval: 1m0s
   ref:
-    branch: homelab-prod
+    branch: main
   secretRef:
     name: flux-system
   url: https://codeberg.org/Pata1704/homelab_gitops.git

clusters/production/forgejo-runner.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: forgejo-runner
-  namespace: flux-system
-spec:
-  interval: 10m
-  path: ../../apps/forgejo-runner
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg

clusters/production/forgejo.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: forgejo
-  namespace: flux-system
-spec:
-  interval: 10m
-  path: ../../apps/forgejo
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg

clusters/production/gitea.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: gitea
-  namespace: flux-system
-spec:
-  interval: 10m
-  path: ../../apps/gitea
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg

clusters/production/kitchenowl.yaml

@@ -1,17 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: kitchenowl
-  namespace: flux-system
-spec:
-  interval: 10m
-  path: ../../apps/kitchenowl
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-gpg
-

clusters/production/kustomization.yaml

@@ -1,10 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - cert-manager.yaml
-  - kitchenowl.yaml
-  - forgejo.yaml
-  - forgejo-runner.yaml
-  - ocirepository.yaml
   - ../../infrastructure
-  - ../../apps

clusters/production/ocirepository.yaml

@@ -1,12 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: ocirepositories
-  namespace: flux-system
-spec:
-  interval: 10m
-  path: ../../infrastructure/ocirepositories
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system

infrastructure/cert-manager-webhook-hetzner/helmrelease.yaml

@@ -1,18 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: cert-manager-webhook-hetzner
-  namespace: cert-manager
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: cert-manager-webhook-hetzner
-      version: 1.3.3
-      sourceRef:
-        kind: HelmRepository
-        name: vadimkim-cert-manager-webhook-hetzner
-        namespace: flux-system
-  values:
-    groupName: patanix.de
-

infrastructure/cert-manager-webhook-hetzner/helmrepository.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: vadimkim-cert-manager-webhook-hetzner
-  namespace: flux-system
-spec:
-  interval: 30m
-  url: https://vadimkim.github.io/cert-manager-webhook-hetzner

infrastructure/cert-manager/configmap-values.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cert-manager-helm-values
-  namespace: cert-manager
-data:
-  values.yaml: |
-    installCRDs: true
-

infrastructure/cert-manager/helmrelease.yaml

@@ -1,24 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: cert-manager
-      version: v1.17.2
-      sourceRef:
-        kind: HelmRepository
-        name: jetstack
-        namespace: flux-system
-  releaseName: cert-manager
-  valuesFrom:
-    - kind: ConfigMap
-      name: cert-manager-helm-values
-      valuesKey: values.yaml
-  install:
-    crds: CreateReplace
-  upgrade:
-    crds: CreateReplace

infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml

@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: hetzner-secret
-    namespace: cert-manager
-type: Opaque
-stringData:
-    api-key: ENC[AES256_GCM,data:zbosJdBCNMhy1hhF/spyZI3gUFKxrc6t6teRCxob0Xc=,iv:wWSccIo1/39rEZsAdQYt2GfReOK/WD2lvd53/NUmdcs=,tag:lzVh1h629QozAXETUOuzSA==,type:str]
-sops:
-    lastmodified: "2025-05-26T18:30:47Z"
-    mac: ENC[AES256_GCM,data:5TsPo7zuzxPciMDVEvOSBe8WuoYJe0w6BSMNRAJpQ84/52hyJtYb81zLepcfDID8IMUEj9qvKC+Yj6qsK29hsTaeLunRw89q0g4xFd1eQjT3bmQxdEMD4hBuK8tSQeA+bxRT2w0vNMgv+/qvVYGnuC+PyswpXP+ElpjTxawnFJo=,iv:xedxTiTm4Kjudx8P7V3t6luI40/kYjDZb4WOpjv9zrE=,tag:3mUuwVRaHh/343w2AkoKhA==,type:str]
-    pgp:
-        - created_at: "2025-05-26T18:30:47Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAxd/Yh1BfDklARAAilLl2QO6pKp/cBoq7A22ltZqlfyUZTWqfbz07X8xk1W9
-            I3MXdI/2rtndEDt2y0i693w6kwHKiCUfgTyYt2aS8HxgxDEktmO/6Z53wnDiESs0
-            +CDBkG50TpLBFM8nmlRGJBpTuFY4swsrn/1MCMSl1Yq3+CTQ6Rmu9Zo4cx7ZTyFM
-            w5Y2NwC6Mum2jj7DFUotDa5oNHjmFuobCfIfzm/2jIMlqHjllFhEGq1lzjofdTBJ
-            WSdNLbTOG8TYGA7jcJjNiGWA3J7pt7vnsCheNFyLgdXw3JVwdZIeKoIA2g4ONlk3
-            KEkqZ7RdY17RrZmFlByjYoSDmu3kTLXxztB3l8tcz5dUZStb9iZMb/4ODVOwwAcU
-            Jeur1BHrHh4dyZSiuFxh51di+0WyXfgpvhIs8ZSRFsdnZ4SFW4yPqs86Qmoh6ig1
-            F+Iyk3PY+mdKoHIqqK2E2UK3RtFQW1KhcW0xAXtvilWjVI5+QmnY9fEpNDWGieL5
-            Q0NEGPrhNAV/aIMLTFXzba75QJgE5eOvfAHg6ralFAxg3RU2wF+zExwGFfLsIp3F
-            Q0VzFFxLT0gFIEjBswBQ7DJOgdGCXhpWJSjOB2li17VKCMHi0STd+F84aFv8MLT4
-            zni018MaxTmqUEAT9ebijScXoOzGCjTsfQQioSMS01JC/wwWrUcYAXR5dNlB7nfU
-            aAEJAhB2ahVphetmKx/lJQij8AAIHAwddSPvOaC3M0dpVngJJDYeQt/+xBys2f+K
-            moT6INYTvdv1c5ELh4YbLpNSs+5FMdCAGeWVY7NHQfzXh0kSjngQdd+nXKy/1Sk6
-            bIo8ZRLHK6pN
-            =xDsS
-            -----END PGP MESSAGE-----
-          fp: F20CF3DE0B4ACDFCAF07A9D76399FB237185E764
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2

infrastructure/cert-manager/kustomization.yaml

@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - namespace.yaml
-  - helmrepository.yaml
-  - helmrelease.yaml
-  - configmap-values.yaml
-  - hetzner-dns-api-token-secret.yaml
-  - letsencrypt-clusterissuer.yaml
-  - test-certificate.yaml

infrastructure/cert-manager/letsencrypt-clusterissuer.yaml

@@ -1,23 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-dns
-spec:
-  acme:
-    email: patryk-hegenberg@outlook.de
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      name: letsencrypt-dns-key
-    solvers:
-      - dns01:
-          webhook:
-            groupName: patanix.de
-            solverName: hetzner
-            config:
-              secretName: hetzner-secret
-              zoneName: patanix.de
-              apiUrl: https://dns.hetzner.com/api/v1
-              # apiTokenSecretRef:
-              #   name: hetzner-dns-api-token
-              #   key: token
-

infrastructure/cert-manager/namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: cert-manager

infrastructure/cert-manager/test-certificate.yaml

@@ -1,13 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: test-certificate
-  namespace: cert-manager
-spec:
-  secretName: test-certificate-tls
-  issuerRef:
-    name: letsencrypt-dns
-    kind: ClusterIssuer
-  commonName: test.patanix.de
-  dnsNames:
-    - test.patanix.de

infrastructure/cnpg/helmrelease-cluster.yaml

@@ -0,0 +1,62 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2 # Oder v2beta1
+kind: HelmRelease
+metadata:
+  name: shared-postgres-cluster
+  namespace: cnpg-system # Oder ein anderer Namespace für die Datenbank selbst, z.B. 'database'
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: cluster # Dies ist der Chart für den Cluster selbst
+      # version: "<aktuelle-cluster-chart-version>" # Finde die passende Version auf ArtifactHub
+      sourceRef:
+        kind: HelmRepository
+        name: cnpg # Das zuvor definierte Repository
+        namespace: flux-system
+      interval: 1m
+  values:
+    # Cluster Konfiguration
+    # Name des Clusters, der im cnpg-system Namespace erstellt wird
+    name: shared-pg
+    # Anzahl der Instanzen (für Hochverfügbarkeit anpassen)
+    instances: 3
+    # Storage Konfiguration (Longhorn verwenden, wie in deinen anderen Setups)
+    storage:
+      size: "10Gi" # Gesamtgröße für den Cluster, anpassen nach Bedarf
+      storageClass: "longhorn" # Deine Longhorn StorageClass
+    # PostgreSQL Version (prüfe Kompatibilität mit deinen Anwendungen)
+    # postgresql:
+    #   imageName: "ghcr.io/cloudnative-pg/postgresql:15.3" # Beispiel
+
+    # Wichtig: Konfiguriere Backups! Hier nicht im Detail gezeigt.
+    # backup:
+    #   barmanObjectStore:
+    #     ...
+
+    # Monitoring (optional, aber empfohlen)
+    # monitoring:
+    #   enablePodMonitor: true
+
+    # Initiale Datenbanken und Benutzer (optional, kann auch manuell oder per Job erfolgen)
+    # Beachte, dass du für jede Anwendung (Gitea, SonarQube) eigene Datenbanken und Benutzer
+    # in diesem geteilten Cluster benötigst. CloudNativePG kann Benutzer verwalten.
+    # Beispiel für einen initialen Benutzer (NICHT für Anwendungen direkt verwenden,
+    # sondern spezifische Benutzer pro Anwendung erstellen)
+    # bootstrap:
+    #   initdb:
+    #     database: app_db_1 # Beispiel: Gitea DB
+    #     owner: app_user_1  # Beispiel: Gitea User
+    #   # Weitere Datenbanken hier
+    #
+    # # Deklarative Rollen/Benutzer
+    # postgresql:
+    #   managed:
+    #     roles:
+    #       - name: gitea_user
+    #         # passwordSecret: # Besser ein Secret verwenden
+    #         #   name: gitea-db-credentials
+    #         #   key: password
+    #       - name: sonarqube_user
+    #         # passwordSecret:
+    #         #   name: sonarqube-db-credentials
+    #         #   key: password

infrastructure/cnpg/helmrelease-operator.yaml

@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: cnpg-operator
+  namespace: cnpg-system
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: cloudnative-pg
+      version: "0.23.2"
+      sourceRef:
+        kind: HelmRepository
+        name: cnpg
+        namespace: flux-system
+      interval: 1m

infrastructure/cnpg/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2 # Oder v1 je nach deiner Flux-Version
+kind: HelmRepository
+metadata:
+  name: cnpg
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://cloudnative-pg.io/charts

infrastructure/cnpg/kustomization.yaml

@@ -1,5 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - runner-secret.yaml
-  - deployment.yaml
+  - namespace.yaml
+  - helmrepository.yaml
+  - helmrelease-operator.yaml

infrastructure/cnpg/namespace.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: kitchenowl
+  name: cnpg-system

infrastructure/gitea-runner/helmrelease.yaml

@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: gitea-act-runner
+  namespace: gitea
+spec:
+  releaseName: gitea-act-runner
+  interval: 10m
+  chart:
+    spec:
+      chart: gitea-act-runner
+      version: "0.5.2"
+      sourceRef:
+        kind: HelmRepository
+        name: gitea-charts
+        namespace: flux-system
+  values:
+    provisioning:
+      enabled: true
+      # Gitea-URL wie im Cluster erreichbar (interner Service-Name!)
+      serverURL: "http://gitea-http.gitea.svc.cluster.local:3000"
+      # Admin-Zugangsdaten wie oben im Gitea-Chart gesetzt
+      adminUser: "giteaadmin"
+      # adminPassword: "changeme"
+      adminPassword: "F3l1x-230113?"
+    rbac:
+      create: true
+    # Optional: Runner-Name, falls du mehrere Runner willst
+    runner:
+      labels: ["k3s", "fluxcd"]

infrastructure/gitea-runner/helmrepository.yaml

@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: home-assistant
+  name: gitea-charts
   namespace: flux-system
 spec:
-  interval: 1h0m0s
-  url: http://pajikos.github.io/home-assistant-helm-chart
+  url: https://dl.gitea.io/charts/
+  interval: 1h

infrastructure/gitea-runner/kustomization.yaml

@@ -3,4 +3,3 @@ kind: Kustomization
 resources:
   - helmrepository.yaml
   - helmrelease.yaml
-

infrastructure/gitea/helmrelease.yaml

@@ -15,32 +15,18 @@ spec:
         name: gitea-charts
         namespace: flux-system
   values:
-    valkey-cluster:
-      enabled: false
-    valkey:
-      enabled: true
-    postgresql:
-      enabled: true
-    postgresql-ha:
-      enabled: false
     persistence:
       enabled: true
-      size: 40Gi
-      storageClass: local-path
+      storageClass: longhorn
+      size: 5Gi
     ingress:
       enabled: true
       className: traefik
       hosts:
-        - host: git.patanix.de
+        - host: gitea.local
           paths:
             - path: /
               pathType: Prefix
-      tls:
-        - secretName: gitea-tls
-          hosts:
-            - git.patanix.de
-      annotations:
-        cert-manager.io/cluster-issuer: letsencrypt-dns
     service:
       http:
         type: ClusterIP
@@ -50,10 +36,9 @@ spec:
         port: 22
     gitea:
       admin:
-        existingSecret: gitea-admin
-        usernameKey: username
-        passwordKey: password
-        emailKey: email
+        username: giteaadmin
+        password: changeme
+        email: patrykhegenberg@gmail.com
       metrics:
         enabled: true
     actions:

infrastructure/gitea/kustomization.yaml

@@ -4,4 +4,3 @@ resources:
   - namespace.yaml
   - helmrepository.yaml
   - helmrelease.yaml
-  - pvc.yaml

infrastructure/kustomization.yaml

@@ -1,6 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - cert-manager/
-  - cert-manager-webhook-hetzner/
-  # - monitoring/
+  - monitoring/
+  - longhorn/
+  - gitea/
+  # - gitea-runner/
+  # - sonarqube/
+  - cnpg

infrastructure/longhorn/helmrelease.yaml

@@ -0,0 +1,23 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: longhorn
+  namespace: longhorn-system
+spec:
+  releaseName: longhorn
+  chart:
+    spec:
+      chart: longhorn
+      version: "1.8.1"
+      sourceRef:
+        kind: HelmRepository
+        name: longhorn
+        namespace: flux-system
+  interval: 5m
+  install:
+    createNamespace: true
+  values:
+    defaultSettings:
+      defaultReplicaCount: 2
+    persistence:
+      defaultClassReplicaCount: 2

infrastructure/longhorn/helmrepository.yaml

@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: jetstack
+  name: longhorn
   namespace: flux-system
 spec:
-  interval: 30m
-  url: https://charts.jetstack.io
+  url: https://charts.longhorn.io
+  interval: 10m

infrastructure/longhorn/kustomization.yaml

@@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - forgejo-admin-secret.yaml
+  - helmrepository.yaml
   - helmrelease.yaml
-  - certificate.yaml
+  - longhorn-ingress.yaml

infrastructure/longhorn/longhorn-ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: longhorn-ui
+  namespace: longhorn-system
+  annotations:
+    kubernetes.io/ingress.class: "traefik"
+spec:
+  rules:
+    - host: longhorn.local
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: longhorn-frontend
+                port:
+                  number: 80

infrastructure/longhorn/namespace.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: home-assistant
+  name: longhorn-system

infrastructure/ocirepositories/forgejo.yaml

@@ -1,10 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: OCIRepository
-metadata:
-  name: forgejo
-  namespace: flux-system
-spec:
-  interval: 30m
-  url: oci://code.forgejo.org/forgejo-helm/forgejo
-  ref:
-    tag: "12.5.1"

infrastructure/sonarqube/helmrelease.yaml

@@ -0,0 +1,35 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: sonarqube
+  namespace: sonarqube
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: sonarqube
+      version: "2025.2.0"
+      sourceRef:
+        kind: HelmRepository
+        name: sonarqube
+        namespace: flux-system
+  values:
+    community:
+      enabled: true
+    monitoringPasscode: "supersecret123"
+    persistence:
+      enabled: true
+      storageClass: longhorn
+      size: 5Gi
+    postgresql:
+      enabled: true
+      persistence:
+        enabled: true
+        storageClass: longhorn
+        size: 2Gi
+    ingress:
+      enabled: true
+      hosts:
+        - name: sonarqube.local
+          path: /
+      ingressClassName: traefik

infrastructure/sonarqube/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: sonarqube
+  namespace: flux-system
+spec:
+  url: https://SonarSource.github.io/helm-chart-sonarqube
+  interval: 1h

infrastructure/sonarqube/kustomization.yaml

@@ -4,7 +4,3 @@ resources:
   - namespace.yaml
   - helmrepository.yaml
   - helmrelease.yaml
-  - gitea-admin-secret.yaml
-  # - gitea-postgres-secret.yaml
-  # - pvc.yaml
-  - certificate.yaml

infrastructure/sonarqube/namespace.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: forgejo
+  name: sonarqube

notes/cert-manager-webhook.md

@@ -1,79 +0,0 @@
-# Schritt: cert-manager-webhook-hetzner (vadimkim) und ClusterIssuer
-
-## 1. HelmRepository für Webhook anlegen
-```bash
-cat <<EOF > infrastructure/cert-manager-webhook-hetzner/helmrepository.yaml
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: vadimkim-cert-manager-webhook-hetzner
-  namespace: flux-system
-spec:
-  interval: 30m
-  url: https://vadimkim.github.io/cert-manager-webhook-hetzner
-EOF
-```
-
-## 2. HelmRelease für Webhook anlegen
-```bash
-cat <<EOF > infrastructure/cert-manager-webhook-hetzner/helmrelease.yaml
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: cert-manager-webhook-hetzner
-  namespace: cert-manager
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: cert-manager-webhook-hetzner
-      version: 2.9.0
-      sourceRef:
-        kind: HelmRepository
-        name: vadimkim-cert-manager-webhook-hetzner
-        namespace: flux-system
-  values:
-    groupName: patanix.de
-EOF
-```
-
-## 3. ClusterIssuer anlegen
-```bash
-cat <<EOF > infrastructure/cert-manager/letsencrypt-clusterissuer.yaml
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-dns
-spec:
-  acme:
-    email: patryk-hegenberg@outlook.de
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      name: letsencrypt-dns-key
-    solvers:
-      - dns01:
-          webhook:
-            groupName: patanix.de
-            solverName: hetzner
-            config:
-              apiTokenSecretRef:
-                name: hetzner-dns-api-token
-                key: token
-EOF
-```
-
-## 4. Dateien ins Git-Repo legen und pushen
-```bash
-git add infrastructure/cert-manager-webhook-hetzner/*
-git add infrastructure/cert-manager/letsencrypt-clusterissuer.yaml
-git commit -m "Add vadimkim cert-manager-webhook-hetzner and ClusterIssuer for patanix.de"
-git push origin main
-```
-
-## 5. Flux synchronisieren und prüfen
-```bash
-flux reconcile source git flux-system
-flux get helmreleases -A
-kubectl get pods -n cert-manager
-kubectl get clusterissuer
-```

notes/cert-manager.md

@@ -1,40 +0,0 @@
-# Schritt 1: cert-manager v1.17.2 mit FluxCD deployen
-
-## Verzeichnisstruktur
-infrastructure/
-  cert-manager/
-    namespace.yaml
-    helmrepository.yaml
-    configmap-values.yaml
-    helmrelease.yaml
-  kustomization-cert-manager.yaml
-
-## Vorgehen
-
-1. YAML-Dateien wie oben beschrieben im Git-Repository anlegen.
-2. Änderungen committen und pushen:
-```bash
-   git add infrastructure/cert-manager/*
-   git add infrastructure/kustomization-cert-manager.yaml
-   git commit -m "Deploy cert-manager v1.17.2 via FluxCD"
-   git push origin main
-```
-
-3. Flux synchronisiert automatisch. Manuelles Triggern:
-```bash
-   flux reconcile source git flux-system
-   flux get kustomizations
-   kubectl -n cert-manager get pods
-```
-
-4. Prüfen, ob cert-manager läuft:
-```bash
-   kubectl -n cert-manager get pods
-   kubectl -n cert-manager get deployments
-```
-
-5. Fehlerdiagnose:
-```bash
-   flux logs
-   kubectl -n cert-manager logs deploy/cert-manager
-```

notes/home-assistant.md

@@ -1,86 +0,0 @@
-# Home Assistant Best Practices
-
-## Secret
-- Nicht zwingend nötig, nur für zusätzliche Umgebungsvariablen.
-- Kann jederzeit nachgerüstet werden.
-
-## Zertifikat
-- Standard: Ingress mit cert-manager-Annotation, cert-manager erstellt das Zertifikat automatisch.
-- Alternativ: Certificate-Objekt selbst anlegen, dann Annotation im Ingress entfernen.
-
-## HelmRepository (pajikos)
-```bash
-cat <<EOF > infrastructure/services/home-assistant/helmrepository.yaml
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-  name: pajikos-home-assistant
-  namespace: flux-system
-spec:
-  interval: 30m
-  url: https://pajikos.github.io/home-assistant-helm-chart
-EOF
-```
-
-## HelmRelease (Beispiel)
-```bash
-cat <<EOF > infrastructure/services/home-assistant/helmrelease.yaml
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: home-assistant
-  namespace: home-assistant
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: home-assistant
-      version: 15.3.5
-      sourceRef:
-        kind: HelmRepository
-        name: pajikos-home-assistant
-        namespace: flux-system
-  values:
-    persistence:
-      enabled: true
-      existingClaim: home-assistant-config
-    ingress:
-      main:
-        enabled: true
-        hosts:
-          - host: ha.patanix.de
-            paths:
-              - /
-        tls:
-          - secretName: ha-patanix-de-tls
-            hosts:
-              - ha.patanix.de
-        annotations:
-          cert-manager.io/cluster-issuer: letsencrypt-dns
-EOF
-```
-
-## 2. Secret verschlüsseln - falls vorhanden
-```bash
-sops -e -i infrastructure/services/home-assistant/secret.yaml
-```
-
-## 3. Dateien ins Repo legen und pushen
-```bash
-git add infrastructure/services/home-assistant/*
-git add infrastructure/kustomization-home-assistant.yaml
-git commit -m "Deploy Home Assistant via FluxCD (20GiB, ha.patanix.de)"
-git push origin main
-```
-
-## 4. Flux synchronisieren
-```bash
-flux reconcile source git flux-system
-flux get kustomizations
-kubectl -n home-assistant get pods
-kubectl -n home-assistant get ingress
-kubectl -n home-assistant get certificate
-```
-
-## 5. Erreichbarkeit testen
-# Nach DNS-Propagation und Zertifikatsausstellung: https://ha.patanix.de aufrufen

notes/sops-and-hetzner-secret.md

@@ -1,84 +0,0 @@
-# SOPS für FluxCD einrichten
-
-## SOPS & GPG installieren
-```bash
-sudo dnf install gnupg
-```
-### Download the binary
-```bash
-curl -LO https://github.com/getsops/sops/releases/download/v3.10.2/sops-v3.10.2.linux.amd64
-```
-
-### Move the binary in to your PATH
-```bash
-mv sops-v3.10.2.linux.amd64 /usr/local/bin/sops
-```
-
-### Make the binary executable
-```bash
-chmod +x /usr/local/bin/sops
-```
-
-## GPG Key generieren
-```bash
-export KEY_NAME="k3s.homelab"
-export KEY_COMMENT="flux secrets"
-gpg --batch --full-generate-key <<EOF
-%no-protection
-Key-Type: 1
-Key-Length: 4096
-Subkey-Type: 1
-Subkey-Length: 4096
-Expire-Date: 0
-Name-Comment: ${KEY_COMMENT}
-Name-Real: ${KEY_NAME}
-EOF
-```
-
-## GPG Fingerprint anzeigen
-```bash
-gpg --list-secret-keys "${KEY_NAME}"
-export KEY_FP=<DEIN_FINGERPRINT>
-```
-
-## GPG Key als Kubernetes Secret speichern
-```bash
-gpg --export-secret-keys --armor "${KEY_FP}" | \
-kubectl create secret generic sops-gpg \
-  --namespace=flux-system \
-  --from-file=sops.asc=/dev/stdin
-```
-## .sops.yaml im Repo anlegen
-```bash
-cat <<EOF > .sops.yaml
-creation_rules:
-  - encrypted_regex: '^(data|stringData)$'
-    path_regex: \.yaml$
-    pgp: <DEIN_FINGERPRINT>
-EOF
-```
-
-## Hetzner DNS API Token in Secret-Datei eintragen
-```bash
-cat <<EOF > infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: hetzner-dns-api-token
-  namespace: cert-manager
-type: Opaque
-stringData:
-  token: "<HIER_DEIN_HETZNER_DNS_API_TOKEN_EINFÜGEN>"
-EOF
-```
-## Mit SOPS verschlüsseln
-```bash
-sops -e -i infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
-```
-
-## Ins Git-Repo legen und pushen
-```bash
-git add infrastructure/cert-manager/hetzner-dns-api-token-secret.yaml
-git commit -m "Add Hetzner DNS API token secret (encrypted with SOPS)"
-git push origin main
-```

notes/test-certificate.md

@@ -1,40 +0,0 @@
-# Test: Zertifikatsausstellung mit cert-manager und Hetzner DNS
-
-## Test-Zertifikat anlegen
-```bash
-cat <<EOF > infrastructure/cert-manager/test-certificate.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: test-certificate
-  namespace: cert-manager
-spec:
-  secretName: test-certificate-tls
-  issuerRef:
-    name: letsencrypt-dns
-    kind: ClusterIssuer
-  commonName: test.patanix.de
-  dnsNames:
-    - test.patanix.de
-EOF
-```
-
-## Datei ins Repo legen und pushen
-```bash
-git add infrastructure/cert-manager/test-certificate.yaml
-git commit -m "Add test certificate request for test.patanix.de"
-git push origin main
-```
-
-## Status prüfen
-```bash
-kubectl -n cert-manager get certificate
-kubectl -n cert-manager describe certificate test-certificate
-kubectl -n cert-manager get secret test-certificate-tls
-```
-
-# Events und Fehlerdiagnose
-```bash
-kubectl -n cert-manager get events --sort-by=.metadata.creationTimestamp
-kubectl -n cert-manager logs deploy/cert-manager
-```

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}