chore(deps): update helm release cilium to v1.19.3

chore: dont detect host rules from env
chore: Remove auth
2026-05-08 12:49:53 +00:00 · 2026-05-08 14:35:36 +02:00 · 2026-05-08 14:32:50 +02:00 · 2026-05-08 14:25:38 +02:00 · 2026-05-08 14:01:09 +02:00 · 2026-05-08 13:59:00 +02:00
41 changed files with 547 additions and 188 deletions
--- a/k8s-peterg/alloy/configmap.yaml
+++ b/k8s-peterg/alloy/configmap.yaml
@ -6,6 +6,11 @@ metadata:
 data:
  config.alloy: |-
    prometheus.exporter.unix "node" {
      set_collectors = [
        "cpu", "diskstats", "filesystem", "loadavg",
        "meminfo", "netdev", "netstat", "os",
        "pressure", "processes", "stat", "uname", "vmstat",
      ]
    }
    discovery.kubernetes "kubernetes_apiservers" {
@ -141,6 +146,11 @@ data:
        source_labels = ["__meta_kubernetes_pod_node_name"]
        target_label  = "node"
      }
      rule {
        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
        action = "labeldrop"
      }
    }
    discovery.relabel "kubernetes_services" {
@ -249,6 +259,11 @@ data:
        source_labels = ["__meta_kubernetes_pod_node_name"]
        target_label  = "node"
      }
      rule {
        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
        action = "labeldrop"
      }
    }
    discovery.relabel "pod_logs" {
@ -298,6 +313,11 @@ data:
        target_label  = "__path__"
        replacement   = "/var/log/pods/*$1/*.log"
      }
      rule {
        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
        action = "labeldrop"
      }
    }
    local.file_match "pod_logs" {
@ -352,9 +372,19 @@ data:
      }
    }
    prometheus.relabel "cadvisor" {
      forward_to = [prometheus.remote_write.default.receiver]
      rule {
        source_labels = ["__name__"]
        regex         = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)"
        action        = "keep"
      }
    }
    prometheus.scrape "kubernetes_nodes_cadvisor" {
      targets    = discovery.relabel.kubernetes_nodes_cadvisor.output
-      forward_to = [prometheus.remote_write.default.receiver]
+      forward_to = [prometheus.relabel.cadvisor.receiver]
      job_name   = "kubernetes-nodes-cadvisor"
      scheme     = "https"
--- a/k8s-peterg/argo-workflows/kustomization.yaml
+++ b/k8s-peterg/argo-workflows/kustomization.yaml
@ -11,5 +11,5 @@ helmCharts:
    repo: https://argoproj.github.io/argo-helm
    namespace: argo-workflows
    releaseName: argo-workflows
-    version: 1.0.7
+    version: 1.0.13
    valuesFile: values.yaml
--- a/k8s-peterg/argo-workflows/secrets.yaml
+++ b/k8s-peterg/argo-workflows/secrets.yaml
@ -22,6 +22,7 @@ spec:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        nullBytePolicy: Ignore
    - secretKey: client-secret
      remoteRef:
        key: secrets/managed/argo-workflows/authentik-sso
@ -29,3 +30,4 @@ spec:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        nullBytePolicy: Ignore
--- a/k8s-peterg/argocd/applications-peterg.yaml
+++ b/k8s-peterg/argocd/applications-peterg.yaml
@ -99,3 +99,22 @@ spec:
      selfHeal: true
    syncOptions:
      - ServerSideApply=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: renovate-operator
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
    path: k8s-peterg/renovate-operator
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: renovate-operator
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
--- a/k8s-peterg/argocd/applications-wheatley.yaml
+++ b/k8s-peterg/argocd/applications-wheatley.yaml
@ -143,6 +143,25 @@ spec:
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: lidarr
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
    path: k8s-wheatley/lidarr
    targetRevision: HEAD
  destination:
    server: https://10.13.37.10:6443
    namespace: lidarr
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: prowlarr
  namespace: argocd
--- a/k8s-peterg/argocd/oidc.yaml
+++ b/k8s-peterg/argocd/oidc.yaml
@ -27,28 +27,3 @@ spec:
      remoteRef:
        key: secrets/managed/argocd/authentik-oidc-credentials
        property: clientSecret
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: argo-workflows-sso
  namespace: argocd
 spec:
  secretStoreRef:
    name: vault-wheatley
    kind: ClusterSecretStore
  target:
    name: argo-workflows-sso
    template:
      metadata:
        labels:
          app.kubernetes.io/part-of: argo-workflows
  data:
    - secretKey: client-id
      remoteRef:
        key: secrets/managed/argo-workflows/dex-sso
        property: client-id
    - secretKey: client-secret
      remoteRef:
        key: secrets/managed/argo-workflows/dex-sso
        property: client-secret
--- a/k8s-peterg/external-secrets-operator/clustersecrets.yaml
+++ b/k8s-peterg/external-secrets-operator/clustersecrets.yaml
@ -27,6 +27,7 @@ spec:
          conversionStrategy: Default
          decodingStrategy: None
          metadataPolicy: None
          nullBytePolicy: Ignore
      - secretKey: key
        remoteRef:
          key: secrets/provisioned/tls-wildcard-peterg-nl
@ -34,3 +35,4 @@ spec:
          conversionStrategy: Default
          decodingStrategy: None
          metadataPolicy: None
          nullBytePolicy: Ignore
--- a/k8s-peterg/external-secrets-operator/kustomization.yaml
+++ b/k8s-peterg/external-secrets-operator/kustomization.yaml
@ -12,4 +12,4 @@ helmCharts:
    repo: https://charts.external-secrets.io
    namespace: external-secrets
    releaseName: external-secrets
-    version: 2.3.0
+    version: 2.4.0
--- a/k8s-peterg/renovate-operator/configmap.yaml
+++ b/k8s-peterg/renovate-operator/configmap.yaml
@ -0,0 +1,20 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: renovate-config
  namespace: renovate-operator
 data:
  config.js: |-
    module.exports = {
      platform: 'forgejo',
      endpoint: 'https://code.peterg.nl/api/v1/',
      gitAuthor: 'Renovate <renovate@peterg.nl>',
      username: 'renovate',
      onboardingConfig: {
        $schema: 'https://docs.renovatebot.com/renovate-schema.json',
        extends: ['config:recommended'],
      },
      optimizeForDisabled: true,
      persistRepoData: true,
    };
--- a/k8s-peterg/renovate-operator/kustomization.yaml
+++ b/k8s-peterg/renovate-operator/kustomization.yaml
@ -0,0 +1,19 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: renovate-operator
 resources:
  - configmap.yaml
  - namespace.yaml
  - policies.yaml
  - renovate-job.yaml
  - secrets.yaml
 helmCharts:
  - name: renovate-operator
    repo: https://helm.mogenius.com/public
    namespace: renovate-operator
    releaseName: renovate-operator
    version: "4.7.0"
    valuesFile: values.yaml
--- a/k8s-peterg/renovate-operator/namespace.yaml
+++ b/k8s-peterg/renovate-operator/namespace.yaml
@ -0,0 +1,5 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: renovate-operator
--- a/k8s-peterg/renovate-operator/policies.yaml
+++ b/k8s-peterg/renovate-operator/policies.yaml
@ -0,0 +1,37 @@
 ---
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
  name: allow-internet-only
 spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 192.168.0.0/16
              - 172.16.0.0/12
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: kubernetes-egress
 spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
        - podSelector:
            matchLabels:
              k8s-app: kube-apiserver
    - ports:
        - protocol: TCP
          port: 6443
--- a/k8s-peterg/renovate-operator/renovate-job.yaml
+++ b/k8s-peterg/renovate-operator/renovate-job.yaml
@ -0,0 +1,27 @@
 ---
 apiVersion: renovate-operator.mogenius.com/v1alpha1
 kind: RenovateJob
 metadata:
  name: renovate
  namespace: renovate-operator
 spec:
  schedule: "0 * * * *"
  provider:
    name: forgejo
    endpoint: https://code.peterg.nl/api/v1/
  image: ghcr.io/renovatebot/renovate:43.161.0
  secretRef: renovate-operator-secrets
  parallelism: 1
  skipForks: true
  extraVolumes:
    - name: renovate-config
      configMap:
        name: renovate-config
  extraVolumeMounts:
    - name: renovate-config
      mountPath: /config
  extraEnv:
    - name: LOG_LEVEL
      value: debug
    - name: RENOVATE_CONFIG_FILE
      value: /config/config.js
--- a/k8s-peterg/renovate-operator/secrets.yaml
+++ b/k8s-peterg/renovate-operator/secrets.yaml
@ -0,0 +1,22 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: renovate-operator-secrets
  namespace: renovate-operator
 spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: vault-wheatley
    kind: ClusterSecretStore
  target:
    name: renovate-operator-secrets
  data:
    - secretKey: RENOVATE_TOKEN
      remoteRef:
        key: /secrets/managed/renovate/token
        property: RENOVATE_TOKEN
    - secretKey: GITHUB_COM_TOKEN
      remoteRef:
        key: /secrets/managed/renovate/token
        property: GITHUB_COM_TOKEN
--- a/k8s-peterg/renovate-operator/values.yaml
+++ b/k8s-peterg/renovate-operator/values.yaml
@ -0,0 +1,20 @@
 fullnameOverride: "renovate-operator"
 metrics:
  enabled: true
  serviceMonitor:
    enabled: false
 crd:
  install: true
  mode: template
 rbac:
  ownNamespaceOnly: true
 route:
  enabled: true
  hostnames:
  parentRefs:
    - name: internal
      namespace: kube-system
      sectionName: https
--- a/k8s-peterg/vault-wheatley-approle.yaml
+++ b/k8s-peterg/vault-wheatley-approle.yaml
@ -1,9 +0,0 @@
 apiVersion: v1
 data:
  approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg==
  approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg==
 kind: Secret
 metadata:
  name: vault-wheatley-approle
  namespace: external-secrets
 type: Opaque
--- a/k8s-wheatley/alloy/configmap.yaml
+++ b/k8s-wheatley/alloy/configmap.yaml
@ -5,7 +5,13 @@ metadata:
  name: alloy-config
 data:
  config.alloy: |-
-    prometheus.exporter.unix "node" {}
+    prometheus.exporter.unix "node" {
      set_collectors = [
        "cpu", "diskstats", "filesystem", "loadavg",
        "meminfo", "netdev", "netstat", "os",
        "pressure", "processes", "stat", "uname", "vmstat",
      ]
    }
    discovery.kubernetes "kubernetes_apiservers" {
      role = "endpoints"
@ -152,6 +158,11 @@ data:
        source_labels = ["__meta_kubernetes_pod_node_name"]
        target_label  = "node"
      }
      rule {
        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
        action = "labeldrop"
      }
    }
    discovery.relabel "kubernetes_services" {
@ -260,6 +271,11 @@ data:
        source_labels = ["__meta_kubernetes_pod_node_name"]
        target_label  = "node"
      }
      rule {
        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
        action = "labeldrop"
      }
    }
    discovery.relabel "pod_logs" {
@ -309,6 +325,11 @@ data:
        target_label  = "__path__"
        replacement   = "/var/log/pods/*$1/*.log"
      }
      rule {
        regex  = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision"
        action = "labeldrop"
      }
    }
    local.file_match "pod_logs" {
@ -369,9 +390,19 @@ data:
      }
    }
    prometheus.relabel "cadvisor" {
      forward_to = [prometheus.remote_write.default.receiver]
      rule {
        source_labels = ["__name__"]
        regex         = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)"
        action        = "keep"
      }
    }
    prometheus.scrape "kubernetes_nodes_cadvisor" {
      targets    = discovery.relabel.kubernetes_nodes_cadvisor.output
-      forward_to = [prometheus.remote_write.default.receiver]
+      forward_to = [prometheus.relabel.cadvisor.receiver]
      job_name   = "kubernetes-nodes-cadvisor"
      scheme     = "https"
      clustering {
--- a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml
+++ b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml
@ -27,6 +27,7 @@ spec:
          conversionStrategy: Default
          decodingStrategy: None
          metadataPolicy: None
          nullBytePolicy: Ignore
      - secretKey: key
        remoteRef:
          key: secrets/provisioned/tls-wildcard-wheatley-in
@ -34,3 +35,4 @@ spec:
          conversionStrategy: Default
          decodingStrategy: None
          metadataPolicy: None
          nullBytePolicy: Ignore
--- a/k8s-wheatley/external-secrets-operator/kustomization.yaml
+++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml
@ -12,4 +12,4 @@ helmCharts:
    repo: https://charts.external-secrets.io
    namespace: external-secrets
    releaseName: external-secrets
-    version: 2.3.0
+    version: 2.4.0
--- a/k8s-wheatley/lidarr/configmap.yaml
+++ b/k8s-wheatley/lidarr/configmap.yaml
@ -0,0 +1,9 @@
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: lidarr-envs
 data:
  PUID: "1000"
  PGID: "1000"
  TZ: Europe/Amsterdam
--- a/k8s-wheatley/lidarr/deployments.yaml
+++ b/k8s-wheatley/lidarr/deployments.yaml
@ -0,0 +1,50 @@
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: lidarr
  labels:
    app: lidarr
 spec:
  replicas: 1
  serviceName: lidarr
  selector:
    matchLabels:
      app: lidarr
  template:
    metadata:
      labels:
        app: lidarr
    spec:
      containers:
        - name: lidarr
          image: linuxserver/lidarr
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8686
          envFrom:
            - configMapRef:
                name: lidarr-envs
          volumeMounts:
            - mountPath: /config
              name: lidarr-config
            - mountPath: /shared/media
              name: nfs-media
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
              add:
                - "CHOWN"
                - "SETUID"
                - "SETGID"
      volumes:
        - name: lidarr-config
          persistentVolumeClaim:
            claimName: lidarr-storage
        - name: nfs-media
          persistentVolumeClaim:
            claimName: nfs-media
--- a/k8s-wheatley/lidarr/ingress.yaml
+++ b/k8s-wheatley/lidarr/ingress.yaml
@ -0,0 +1,16 @@
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: lidarr-route
 spec:
  parentRefs:
    - name: internal
      namespace: kube-system
      sectionName: https
  hostnames:
    - "lidarr.wheatley.in"
  rules:
    - backendRefs:
        - name: lidarr
          port: 80
--- a/k8s-wheatley/lidarr/kustomization.yaml
+++ b/k8s-wheatley/lidarr/kustomization.yaml
@ -0,0 +1,33 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: lidarr
 resources:
  - ../../kustomize-bases/nfs-media
  - configmap.yaml
  - deployments.yaml
  - ingress.yaml
  - pvc.yaml
  - services.yaml
  - namespace.yaml
 patches:
  - target:
      kind: PersistentVolume
      name: nfs-media
    patch: |
      - op: replace
        path: /metadata/name
        value: nfs-media-lidarr
  - target:
      kind: PersistentVolumeClaim
      name: nfs-media
    patch: |
      - op: replace
        path: /spec/volumeName
        value: nfs-media-lidarr
 images:
  - name: linuxserver/lidarr
    newTag: 3.1.0@sha256:d2f944115de2ca6754ad142ee92f9db481b1574c7bc030974d624584106b78d7
--- a/k8s-wheatley/lidarr/namespace.yaml
+++ b/k8s-wheatley/lidarr/namespace.yaml
@ -0,0 +1,5 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: lidarr
--- a/k8s-wheatley/lidarr/pvc.yaml
+++ b/k8s-wheatley/lidarr/pvc.yaml
@ -0,0 +1,12 @@
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: lidarr-storage
 spec:
  storageClassName: piraeus-lvmthin
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
--- a/k8s-wheatley/lidarr/services.yaml
+++ b/k8s-wheatley/lidarr/services.yaml
@ -0,0 +1,12 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: lidarr
 spec:
  selector:
    app: lidarr
  ports:
    - port: 80
      protocol: TCP
      targetPort: 8686
--- a/k8s-wheatley/plex/kustomization.yaml
+++ b/k8s-wheatley/plex/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization
 namespace: plex
 resources:
  - ../../kustomize-bases/nfs-media
  - configmap.yaml
  - deployments.yaml
  - ingress.yaml
@ -12,6 +13,28 @@ resources:
  - services.yaml
  - namespace.yaml
 patches:
  - target:
      kind: PersistentVolume
      name: nfs-media
    patch: |
      - op: replace
        path: /metadata/name
        value: nfs-media-plex
      - op: replace
        path: /spec/accessModes/0
        value: ReadOnlyMany
  - target:
      kind: PersistentVolumeClaim
      name: nfs-media
    patch: |
      - op: replace
        path: /spec/volumeName
        value: nfs-media-plex
      - op: replace
        path: /spec/accessModes/0
        value: ReadOnlyMany
 images:
 - name: plexinc/pms-docker
  newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c
--- a/k8s-wheatley/plex/pvc.yaml
+++ b/k8s-wheatley/plex/pvc.yaml
@ -10,36 +10,3 @@ spec:
  resources:
    requests:
      storage: 20Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: nfs-media
 spec:
  accessModes:
    - ReadOnlyMany
  resources:
    requests:
      storage: 40Ti
  volumeName: nfs-media-plex
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: nfs-media-plex
 spec:
  capacity:
    storage: 40Ti
  accessModes:
    - ReadOnlyMany
  nfs:
    server: 10.0.69.10
    path: /tank/media
  mountOptions:
    - vers=4.1
    - rsize=1048576
    - wsize=1048576
    - hard
    - timeo=600
    - noatime
  persistentVolumeReclaimPolicy: Retain
--- a/k8s-wheatley/prowlarr/kustomization.yaml
+++ b/k8s-wheatley/prowlarr/kustomization.yaml
@ -16,4 +16,4 @@ images:
  - name: flaresolverr/flaresolverr
    newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e
  - name: linuxserver/prowlarr
-    newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf
+    newTag: 2.3.5@sha256:c5de2a8758a05594319263e7691c1dce56899442ed1720d6eca216c0958f4caf
--- a/k8s-wheatley/qbittorrent/configmap.yaml
+++ b/k8s-wheatley/qbittorrent/configmap.yaml
@ -9,22 +9,26 @@ data:
  VPN_TYPE: "wireguard"
  VPN_PORT_FORWARDING: on
  VPN_PORT_FORWARDING_PROVIDER: protonvpn
-  VPN_PORT_FORWARDING_UP_COMMAND: |
+  VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh"
-    /bin/sh -c '
+  VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh"
  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
  FIREWALL_INPUT_PORTS: "8112"
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: gluetun-scripts
 data:
  port-up.sh: |
    #!/bin/sh
    wget -O- --retry-connrefused \
      --post-data "json={\"listen_port\":{{PORTS}},\"current_network_interface\":\"tun0\",\"random_port\":false,\"upnp\":false}" \
      http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1
-    '
+  port-down.sh: |
-  VPN_PORT_FORWARDING_DOWN_COMMAND: |
+    #!/bin/sh
    /bin/sh -c '
    wget -O- --retry-connrefused \
      --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo\"}" \
      http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1
    '
  FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12
  FIREWALL_INPUT_PORTS: "8112"
  DNS_KEEP_NAMESERVER: on
  DOT: off
 ---
 apiVersion: v1
 kind: ConfigMap
--- a/k8s-wheatley/qbittorrent/deployments.yaml
+++ b/k8s-wheatley/qbittorrent/deployments.yaml
@ -33,6 +33,8 @@ spec:
            - mountPath: "/gluetun/wireguard"
              name: gluetun-wgconfig
              readOnly: true
            - name: gluetun-scripts
              mountPath: /scripts
            - name: gluetun-tmp
              mountPath: /tmp/gluetun
          restartPolicy: Always
@ -128,6 +130,10 @@ spec:
        - name: gluetun-wgconfig
          secret:
            secretName: gluetun-wgconfig
        - name: gluetun-scripts
          configMap:
            name: gluetun-scripts
            defaultMode: 0755
        - name: gluetun-tmp
          emptyDir: {}
        - name: nfs-media
--- a/k8s-wheatley/qbittorrent/kustomization.yaml
+++ b/k8s-wheatley/qbittorrent/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization
 namespace: qbittorrent
 resources:
  - ../../kustomize-bases/nfs-media
  - configmap.yaml
  - deployments.yaml
  - ingress.yaml
@ -12,6 +13,25 @@ resources:
  - services.yaml
  - namespace.yaml
 patches:
  - target:
      kind: PersistentVolume
      name: nfs-media
    patch: |
      - op: replace
        path: /metadata/name
        value: nfs-media-qbittorrent
      - op: replace
        path: /spec/nfs/path
        value: /tank/media/downloads
  - target:
      kind: PersistentVolumeClaim
      name: nfs-media
    patch: |
      - op: replace
        path: /spec/volumeName
        value: nfs-media-qbittorrent
 images:
  - name: ghcr.io/qdm12/gluetun
    newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab
--- a/k8s-wheatley/qbittorrent/pvc.yaml
+++ b/k8s-wheatley/qbittorrent/pvc.yaml
@ -10,36 +10,3 @@ spec:
  resources:
    requests:
      storage: 5Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: nfs-media
 spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 40Ti
  volumeName: nfs-media-qbittorrent
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: nfs-media-qbittorrent
 spec:
  capacity:
    storage: 40Ti
  accessModes:
    - ReadWriteMany
  nfs:
    server: 10.0.69.10
    path: /tank/media/downloads
  mountOptions:
    - vers=4.1
    - rsize=1048576
    - wsize=1048576
    - hard
    - timeo=600
    - noatime
  persistentVolumeReclaimPolicy: Retain
--- a/k8s-wheatley/radarr/kustomization.yaml
+++ b/k8s-wheatley/radarr/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization
 namespace: radarr
 resources:
  - ../../kustomize-bases/nfs-media
  - configmap.yaml
  - deployments.yaml
  - ingress.yaml
@ -12,6 +13,22 @@ resources:
  - services.yaml
  - namespace.yaml
 patches:
  - target:
      kind: PersistentVolume
      name: nfs-media
    patch: |
      - op: replace
        path: /metadata/name
        value: nfs-media-radarr
  - target:
      kind: PersistentVolumeClaim
      name: nfs-media
    patch: |
      - op: replace
        path: /spec/volumeName
        value: nfs-media-radarr
 images:
  - name: linuxserver/radarr
-    newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
+    newTag: 6.1.1@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
--- a/k8s-wheatley/radarr/pvc.yaml
+++ b/k8s-wheatley/radarr/pvc.yaml
@ -10,36 +10,3 @@ spec:
  resources:
    requests:
      storage: 5Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: nfs-media
 spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 40Ti
  volumeName: nfs-media-radarr
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: nfs-media-radarr
 spec:
  capacity:
    storage: 40Ti
  accessModes:
    - ReadWriteMany
  nfs:
    server: 10.0.69.10
    path: /tank/media
  mountOptions:
    - vers=4.1
    - rsize=1048576
    - wsize=1048576
    - hard
    - timeo=600
    - noatime
  persistentVolumeReclaimPolicy: Retain
--- a/k8s-wheatley/sonarr/kustomization.yaml
+++ b/k8s-wheatley/sonarr/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization
 namespace: sonarr
 resources:
  - ../../kustomize-bases/nfs-media
  - configmap.yaml
  - deployments.yaml
  - ingress.yaml
@ -12,6 +13,22 @@ resources:
  - services.yaml
  - namespace.yaml
 patches:
  - target:
      kind: PersistentVolume
      name: nfs-media
    patch: |
      - op: replace
        path: /metadata/name
        value: nfs-media-sonarr
  - target:
      kind: PersistentVolumeClaim
      name: nfs-media
    patch: |
      - op: replace
        path: /spec/volumeName
        value: nfs-media-sonarr
 images:
  - name: linuxserver/sonarr
-    newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13
+    newTag: 4.0.17@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020
--- a/k8s-wheatley/sonarr/pvc.yaml
+++ b/k8s-wheatley/sonarr/pvc.yaml
@ -10,36 +10,3 @@ spec:
  resources:
    requests:
      storage: 5Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: nfs-media
 spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 40Ti
  volumeName: nfs-media-sonarr
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: nfs-media-sonarr
 spec:
  capacity:
    storage: 40Ti
  accessModes:
    - ReadWriteMany
  nfs:
    server: 10.0.69.10
    path: /tank/media
  mountOptions:
    - vers=4.1
    - rsize=1048576
    - wsize=1048576
    - hard
    - timeo=600
    - noatime
  persistentVolumeReclaimPolicy: Retain
--- a/kustomize-bases/alloy/kustomization.yaml
+++ b/kustomize-bases/alloy/kustomization.yaml
@ -9,12 +9,12 @@ resources:
 helmCharts:
  - name: alloy
    repo: https://grafana.github.io/helm-charts
-    version: "1.7.0"
+    version: "1.8.0"
    releaseName: alloy
    valuesFile: values.yaml
  - name: kube-state-metrics
    repo: https://prometheus-community.github.io/helm-charts
-    version: "7.2.2"
+    version: "7.3.0"
    releaseName: kube-state-metrics
  - name: prometheus-operator-crds
    repo: https://prometheus-community.github.io/helm-charts
--- a/kustomize-bases/cilium/kustomization.yaml
+++ b/kustomize-bases/cilium/kustomization.yaml
@ -13,5 +13,5 @@ helmCharts:
    repo: https://helm.cilium.io
    namespace: kube-system
    releaseName: cilium
-    version: 1.18.6
+    version: 1.19.3
    valuesFile: values.yaml
--- a/kustomize-bases/nfs-media/kustomization.yaml
+++ b/kustomize-bases/nfs-media/kustomization.yaml
@ -0,0 +1,6 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - pvc.yaml
--- a/kustomize-bases/nfs-media/pvc.yaml
+++ b/kustomize-bases/nfs-media/pvc.yaml
@ -0,0 +1,40 @@
 # Shared NFS media storage template — used by plex, sonarr, radarr, and qbittorrent.
 # All apps on k8s-wheatley mount the same NFS server: 10.0.69.10
 #
 # Each app overlays this base with JSON patches in its kustomization.yaml:
 #   - Always: rename PV (metadata.name) and update PVC volumeName to match
 #   - plex only: patch accessModes to ReadOnlyMany on both PV and PVC
 #   - qbittorrent only: patch nfs.path to /tank/media/downloads
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: nfs-media  # renamed per-app via JSON patch
 spec:
  capacity:
    storage: 40Ti
  accessModes:
    - ReadWriteMany
  nfs:
    server: 10.0.69.10
    path: /tank/media
  mountOptions:
    - vers=4.1
    - rsize=1048576
    - wsize=1048576
    - hard
    - timeo=600
    - noatime
  persistentVolumeReclaimPolicy: Retain
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: nfs-media
 spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 40Ti
  volumeName: nfs-media  # patched per-app to match PV name
Author	SHA1	Message	Date
Renovate	7d863973b8	chore(deps): update helm release cilium to v1.19.3	2026-05-08 12:49:53 +00:00
pgijsbertsen	845aea8b13	chore: dont detect host rules from env	2026-05-08 14:35:36 +02:00
pgijsbertsen	bf6098e676	chore: Remove auth	2026-05-08 14:32:50 +02:00
pgijsbertsen	a97783ed0b	fix: Don't autodiscover	2026-05-08 14:25:38 +02:00
pgijsbertsen	a5a63ee4cd	fix: password intead of token	2026-05-08 14:01:09 +02:00
pgijsbertsen	b01b6a8987	feat: Detect host rules from env	2026-05-08 13:59:00 +02:00
pgijsbertsen	c40ccabcbb	chore: add hostType	2026-05-08 13:02:56 +02:00
pgijsbertsen	b1a30eaf1d	add policy	2026-05-08 11:54:39 +02:00
pgijsbertsen	36f4bbc98a	set loglevel	2026-05-08 11:50:31 +02:00
pgijsbertsen	e8df03cd18	add policies	2026-05-08 11:48:05 +02:00
pgijsbertsen	856e86fd51	fix secretref	2026-05-08 09:49:27 +02:00
pgijsbertsen	486542e783	chore(renovate-operator): use config.js	2026-05-08 09:37:30 +02:00
pgijsbertsen	47a110d564	fix(renovate-operator): Fix inclusion of docker login	2026-05-08 09:24:12 +02:00
pgijsbertsen	e7fe39a55c	fix(renovate-operator): Parse secrets correctly	2026-05-07 17:00:07 +02:00
pgijsbertsen	3d7580dc3a	feat(renovate-operator): Fix ratelimits	2026-05-07 15:15:54 +02:00
pgijsbertsen	26d989fc03	chore(renovate-operator): Decrease interval to 1h	2026-05-07 14:51:51 +02:00
pgijsbertsen	029c916c92	chore(renovate-operator): decrease interval	2026-05-07 10:05:25 +02:00
pgijsbertsen	df5c58690e	feat(renovate-operator): Add httproute	2026-05-07 09:22:59 +02:00
pgijsbertsen	d863b7e339	fix: define image	2026-05-06 17:27:36 +02:00
pgijsbertsen	35b2c83865	chore: re-enable renovate-job	2026-05-06 17:19:30 +02:00
pgijsbertsen	00ff293759	fix: use correct api version for externalsecrets	2026-05-06 17:16:20 +02:00
pgijsbertsen	2a4805b349	chore: temp disable renovatejob	2026-05-06 17:15:21 +02:00
pgijsbertsen	631143f9f8	feat: Add renovate-operator	2026-05-06 17:12:49 +02:00
pgijsbertsen	0633deb983	feat: Add Lidarr	2026-05-06 13:02:32 +02:00
pgijsbertsen	cd0c3724c6	Revert "chore: Move pvc to datastore as this is cluster-specific" This reverts commit `775a28e4bb`.	2026-05-06 12:50:43 +02:00
pgijsbertsen	775a28e4bb	chore: Move pvc to datastore as this is cluster-specific	2026-05-06 12:47:14 +02:00
Peter	edef9e4497	Merge pull request 'chore(deps): update linuxserver/prowlarr:2.3.5 docker digest to c5de2a8' (#59 ) from renovate/linuxserver-prowlarr-2.3.5 into main Reviewed-on: #59	2026-04-28 08:52:42 +02:00
Peter	8851641147	Merge pull request 'chore(deps): update linuxserver/radarr:6.1.1 docker digest to b01097a' (#60 ) from renovate/linuxserver-radarr-6.1.1 into main Reviewed-on: #60	2026-04-28 08:52:34 +02:00
Peter	2497dc06b6	Merge pull request 'chore(deps): update linuxserver/sonarr:4.0.17 docker digest to 3580aec' (#61 ) from renovate/linuxserver-sonarr-4.0.17 into main Reviewed-on: #61	2026-04-28 08:52:26 +02:00
Peter	c44bae1323	Merge pull request 'chore(deps): update helm release argo-workflows to v1.0.13' (#62 ) from renovate/argo-workflows-1.x into main Reviewed-on: #62	2026-04-28 08:52:19 +02:00
Peter	77bbba3552	Merge pull request 'chore(deps): update helm release alloy to v1.8.0' (#63 ) from renovate/alloy-1.x into main Reviewed-on: #63	2026-04-28 08:52:08 +02:00
Peter	931a30d053	Merge pull request 'chore(deps): update helm release external-secrets to v2.4.0' (#64 ) from renovate/external-secrets-2.x into main Reviewed-on: #64	2026-04-28 08:51:57 +02:00
Peter	68822950c9	Merge pull request 'chore(deps): update helm release kube-state-metrics to v7.3.0' (#65 ) from renovate/kube-state-metrics-7.x into main Reviewed-on: #65	2026-04-28 08:51:47 +02:00
Renovate	bd306516ed	chore(deps): update helm release kube-state-metrics to v7.3.0	2026-04-28 00:07:05 +00:00
Renovate	22db0e5f5b	chore(deps): update helm release external-secrets to v2.4.0	2026-04-28 00:06:57 +00:00
Renovate	ae87765c4b	chore(deps): update helm release alloy to v1.8.0	2026-04-28 00:06:00 +00:00
Renovate	5f258cd68a	chore(deps): update helm release argo-workflows to v1.0.13	2026-04-28 00:05:40 +00:00
Renovate	aac5c5e182	chore(deps): update linuxserver/sonarr:4.0.17 docker digest to 3580aec	2026-04-28 00:05:38 +00:00
Renovate	e1c2e09a98	chore(deps): update linuxserver/radarr:6.1.1 docker digest to b01097a	2026-04-28 00:05:35 +00:00
Renovate	69a5ecb317	chore(deps): update linuxserver/prowlarr:2.3.5 docker digest to c5de2a8	2026-04-28 00:05:32 +00:00
pgijsbertsen	2b9630eb04	chore(gluetun): Rework port forward	2026-04-27 13:20:35 +02:00
pgijsbertsen	bdeec6d819	chore: Add labeldrop for Loki	2026-04-24 15:06:24 +02:00
pgijsbertsen	8c75b869f1	chore: Improve parsed metrics	2026-04-24 15:03:34 +02:00
pgijsbertsen	9d55315f4b	chore: Add nullBytePolicy property	2026-04-17 21:46:49 +02:00
pgijsbertsen	5c1a74db0e	chore: Refactor nfs PVC resource	2026-04-17 21:15:46 +02:00
pgijsbertsen	bd7d2794d4	chore: Update gluetun config	2026-04-17 21:09:51 +02:00
pgijsbertsen	184049745f	chore: Remove unused secrets	2026-04-16 09:03:05 +02:00