chore(deps): update pnpm to v10.17.1 (#35)

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs
from Renovate will soon appear from 'Mend'. Learn more
[here](https://redirect.github.com/renovatebot/renovate/discussions/37842).

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [pnpm](https://pnpm.io)
([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) |
[`10.6.0` ->
`10.17.1`](https://renovatebot.com/diffs/npm/pnpm/10.6.0/10.17.1) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/pnpm/10.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/pnpm/10.6.0/10.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>pnpm/pnpm (pnpm)</summary>

###
[`v10.17.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10171)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.17.0...v10.17.1)

##### Patch Changes

- When a version specifier cannot be resolved because the versions don't
satisfy the `minimumReleaseAge` setting, print this information out in
the error message
[#&#8203;9974](https://redirect.github.com/pnpm/pnpm/pull/9974).
- Fix `state.json` creation path when executing `pnpm patch` in a
workspace project
[#&#8203;9733](https://redirect.github.com/pnpm/pnpm/pull/9733).
- When `minimumReleaseAge` is set and the `latest` tag is not mature
enough, prefer a non-deprecated version as the new `latest`
[#&#8203;9987](https://redirect.github.com/pnpm/pnpm/issues/9987).

###
[`v10.17.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10170)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.16.1...v10.17.0)

##### Minor Changes

- The `minimumReleaseAgeExclude` setting now supports patterns. For
instance:

  ```yaml
  minimumReleaseAge: 1440
  minimumReleaseAgeExclude:
    - "@&#8203;eslint/*"
  ```

Related PR:
[#&#8203;9984](https://redirect.github.com/pnpm/pnpm/pull/9984).

##### Patch Changes

- Don't ignore the `minimumReleaseAge` check, when the package is
requested by exact version and the packument is loaded from cache
[#&#8203;9978](https://redirect.github.com/pnpm/pnpm/issues/9978).
- When `minimumReleaseAge` is set and the active version under a
dist-tag is not mature enough, do not downgrade to a prerelease version
in case the original version wasn't a prerelease one
[#&#8203;9979](https://redirect.github.com/pnpm/pnpm/issues/9979).

###
[`v10.16.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10161)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.16.0...v10.16.1)

##### Patch Changes

- The full metadata cache should be stored not at the same location as
the abbreviated metadata. This fixes a bug where pnpm was loading the
abbreviated metadata from cache and couldn't find the "time" field as a
result
[#&#8203;9963](https://redirect.github.com/pnpm/pnpm/issues/9963).
- Forcibly disable ANSI color codes when generating patch diff
[#&#8203;9914](https://redirect.github.com/pnpm/pnpm/pull/9914).

###
[`v10.16.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10160)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.15.1...v10.16.0)

##### Minor Changes

- There have been several incidents recently where popular packages were
successfully attacked. To reduce the risk of installing a compromised
version, we are introducing a new setting that delays the installation
of newly released dependencies. In most cases, such attacks are
discovered quickly and the malicious versions are removed from the
registry within an hour.

The new setting is called `minimumReleaseAge`. It specifies the number
of minutes that must pass after a version is published before pnpm will
install it. For example, setting `minimumReleaseAge: 1440` ensures that
only packages released at least one day ago can be installed.

If you set `minimumReleaseAge` but need to disable this restriction for
certain dependencies, you can list them under the
`minimumReleaseAgeExclude` setting. For instance, with the following
configuration pnpm will always install the latest version of webpack,
regardless of its release time:

  ```yaml
  minimumReleaseAgeExclude:
    - webpack
  ```

Related issue:
[#&#8203;9921](https://redirect.github.com/pnpm/pnpm/issues/9921).

- Added support for `finders`
[#&#8203;9946](https://redirect.github.com/pnpm/pnpm/pull/9946).

In the past, `pnpm list` and `pnpm why` could only search for
dependencies by **name** (and optionally version). For example:

  ```
  pnpm why minimist
  ```

prints the chain of dependencies to any installed instance of
`minimist`:

  ```
  verdaccio 5.20.1
  ├─┬ handlebars 4.7.7
  │ └── minimist 1.2.8
  └─┬ mv 2.1.1
    └─┬ mkdirp 0.5.6
      └── minimist 1.2.8
  ```

What if we want to search by **other properties** of a dependency, not
just its name? For instance, find all packages that have `react@17` in
their peer dependencies?

This is now possible with "finder functions". Finder functions can be
declared in `.pnpmfile.cjs` and invoked with the `--find-by=<function
name>` flag when running `pnpm list` or `pnpm why`.

Let's say we want to find any dependencies that have React 17 in peer
dependencies. We can add this finder to our `.pnpmfile.cjs`:

  ```js
  module.exports = {
    finders: {
      react17: (ctx) => {
        return ctx.readManifest().peerDependencies?.react === "^17.0.0";
      },
    },
  };
  ```

  Now we can use this finder function by running:

  ```
  pnpm why --find-by=react17
  ```

pnpm will find all dependencies that have this React in peer
dependencies and print their exact locations in the dependency graph.

  ```
  @&#8203;apollo/client 4.0.4
  ├── @&#8203;graphql-typed-document-node/core 3.2.0
  └── graphql-tag 2.12.6
  ```

It is also possible to print out some additional information in the
output by returning a string from the finder. For example, with the
following finder:

  ```js
  module.exports = {
    finders: {
      react17: (ctx) => {
        const manifest = ctx.readManifest();
        if (manifest.peerDependencies?.react === "^17.0.0") {
          return `license: ${manifest.license}`;
        }
        return false;
      },
    },
  };
  ```

Every matched package will also print out the license from its
`package.json`:

  ```
  @&#8203;apollo/client 4.0.4
  ├── @&#8203;graphql-typed-document-node/core 3.2.0
  │   license: MIT
  └── graphql-tag 2.12.6
      license: MIT
  ```

##### Patch Changes

- Fix deprecation warning printed when executing pnpm with Node.js 24
[#&#8203;9529](https://redirect.github.com/pnpm/pnpm/issues/9529).
- Throw an error if `nodeVersion` is not set to an exact semver version
[#&#8203;9934](https://redirect.github.com/pnpm/pnpm/issues/9934).
- `pnpm publish` should be able to publish a `.tar.gz` file
[#&#8203;9927](https://redirect.github.com/pnpm/pnpm/pull/9927).
- Canceling a running process with Ctrl-C should make `pnpm run` return
a non-zero exit code
[#&#8203;9626](https://redirect.github.com/pnpm/pnpm/issues/9626).

###
[`v10.15.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10151)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.15.0...v10.15.1)

##### Patch Changes

- Fix `.pnp.cjs` crash when importing subpath
[#&#8203;9904](https://redirect.github.com/pnpm/pnpm/issues/9904).
- When resolving peer dependencies, pnpm looks whether the peer
dependency is present in the root workspace project's dependencies. This
change makes it so that the peer dependency is correctly resolved even
from aliased npm-hosted dependencies or other types of dependencies
[#&#8203;9913](https://redirect.github.com/pnpm/pnpm/issues/9913).

###
[`v10.15.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10150)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.14.0...v10.15.0)

##### Minor Changes

- Added the `cleanupUnusedCatalogs` configuration. When set to `true`,
pnpm will remove unused catalog entries during installation
[#&#8203;9793](https://redirect.github.com/pnpm/pnpm/pull/9793).
- Automatically load pnpmfiles from config dependencies that are named
`@*/pnpm-plugin-*`
[#&#8203;9780](https://redirect.github.com/pnpm/pnpm/issues/9780).
- `pnpm config get` now prints an INI string for an object value
[#&#8203;9797](https://redirect.github.com/pnpm/pnpm/issues/9797).
- `pnpm config get` now accepts property paths (e.g. `pnpm config get
catalog.react`, `pnpm config get .catalog.react`, `pnpm config get
'packageExtensions["@&#8203;babel/parser"].peerDependencies["@&#8203;babel/types"]'`),
and `pnpm config set` now accepts dot-leading or subscripted keys (e.g.
`pnpm config set .ignoreScripts true`).
- `pnpm config get --json` now prints a JSON serialization of config
value, and `pnpm config set --json` now parses the input value as JSON.

##### Patch Changes

- **Semi-breaking.** When automatically installing missing peer
dependencies, prefer versions that are already present in the direct
dependencies of the root workspace package
[#&#8203;9835](https://redirect.github.com/pnpm/pnpm/pull/9835).
- When executing the `pnpm create` command, must verify whether the node
version is supported even if a cache already exists
[#&#8203;9775](https://redirect.github.com/pnpm/pnpm/pull/9775).
- When making requests for the non-abbreviated packument, add `*/*` to
the `Accept` header to avoid getting a 406 error on AWS CodeArtifact
[#&#8203;9862](https://redirect.github.com/pnpm/pnpm/issues/9862).
- The standalone exe version of pnpm works with glibc 2.26 again
[#&#8203;9734](https://redirect.github.com/pnpm/pnpm/issues/9734).
- Fix a regression in which `pnpm dlx pkg --help` doesn't pass `--help`
to `pkg`
[#&#8203;9823](https://redirect.github.com/pnpm/pnpm/issues/9823).

###
[`v10.14.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10140)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.13.1...v10.14.0)

##### Minor Changes

- **Added support for JavaScript runtime resolution**

Declare Node.js, Deno, or Bun in
[`devEngines.runtime`](https://redirect.github.com/openjs-foundation/package-metadata-interoperability-collab-space/issues/15)
(inside `package.json`) and let pnpm download and pin it automatically.

  Usage example:

  ```json
  {
    "devEngines": {
      "runtime": {
        "name": "node",
        "version": "^24.4.0",
"onFail": "download" (we only support the "download" value for now)
      }
    }
  }
  ```

  How it works:

1. `pnpm install` resolves your specified range to the latest matching
runtime version.
  2. The exact version (and checksum) is saved in the lockfile.
3. Scripts use the local runtime, ensuring consistency across
environments.

  Why this is better:

1. This new setting supports also Deno and Bun (vs. our Node-only
settings `useNodeVersion` and `executionEnv.nodeVersion`)
  2. Supports version ranges (not just a fixed version).
3. The resolved version is stored in the pnpm lockfile, along with an
integrity checksum for future validation of the Node.js content's
validity.
4. It can be used on any workspace project (like
`executionEnv.nodeVersion`). So, different projects in a workspace can
use different runtimes.
5. For now `devEngines.runtime` setting will install the runtime
locally, which we will improve in future versions of pnpm by using a
shared location on the computer.

Related PR:
[#&#8203;9755](https://redirect.github.com/pnpm/pnpm/pull/9755).

- Add `--cpu`, `--libc`, and `--os` to `pnpm install`, `pnpm add`, and
`pnpm dlx` to customize `supportedArchitectures` via the CLI
[#&#8203;7510](https://redirect.github.com/pnpm/pnpm/issues/7510).

##### Patch Changes

- Fix a bug in which `pnpm add` downloads packages whose `libc` differ
from `pnpm.supportedArchitectures.libc`.
- The integrities of the downloaded Node.js artifacts are verified
[#&#8203;9750](https://redirect.github.com/pnpm/pnpm/pull/9750).
- Allow `dlx` to parse CLI flags and options between the `dlx` command
and the command to run or between the `dlx` command and `--`
[#&#8203;9719](https://redirect.github.com/pnpm/pnpm/issues/9719).
- `pnpm install --prod` should removing hoisted dev dependencies
[#&#8203;9782](https://redirect.github.com/pnpm/pnpm/issues/9782).
- Fix an edge case bug causing local tarballs to not re-link into the
virtual store. This bug would happen when changing the contents of the
tarball without renaming the file and running a filtered install.
- Fix a bug causing `pnpm install` to incorrectly assume the lockfile is
up to date after changing a local tarball that has peers dependencies.

###
[`v10.13.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10131)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.13.0...v10.13.1)

##### Patch Changes

- Run user defined pnpmfiles after pnpmfiles of plugins.

###
[`v10.13.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10130)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.12.4...v10.13.0)

##### Minor Changes

- Added the possibility to load multiple pnpmfiles. The `pnpmfile`
setting can now accept a list of pnpmfile locations
[#&#8203;9702](https://redirect.github.com/pnpm/pnpm/pull/9702).
- pnpm will now automatically load the `pnpmfile.cjs` file from any
[config dependency](https://pnpm.io/config-dependencies) named
`@pnpm/plugin-*` or `pnpm-plugin-*`
[#&#8203;9729](https://redirect.github.com/pnpm/pnpm/pull/9729).

The order in which config dependencies are initialized should not matter
— they are initialized in alphabetical order. If a specific order is
needed, the paths to the `pnpmfile.cjs` files in the config dependencies
can be explicitly listed using the `pnpmfile` setting in
`pnpm-workspace.yaml`.

##### Patch Changes

- When patching dependencies installed via `pkg.pr.new`, treat them as
Git tarball URLs
[#&#8203;9694](https://redirect.github.com/pnpm/pnpm/pull/9694).
- Prevent conflicts between local projects' config and the global config
in `dangerouslyAllowAllBuilds`, `onlyBuiltDependencies`,
`onlyBuiltDependenciesFile`, and `neverBuiltDependencies`
[#&#8203;9628](https://redirect.github.com/pnpm/pnpm/issues/9628).
- Sort keys in `pnpm-workspace.yaml` with deep
[#&#8203;9701](https://redirect.github.com/pnpm/pnpm/pull/9701).
- The `pnpm rebuild` command should not add pkgs included in
`ignoredBuiltDependencies` to `ignoredBuilds` in
`node_modules/.modules.yaml`
[#&#8203;9338](https://redirect.github.com/pnpm/pnpm/issues/9338).
- Replaced `shell-quote` with `shlex` for quoting command arguments
[#&#8203;9381](https://redirect.github.com/pnpm/pnpm/issues/9381).

###
[`v10.12.4`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10124)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.12.3...v10.12.4)

##### Patch Changes

- Fix `pnpm licenses` command for local dependencies
[#&#8203;9583](https://redirect.github.com/pnpm/pnpm/pull/9583).
- Fix a bug in which `pnpm ls --filter=not-exist --json` prints nothing
instead of an empty array
[#&#8203;9672](https://redirect.github.com/pnpm/pnpm/issues/9672).
- Fix a deadlock that sometimes happens during peer dependency
resolution
[#&#8203;9673](https://redirect.github.com/pnpm/pnpm/issues/9673).
- Running `pnpm install` after `pnpm fetch` should hoist all
dependencies that need to be hoisted.
Fixes a regression introduced in \[v10.12.2] by
\[[#&#8203;9648](https://redirect.github.com/pnpm/pnpm/issues/9648)];
resolves
\[[#&#8203;9689](https://redirect.github.com/pnpm/pnpm/issues/9689)].

\[v10.12.2]:
https://redirect.github.com/pnpm/pnpm/releases/tag/v10.12.2Add
commentMore actions
\[[#&#8203;9648](https://redirect.github.com/pnpm/pnpm/issues/9648)]:
[https://github.com/pnpm/pnpm/pull/9648](https://redirect.github.com/pnpm/pnpm/pull/9648)
\[[#&#8203;9689](https://redirect.github.com/pnpm/pnpm/issues/9689)]:
[https://github.com/pnpm/pnpm/issues/9689](https://redirect.github.com/pnpm/pnpm/issues/9689)

###
[`v10.12.3`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10123)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.12.2...v10.12.3)

##### Patch Changes

- Restore hoisting of optional peer dependencies when installing with an
outdated lockfile.
Regression introduced in [v10.12.2] by [#&#8203;9648]; resolves
[#&#8203;9685].

[v10.12.2]: https://redirect.github.com/pnpm/pnpm/releases/tag/v10.12.2

  [#&#8203;9648]: https://redirect.github.com/pnpm/pnpm/pull/9648

  [#&#8203;9685]: https://redirect.github.com/pnpm/pnpm/issues/9685

###
[`v10.12.2`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10122)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.12.1...v10.12.2)

##### Patch Changes

- Fixed hoisting with `enableGlobalVirtualStore` set to `true`
[#&#8203;9648](https://redirect.github.com/pnpm/pnpm/pull/9648).
- Fix the `--help` and `-h` flags not working as expected for the `pnpm
create` command.
- The dependency package path output by the `pnpm licenses list --json`
command is incorrect.
- Fix a bug in which `pnpm deploy` fails due to overridden dependencies
having peer dependencies causing `ERR_PNPM_OUTDATED_LOCKFILE`
[#&#8203;9595](https://redirect.github.com/pnpm/pnpm/issues/9595).

###
[`v10.12.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10121)

##### Minor Changes

- **Experimental.** Added support for global virtual stores. When
enabled, `node_modules` contains only symlinks to a central virtual
store, rather to `node_modules/.pnpm`. By default, this central store is
located at `<store-path>/links` (you can find the store path by running
`pnpm store path`).

In the central virtual store, each package is hard linked into a
directory whose name is the hash of its dependency graph. This allows
multiple projects on the system to symlink shared dependencies from this
central location, significantly improving installation speed when a warm
cache is available.

> This is conceptually similar to how [NixOS manages
packages](https://nixos.org/guides/how-nix-works/), using dependency
graph hashes to create isolated and reusable package directories.

To enable the global virtual store, set `enableGlobalVirtualStore: true`
in your root `pnpm-workspace.yaml`, or globally via:

    ```sh
    pnpm config -g set enable-global-virtual-store true
    ```

NOTE: In CI environments, where caches are typically cold, this setting
may slow down installation. pnpm automatically disables the global
virtual store when running in CI.

Related PR:
[#&#8203;8190](https://redirect.github.com/pnpm/pnpm/pull/8190)

<!---->

- The `pnpm update` command now supports updating `catalog:` protocol
dependencies and writes new specifiers to `pnpm-workspace.yaml`.
- Added two new CLI options (`--save-catalog` and
`--save-catalog-name=<name>`) to `pnpm add` to save new dependencies as
catalog entries. `catalog:` or `catalog:<name>` will be added to
`package.json` and the package specifier will be added to the `catalogs`
or `catalog[<name>]` object in `pnpm-workspace.yaml`
[#&#8203;9425](https://redirect.github.com/pnpm/pnpm/issues/9425).
- **Semi-breaking.** The keys used for side-effects caches have changed.
If you have a side-effects cache generated by a previous version of
pnpm, the new version will not use it and will create a new cache
instead [#&#8203;9605](https://redirect.github.com/pnpm/pnpm/pull/9605).
- Added a new setting called `ci` for explicitly telling pnpm if the
current environment is a CI or not.

##### Patch Changes

- Sort versions printed by `pnpm patch` using semantic versioning rules.
- Improve the way the error message displays mismatched specifiers. Show
differences instead of 2 whole objects
[#&#8203;9598](https://redirect.github.com/pnpm/pnpm/pull/9598).
- Revert [#&#8203;9574](https://redirect.github.com/pnpm/pnpm/pull/9574)
to fix a regression
[#&#8203;9596](https://redirect.github.com/pnpm/pnpm/issues/9596).

###
[`v10.11.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10111)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.11.0...v10.11.1)

##### Patch Changes

- Fix an issue in which `pnpm deploy --legacy` creates unexpected
directories when the root `package.json` has a workspace package as a
peer dependency
[#&#8203;9550](https://redirect.github.com/pnpm/pnpm/issues/9550).
- Dependencies specified via a URL that redirects will only be locked to
the target if it is immutable, fixing a regression when installing from
GitHub releases.
([#&#8203;9531](https://redirect.github.com/pnpm/pnpm/issues/9531))
- Installation should not exit with an error if `strictPeerDependencies`
is `true` but all issues are ignored by `peerDependencyRules`
[#&#8203;9505](https://redirect.github.com/pnpm/pnpm/pull/9505).
- Use `pnpm_config_` env variables instead of `npm_config_`
[#&#8203;9571](https://redirect.github.com/pnpm/pnpm/pull/9571).
- Fix a regression (in v10.9.0) causing the `--lockfile-only` flag on
`pnpm update` to produce a different `pnpm-lock.yaml` than an update
without the flag.
- Let `pnpm deploy` work in repos with `overrides` when
`inject-workspace-packages=true`
[#&#8203;9283](https://redirect.github.com/pnpm/pnpm/issues/9283).
- Fixed the problem of path loss caused by parsing URL address. Fixes a
regression shipped in pnpm v10.11 via
[#&#8203;9502](https://redirect.github.com/pnpm/pnpm/pull/9502).
- `pnpm -r --silent run` should not print out section
[#&#8203;9563](https://redirect.github.com/pnpm/pnpm/issues/9563).

###
[`v10.11.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10110)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.10.0...v10.11.0)

##### Minor Changes

- A new setting added for `pnpm init` to create a `package.json` with
`type=module`, when `init-type` is `module`. Works as a flag for the
init command too
[#&#8203;9463](https://redirect.github.com/pnpm/pnpm/pull/9463).

- Added support for Nushell to `pnpm setup`
[#&#8203;6476](https://redirect.github.com/pnpm/pnpm/issues/6476).

- Added two new flags to the `pnpm audit` command, `--ignore` and
`--ignore-unfixable`
[#&#8203;8474](https://redirect.github.com/pnpm/pnpm/pull/8474).

    Ignore all vulnerabilities that have no solution:

    ```shell
    > pnpm audit --ignore-unfixable
    ```

Provide a list of CVE's to ignore those specifically, even if they have
a resolution.

    ```shell
    > pnpm audit --ignore=CVE-2021-1234 --ignore=CVE-2021-5678
    ```

- Added support for recursively running pack in every project of a
workspace
[#&#8203;4351](https://redirect.github.com/pnpm/pnpm/issues/4351).

Now you can run `pnpm -r pack` to pack all packages in the workspace.

##### Patch Changes

- pnpm version management should work, when `dangerouslyAllowAllBuilds`
is set to `true`
[#&#8203;9472](https://redirect.github.com/pnpm/pnpm/issues/9472).
- `pnpm link` should work from inside a workspace
[#&#8203;9506](https://redirect.github.com/pnpm/pnpm/issues/9506).
- Set the default `workspaceConcurrency` to
`Math.min(os.availableParallelism(), 4)`
[#&#8203;9493](https://redirect.github.com/pnpm/pnpm/pull/9493).
- Installation should not exit with an error if `strictPeerDependencies`
is `true` but all issues are ignored by `peerDependencyRules`
[#&#8203;9505](https://redirect.github.com/pnpm/pnpm/pull/9505).
- Read `updateConfig` from `pnpm-workspace.yaml`
[#&#8203;9500](https://redirect.github.com/pnpm/pnpm/issues/9500).
-   Add support for `recursive pack`
- Remove `url.parse` usage to fix warning on Node.js 24
[#&#8203;9492](https://redirect.github.com/pnpm/pnpm/issues/9492).
- `pnpm run` should be able to run commands from the workspace root, if
`ignoreScripts` is set tot `true`
[#&#8203;4858](https://redirect.github.com/pnpm/pnpm/issues/4858).

###
[`v10.10.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#10100)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.9.0...v10.10.0)

##### Minor Changes

- Allow loading the `preResolution`, `importPackage`, and `fetchers`
hooks from local pnpmfile.

##### Patch Changes

- Fix `cd` command, when `shellEmulator` is `true`
[#&#8203;7838](https://redirect.github.com/pnpm/pnpm/issues/7838).
- Sort keys in `pnpm-workspace.yaml`
[#&#8203;9453](https://redirect.github.com/pnpm/pnpm/pull/9453).
- Pass the `npm_package_json` environment variable to the executed
scripts
[#&#8203;9452](https://redirect.github.com/pnpm/pnpm/issues/9452).
- Fixed a mistake in the description of the `--reporter=silent` option.

###
[`v10.9.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1090)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.8.1...v10.9.0)

##### Minor Changes

- **Added support for installing JSR packages.** You can now install JSR
packages using the following syntax:

        pnpm add jsr:<pkg_name>

    or with a version range:

        pnpm add jsr:<pkg_name>@&#8203;<range>

    For example, running:

        pnpm add jsr:@&#8203;foo/bar

    will add the following entry to your `package.json`:

    ```json
    {
      "dependencies": {
        "@&#8203;foo/bar": "jsr:^0.1.2"
      }
    }
    ```

When publishing, this entry will be transformed into a format compatible
with npm, older versions of Yarn, and previous pnpm versions:

    ```json
    {
      "dependencies": {
        "@&#8203;foo/bar": "npm:@&#8203;jsr/foo__bar@^0.1.2"
      }
    }
    ```

Related issue:
[#&#8203;8941](https://redirect.github.com/pnpm/pnpm/issues/8941).

Note: The `@jsr` scope defaults to <https://npm.jsr.io/> if the
`@jsr:registry` setting is not defined.

- Added a new setting, `dangerouslyAllowAllBuilds`, for automatically
running any scripts of dependencies without the need to approve any
builds. It was already possible to allow all builds by adding this to
`pnpm-workspace.yaml`:

    ```yaml
    neverBuiltDependencies: []
    ```

`dangerouslyAllowAllBuilds` has the same effect but also allows to be
set globally via:

        pnpm config set dangerouslyAllowAllBuilds true

    It can also be set when running a command:

        pnpm install --dangerously-allow-all-builds

##### Patch Changes

- Fix a false negative in `verifyDepsBeforeRun` when `nodeLinker` is
`hoisted` and there is a workspace package without dependencies and
`node_modules` directory
[#&#8203;9424](https://redirect.github.com/pnpm/pnpm/issues/9424).
- Explicitly drop `verifyDepsBeforeRun` support for `nodeLinker: pnp`.
Combining `verifyDepsBeforeRun` and `nodeLinker: pnp` will now print a
warning.

###
[`v10.8.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1081)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.8.0...v10.8.1)

##### Patch Changes

- Removed bright white highlighting, which didn't look good on some
light themes
[#&#8203;9389](https://redirect.github.com/pnpm/pnpm/pull/9389).
- If there is no pnpm related configuration in `package.json`,
`onlyBuiltDependencies` will be written to `pnpm-workspace.yaml` file
[#&#8203;9404](https://redirect.github.com/pnpm/pnpm/pull/9404).

###
[`v10.8.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1080)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.7.1...v10.8.0)

##### Minor Changes

- **Experimental.** A new hook is supported for updating configuration
settings. The hook can be provided via `.pnpmfile.cjs`. For example:

  ```js
  module.exports = {
    hooks: {
      updateConfig: (config) => ({
        ...config,
        nodeLinker: "hoisted",
      }),
    },
  };
  ```

- Now you can use the `pnpm add` command with the `--config` flag to
install new configurational dependencies
[#&#8203;9377](https://redirect.github.com/pnpm/pnpm/pull/9377).

##### Patch Changes

- Do not hang indefinitely, when there is a glob that starts with `!/`
in `pnpm-workspace.yaml`. This fixes a regression introduced by
[#&#8203;9169](https://redirect.github.com/pnpm/pnpm/pull/9169).
- `pnpm audit --fix` should update the overrides in
`pnpm-workspace.yaml`.
- `pnpm link` should update overrides in `pnpm-workspace.yaml`, not in
`package.json`
[#&#8203;9365](https://redirect.github.com/pnpm/pnpm/pull/9365).

###
[`v10.7.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1071)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.7.0...v10.7.1)

##### Patch Changes

- `pnpm config set` should convert the settings to their correct type
before adding them to `pnpm-workspace.yaml`
[#&#8203;9355](https://redirect.github.com/pnpm/pnpm/issues/9355).
- `pnpm config get` should read auth related settings via npm CLI
[#&#8203;9345](https://redirect.github.com/pnpm/pnpm/issues/9345).
- Replace leading `~/` in a path in `.npmrc` with the home directory
[#&#8203;9217](https://redirect.github.com/pnpm/pnpm/issues/9217).

###
[`v10.7.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1070)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.6.5...v10.7.0)

##### Minor Changes

- `pnpm config get` and `list` also show settings set in
`pnpm-workspace.yaml` files
[#&#8203;9316](https://redirect.github.com/pnpm/pnpm/pull/9316).

- It should be possible to use env variables in `pnpm-workspace.yaml`
setting names and value.

- Add an ability to patch dependencies by version ranges. Exact versions
override version ranges, which in turn override name-only patches.
Version range `*` is the same as name-only, except that patch
application failure will not be ignored.

  For example:

  ```yaml
  patchedDependencies:
    foo: patches/foo-1.patch
    foo@^2.0.0: patches/foo-2.patch
    foo@2.1.0: patches/foo-3.patch
  ```

The above configuration would apply `patches/foo-3.patch` to
`foo@2.1.0`, `patches/foo-2.patch` to all `foo` versions which satisfy
`^2.0.0` except `2.1.0`, and `patches/foo-1.patch` to the remaining
`foo` versions.

  > \[!WARNING]
> The version ranges should not overlap. If you want to specialize a sub
range, make sure to exclude it from the other keys. For example:
  >
  > ```yaml
  > # pnpm-workspace.yaml
  > patchedDependencies:
  >   # the specialized sub range
  >   'foo@2.2.0-2.8.0': patches/foo.2.2.0-2.8.0.patch
  >   # the more general patch, excluding the sub range above
  >   'foo@>=2.0.0 <2.2.0 || >2.8.0': 'patches/foo.gte2.patch
  > ```
  >
> In most cases, however, it's sufficient to just define an exact
version to override the range.

- `pnpm config set --location=project` saves the setting to a
`pnpm-workspace.yaml` file if no `.npmrc` file is present in the
directory
[#&#8203;9316](https://redirect.github.com/pnpm/pnpm/pull/9316).

- Rename `pnpm.allowNonAppliedPatches` to `pnpm.allowUnusedPatches`. The
old name is still supported but it would print a deprecation warning
message.

- Add `pnpm.ignorePatchFailures` to manage whether pnpm would ignore
patch application failures.

If `ignorePatchFailures` is not set, pnpm would throw an error when
patches with exact versions or version ranges fail to apply, and it
would ignore failures from name-only patches.

If `ignorePatchFailures` is explicitly set to `false`, pnpm would throw
an error when any type of patch fails to apply.

If `ignorePatchFailures` is explicitly set to `true`, pnpm would print a
warning when any type of patch fails to apply.

##### Patch Changes

- Remove dependency paths from audit output to prevent out-of-memory
errors
[#&#8203;9280](https://redirect.github.com/pnpm/pnpm/issues/9280).

###
[`v10.6.5`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1065)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.6.4...v10.6.5)

##### Patch Changes

- Remove warnings after having explicitly approved no builds
[#&#8203;9296](https://redirect.github.com/pnpm/pnpm/issues/9296).
- When installing different dependency packages, should retain the
`ignoredBuilds` field in the `.modules.yaml` file
[#&#8203;9240](https://redirect.github.com/pnpm/pnpm/issues/9240).
- Fix usages of the [`catalog:` protocol](https://pnpm.io/catalogs) in
[injected local workspace
packages](https://pnpm.io/package_json#dependenciesmetainjected). This
previously errored with `ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER`.
[#&#8203;8715](https://redirect.github.com/pnpm/pnpm/issues/8715)
- Setting `workspace-concurrency` to less than or equal to 0 should work
[#&#8203;9297](https://redirect.github.com/pnpm/pnpm/issues/9297).

###
[`v10.6.4`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1064)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.6.3...v10.6.4)

##### Patch Changes

- Fix `pnpm dlx` with `--allow-build` flag
[#&#8203;9263](https://redirect.github.com/pnpm/pnpm/issues/9263).
- Invalid Node.js version in `use-node-version` should not cause pnpm
itself to break
[#&#8203;9276](https://redirect.github.com/pnpm/pnpm/issues/9276).
- The max amount of workers running for linking packages from the store
has been reduced to 4 to achieve optimal results
[#&#8203;9286](https://redirect.github.com/pnpm/pnpm/issues/9286). The
workers are performing many file system operations, so increasing the
number of CPUs doesn't help performance after some point.

###
[`v10.6.3`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1063)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.6.2...v10.6.3)

##### Patch Changes

- `pnpm install --prod=false` should not crash, when executed in a
project with a `pnpm-workspace.yaml` file
[#&#8203;9233](https://redirect.github.com/pnpm/pnpm/issues/9233). This
fixes regression introduced via
[#&#8203;9211](https://redirect.github.com/pnpm/pnpm/pull/9211).
- Add the missing `node-options` config to `recursive run`
[#&#8203;9180](https://redirect.github.com/pnpm/pnpm/issues/9180).
- Removed a branching code path that only executed when
`dedupe-peer-dependents=false`. We believe this internal refactor will
not result in behavior changes, but we expect it to make future pnpm
versions behave more consistently for projects that override
`dedupe-peer-dependents` to false. There should be less unique bugs from
turning off `dedupe-peer-dependents`.

See details in
[#&#8203;9259](https://redirect.github.com/pnpm/pnpm/pull/9259).

###
[`v10.6.2`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1062)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.6.1...v10.6.2)

##### Patch Changes

- `pnpm self-update` should always update the version in the
`packageManager` field of `package.json`.
- Fix running pnpm CLI from pnpm CLI on Windows when the CLI is bundled
to an executable
[#&#8203;8971](https://redirect.github.com/pnpm/pnpm/issues/8971).
- `pnpm patch-commit` will now use the same filesystem as the store
directory to compare and create patch files.
- Don't show info output when `--loglevel=error` is used.
- `peerDependencyRules` should be set in `pnpm-workspace.yaml` to take
effect.

###
[`v10.6.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1061)

[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v10.6.0...v10.6.1)

##### Patch Changes

- The pnpm CLI process should not stay hanging, when `--silent`
reporting is used.
- When `--loglevel` is set to `error`, don't show installation summary,
execution time, and big tarball download progress.
- Don't ignore pnpm.patchedDependencies from `package.json`
[#&#8203;9226](https://redirect.github.com/pnpm/pnpm/issues/9226).
- When executing the `approve-builds` command, if package.json contains
`onlyBuiltDependencies` or `ignoredBuiltDependencies`, the selected
dependency package will continue to be written into `package.json`.
- When a package version cannot be found in the package metadata, print
the registry from which the package was fetched.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/morten-olsen/homelab-operator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45Ny4xMCIsInVwZGF0ZWRJblZlciI6IjQxLjk3LjEwIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/main.yml

@@ -29,7 +29,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version: "${{ env.NODE_VERSION }}"
           registry-url: "${{ env.NODE_REGISTRY }}"
@@ -55,10 +55,12 @@ jobs:
 
       - name: Install dependencies
         run: pnpm install
+        working-directory: images/operator
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Run tests
+        working-directory: images/operator
         run: pnpm test
 
   update-release-draft:
@@ -71,9 +73,23 @@ jobs:
     environment: release
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - id: create-release
+        uses: release-drafter/release-drafter@v6
         with:
           config-name: release-drafter-config.yml
           publish: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/checkout@v4
+
+      - name: Upload Release Asset
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create-release.outputs.upload_url }}
+          asset_path: ./operator.yaml
+          asset_name: operator.yaml
+          asset_content_type: application/yaml

.github/workflows/publish-backup-tag.yml

@@ -0,0 +1,65 @@
+name: Publish tag
+
+on:
+  push:
+    branches:
+      - "main"
+    tags:
+      - "v*"
+
+env:
+  environment: test
+  release_channel: latest
+  DO_NOT_TRACK: "1"
+  NODE_VERSION: "23.x"
+  DOCKER_REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}-backup
+  PNPM_VERSION: 10.6.0
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  release:
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+      pages: write
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@5b7b28b1cc417bbd34cd8c225a957c9ce9adf7f2
+        with:
+          registry: ${{ env.DOCKER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@032a4b3bda1b716928481836ac5bfe36e1feaad6
+        with:
+          images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@cb8fc7586f9ad9441b20c33e0f6e8b1b58d8b4c6
+        with:
+          context: ./images/backup
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/publish-tag.yml

@@ -3,7 +3,7 @@ name: Publish tag
 on:
   push:
     branches:
-      - 'main'
+      - "main"
     tags:
       - "v*"
 
@@ -36,7 +36,7 @@ jobs:
           fetch-depth: 0
 
       - name: Log in to the Container registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        uses: docker/login-action@5b7b28b1cc417bbd34cd8c225a957c9ce9adf7f2
         with:
           registry: ${{ env.DOCKER_REGISTRY }}
           username: ${{ github.actor }}
@@ -44,15 +44,15 @@ jobs:
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        uses: docker/metadata-action@032a4b3bda1b716928481836ac5bfe36e1feaad6
         with:
           images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build and push Docker image
         id: push
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        uses: docker/build-push-action@cb8fc7586f9ad9441b20c33e0f6e8b1b58d8b4c6
         with:
-          context: .
+          context: ./images/operator
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
@@ -62,4 +62,4 @@ jobs:
         with:
           subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME}}
           subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          push-to-registry: true

.github/workflows/renovate.yml

@@ -0,0 +1,16 @@
+name: Renovate
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 */6 * * *"
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v40.2.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          configurationFile: ./renovate.json5

.gitignore

@@ -1,36 +1,4 @@
-# dependencies (bun install)
+/secret.*.yaml
-node_modules
+/data/
-
+/.envrc
-# output
+*.DS_Store
-out
-dist
-*.tgz
-
-# code coverage
-coverage
-*.lcov
-
-# logs
-logs
-_.log
-report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
-
-# dotenv environment variable files
-.env
-.env.development.local
-.env.test.local
-.env.production.local
-.env.local
-
-# caches
-.eslintcache
-.cache
-*.tsbuildinfo
-
-# IntelliJ based IDEs
-.idea
-
-# Finder (MacOS) folder config
-.DS_Store
-
-/data/

Dockerfile

@@ -1,6 +0,0 @@
-FROM node:23-alpine
-RUN corepack enable
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --frozen-lockfile --prod
-COPY . .
-CMD ["node", "src/index.ts"]

Makefile

@@ -1,15 +1,14 @@
-.PHONY: setup dev-recreate dev-create dev-destroy
+.PHONY: dev-recreate dev-destroy server-install
-
-setup:
-	./scripts/setup-server.sh
 
 dev-destroy:
 	colima delete -f
 
-dev-create:
+dev-recreate: dev-destroy
-	colima start --network-address --kubernetes -m 8 --mount ${PWD}/data:/data:w --k3s-arg="--disable=helm-controller,local-storage"
+	colima start --network-address --kubernetes -m 8 --k3s-arg="--disable helm-controller,local-storage,traefik --docker" # --mount ${PWD}/data:/data:w 
+	flux install --components="source-controller,helm-controller"
 
-dev-recreate: dev-destroy dev-create setup
+setup-flux:
+	flux install --components="source-controller,helm-controller"
 
 server-install:
 	curl -sfL https://get.k3s.io | sh -s - --disable traefik,local-storage,helm-controller

README.md

@@ -1,6 +0,0 @@
-## Bootstrap repo
-
-```
-brew install fluxcd/tap/flux
-make setup-server
-```

TODO.md

@@ -1 +0,0 @@
-- Fix issue with incompatible spec breaking the server

cert-issuer.yaml

@@ -1,19 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: alice@alice.com
-    privateKeySecretRef:
-      name: letsencrypt-prod-account-key
-    solvers:
-      - dns01:
-          cloudflare:
-            email: alice@alice.com
-            apiTokenSecretRef:
-              name: cloudflare-api-token
-              key: api-token

chart/templates/clusterrole.yaml

@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "homelab-operator.fullname" . }}
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "get", "watch", "list"]
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "watch", "list", "patch"]
-- apiGroups: ["apiextensions.k8s.io"]
-  resources: ["customresourcedefinitions"]
-  verbs: ["get", "create", "replace"]

charts/apps/AGENT.md

@@ -0,0 +1,136 @@
+# Agent Documentation
+
+This document describes how to create a new application chart for the homelab operator.
+
+## Chart Structure
+
+Each application has its own chart located in a directory under `charts/apps`. The chart should contain the following files:
+
+- `Chart.yaml`: The chart metadata.
+- `values.yaml`: The default values for the chart.
+- `templates/`: A directory containing the Kubernetes resource templates.
+
+## Custom Resources
+
+The homelab operator uses several custom resources to manage applications. These resources are defined in the `templates` directory of the chart.
+
+### `PostgresDatabase`
+
+If the application requires a PostgreSQL database, you can create a `PostgresDatabase` resource. The operator will automatically create a database and a secret containing the connection details. The secret will have the same name as the release with a `-pg-connection` postfix.
+
+Example:
+
+```yaml
+# templates/database.yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+```
+
+The secret has the following values:
+
+- `database`: name of the created database
+- `host`: the hostname of the postgres server
+- `port`: the port of the postgres server
+- `url`: combined url in the format `postgresql://{user}:{password}@{host}:{port}/{database}`
+
+### `OidcClient`
+
+If the application requires OIDC authentication, you can create an `OidcClient` resource. The operator will automatically create an OIDC client and a secret containing the client ID and secret. The secret will have the same name as the release with a `-client` postfix.
+
+You need to specify the redirect URIs for the OIDC client. The subdomain is taken from the `values.yaml` file.
+
+Example:
+
+```yaml
+# templates/client.yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  redirectUris:
+    - path: /user/oauth2/Authentik/callback
+      subdomain: "{{ .Values.subdomain }}"
+      matchingMode: strict
+```
+
+The secret has the following value:
+
+- `authorization`: Authorization endpoint
+- `clientId`
+- `clientSecret`
+- `configuration`: autodiscovery endpoint
+- `configurationIssuer`: issuer url
+- `endSession`: end session endpoint
+- `jwks`: jwks endpoint
+- `token`: token endpoint
+- `userinfo`: user info endpoint
+
+### `HttpService` and `ExternalHttpService`
+
+To expose the application, you can use either an `HttpService` or an `ExternalHttpService` resource.
+
+- `HttpService`: This will expose the application through the Istio gateway. This is for internal access only.
+- `ExternalHttpService`: This will expose the application through a CloudFlare tunnel. This is for external access.
+
+Both resources take a `subdomain` and a `destination` as parameters. The `destination` is the Kubernetes service to route traffic to.
+
+Example of `HttpService`:
+
+```yaml
+# templates/http-service.yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local"
+    port:
+      number: 80
+```
+
+Example of `ExternalHttpService`:
+
+```yaml
+# templates/external-http-service.yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local"
+    port:
+      number: 80
+```
+
+## `values.yaml`
+
+The `values.yaml` file should contain the following values:
+
+- `globals.environment`: The environment the application is running in (e.g., `prod`, `dev`).
+- `image.repository`: The Docker image repository.
+- `image.tag`: The Docker image tag.
+- `subdomain`: The subdomain for the application.
+
+Example:
+
+```yaml
+# values.yaml
+globals:
+  environment: prod
+image:
+  repository: docker.gitea.com/gitea
+  tag: latest
+subdomain: gitea
+```

charts/apps/apprise/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: apprise

charts/apps/apprise/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /oauth/oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/apprise/templates/deployment.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+            - name: BASE_URL
+              value: https://{{ .Values.subdomain }}.{{ .Values.globals.domain }}
+          volumeMounts:
+            - mountPath: /config
+              name: data
+
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

charts/apps/apprise/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}"
+    port:
+      number: 80

charts/apps/apprise/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/apprise/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8000
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"

charts/apps/apprise/values.yaml

@@ -0,0 +1,9 @@
+globals:
+  environment: prod
+  timezone: Europe/Amsterdam
+  domain: olsen.cloud
+image:
+  repository: docker.io/caronc/apprise
+  tag: latest@sha256:127b3834f0679502529397ead8ffeaadf5189019c4c863fa6652e9b942fdccf8
+  pullPolicy: IfNotPresent
+subdomain: apprise

charts/apps/audiobookshelf/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: audiobookshelf

charts/apps/audiobookshelf/templates/client.yaml

@@ -0,0 +1,13 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /audiobookshelf/auth/openid/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict
+    - path: /audiobookshelf/auth/openid/mobile-redirect
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/audiobookshelf/templates/deployment.yaml

@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /config
+              name: config
+            - mountPath: /metadata
+              name: metadata
+            - mountPath: /audiobooks
+              name: audiobooks
+            - mountPath: /podcasts
+              name: podcasts
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-config'
+        - name: metadata
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-metadata'
+        - name: audiobooks
+          persistentVolumeClaim:
+            claimName: books
+        - name: podcasts
+          persistentVolumeClaim:
+            claimName: podcasts

charts/apps/audiobookshelf/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/audiobookshelf/templates/pvc.yaml

@@ -0,0 +1,24 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-config'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'
+
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-metadata'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/audiobookshelf/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/audiobookshelf/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: ghcr.io/advplyr/audiobookshelf
+  tag: 2.26.1@sha256:5901162ccdf4b44f563ff2012484d5e315d9a1ecd6af86f7fe605ec96bbc5039
+  pullPolicy: IfNotPresent
+subdomain: audiobookshelf

charts/apps/baikal/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: esphome

charts/apps/baikal/templates/database.yaml

@@ -0,0 +1,6 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'

charts/apps/baikal/templates/deployment.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+          volumeMounts:
+            - mountPath: /var/www/baikal/Specific
+              name: data
+            - mountPath: /var/www/baikal/config
+              name: config
+
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"
+        - name: config
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-config"

charts/apps/baikal/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/baikal/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}"
+    port:
+      number: 80

charts/apps/baikal/templates/pvc.yaml

@@ -0,0 +1,24 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: "{{ .Release.Name }}-data"
+spec:
+  accessModes:
+    - "ReadWriteOnce"
+  resources:
+    requests:
+      storage: "1Gi"
+  storageClassName: "{{ .Values.globals.environment }}"
+
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: "{{ .Release.Name }}-config"
+spec:
+  accessModes:
+    - "ReadWriteOnce"
+  resources:
+    requests:
+      storage: "1Gi"
+  storageClassName: "{{ .Values.globals.environment }}"

charts/apps/baikal/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"

charts/apps/baikal/values.yaml

@@ -0,0 +1,9 @@
+globals:
+  environment: prod
+  timezone: Europe/Amsterdam
+  domain: olsen.cloud
+image:
+  repository: docker.io/ckulka/baikal
+  tag: nginx@sha256:045918423df00a3f9ec793a819b9acdb055d338b75387926b7d93d753ac1e93a
+  pullPolicy: IfNotPresent
+subdomain: baikal

charts/apps/bytestash/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: ByteStash

charts/apps/bytestash/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /api/auth/oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/bytestash/templates/deployment.yaml

@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: ghcr.io/jordan-dalby/bytestash:latest
+          ports:
+            - containerPort: 5000
+              name: http
+          env:
+            - name: ALLOW_NEW_ACCOUNTS
+              value: "true"
+            - name: DISABLE_INTERNAL_ACCOUNTS
+              value: "true"
+            - name: OIDC_ENABLED
+              value: "true"
+            - name: OIDC_DISPLAY_NAME
+              value: OIDC
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: clientId
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: clientSecret
+            - name: OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: configurationIssuer
+
+          volumeMounts:
+            - mountPath: /data/snippets
+              name: data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

charts/apps/bytestash/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/bytestash/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}'
+    port:
+      number: 80

charts/apps/bytestash/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/bytestash/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 5000
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/bytestash/values.yaml

@@ -0,0 +1,3 @@
+globals:
+  environment: prod
+subdomain: bytestash

charts/apps/calibre-web/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: calibre-web

charts/apps/calibre-web/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /api/auth/oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/calibre-web/templates/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - containerPort: 8083
+              name: http
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+            - name: PUID
+              value: "1000"
+            - name: PGID
+              value: "1000"
+          volumeMounts:
+            - mountPath: /config
+              name: data
+            - mountPath: /books
+              name: books
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"
+        - name: books
+          persistentVolumeClaim:
+            claimName: books

charts/apps/calibre-web/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/calibre-web/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}"
+    port:
+      number: 80

charts/apps/calibre-web/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/calibre-web/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8083
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"

charts/apps/calibre-web/values.yaml

@@ -0,0 +1,9 @@
+globals:
+  environment: prod
+  domain: olsen.cloud
+  timezone: Europe/Amsterdam
+image:
+  repository: lscr.io/linuxserver/calibre-web
+  tag: latest@sha256:98a20064168ab284bbb8e048af48c89a5e25650f35a4b217705241af94c1debe
+  pullPolicy: IfNotPresent
+subdomain: calibre-web

charts/apps/coder/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: openwebui

charts/apps/coder/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /api/v2/users/oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/coder/templates/deployment.yaml

@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      serviceAccountName: '{{ .Release.Name }}-serviceaccount'
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 7080
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /home/coder/.config
+              name: data
+          env:
+            - name: CODER_HTTP_ADDRESS
+              value: '0.0.0.0:7080'
+            - name: CODER_OIDC_ALLOWED_GROUPS
+              value: admin
+            - name: CODER_OIDC_GROUP_FIELD
+              value: groups
+            - name: CODER_ACCESS_URL
+              value: https://coder.olsen.cloud
+            - name: CODER_OIDC_ICON_URL
+              value: https://authentik.olsen.cloud/static/dist/assets/icons/icon.png
+            - name: CODER_DISABLE_PASSWORD_AUTH
+              value: 'true'
+            - name: CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS
+              value: 'false'
+            - name: CODER_OIDC_SIGN_IN_TEXT
+              value: 'Sign in with OIDC'
+            - name: CODER_OIDC_SCOPES
+              value: openid,profile,email,offline_access
+            - name: CODER_OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: configurationIssuer
+            - name: CODER_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientId
+            - name: CODER_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientSecret
+
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/coder/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/coder/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/coder/templates/role.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: '{{ .Release.Name }}-workspace-creator'
+rules:
+  - apiGroups: [''] # "" indicates the core API group (for Pods, PVCs, Services)
+    resources: ['pods', 'pods/exec', 'pods/log', 'persistentvolumeclaims', 'services']
+    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+  - apiGroups: ['apps'] # For Deployments, StatefulSets
+    resources: ['deployments', 'statefulsets']
+    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+  - apiGroups: ['networking.k8s.io'] # For Ingresses
+    resources: ['ingresses']
+    verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']
+  - apiGroups: ['events.k8s.io'] # For events related to workspace activity
+    resources: ['events']
+    verbs: ['create', 'patch', 'update'] # Coder might create events for workspace lifecycle
+  # Add any other resources that Coder workspace templates might create (e.g., secrets, configmaps)
+  # - apiGroups: [""]
+  #   resources: ["secrets", "configmaps"]
+  #   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

charts/apps/coder/templates/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: '{{ .Release.Name }}-workspace-creator-binding'
+  namespace: '{{ .Release.Namespace }}'
+subjects:
+  - kind: ServiceAccount
+    name: '{{ .Release.Name }}-serviceaccount'
+    namespace: '{{ .Release.Namespace }}'
+roleRef:
+  kind: ClusterRole
+  name: '{{ .Release.Name }}-workspace-creator'
+  apiGroup: rbac.authorization.k8s.io

charts/apps/coder/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 7080
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/coder/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: '{{ .Release.Name }}-serviceaccount'
+  namespace: '{{ .Release.Namespace }}'

charts/apps/coder/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: ghcr.io/coder/coder
+  tag: latest@sha256:73714e0685addde01bbff905cf5b647d6b677d77977c8009b6293d40fdf0f562
+  pullPolicy: IfNotPresent
+subdomain: coder

charts/apps/data/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: data

charts/apps/data/templates/database.yaml

@@ -0,0 +1,6 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'

charts/apps/data/values.yaml

@@ -0,0 +1,2 @@
+globals:
+  environment: prod

charts/apps/esphome/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: esphome

charts/apps/esphome/templates/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      hostNetwork: true
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: 6052
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+          volumeMounts:
+            - mountPath: /config
+              name: data
+
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

charts/apps/esphome/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}"
+    port:
+      number: 80

charts/apps/esphome/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/esphome/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 6052
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"

charts/apps/esphome/values.yaml

@@ -0,0 +1,9 @@
+globals:
+  environment: prod
+  timezone: Europe/Amsterdam
+  domain: olsen.cloud
+image:
+  repository: ghcr.io/esphome/esphome
+  tag: latest@sha256:393775c4c02e0b09d086cd794815a723f90d4af7c3d871935e22be1a34c5d89a
+  pullPolicy: IfNotPresent
+subdomain: esphome

charts/apps/gitea/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: gitea

charts/apps/gitea/templates/_runner-deployment.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}-runner'
+  labels:
+    app: '{{ .Release.Name }}-runner'
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}-runner'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}-runner'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}-runner'
+          image: docker.io/gitea/act_runner:latest-dind-rootless
+          env:
+            - name: GITEA_INSTANCE_URL
+              value: '{{ .Release.Name }}'
+            - name: GITEA_RUNNER_NAME
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-runner'
+                  key: registration_token
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_CERT_PATH
+              value: /certs/client
+            - name: DOCKER_TLS_VERIFY
+              value: '1'
+          securityContext:
+            privileged: true

charts/apps/gitea/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /user/oauth2/Authentik/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/gitea/templates/database.yaml

@@ -0,0 +1,6 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'

charts/apps/gitea/templates/deployment.yaml

@@ -0,0 +1,103 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+            - name: ssh
+              containerPort: 22
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /data
+              name: data
+          env:
+            - name: TZ
+              value: "{{ .Values.globals.timezone }}"
+            - name: USER_UID
+              value: "1000"
+            - name: USER_GID
+              value: "1000"
+            - name: GITEA__server__SSH_DOMAIN
+              value: ssh-gitea.olsen.cloud
+            - name: GITEA__server__SSH_PORT
+              value: "2205"
+            - name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD
+              value: "true"
+            #- name: GITEA__service__ENABLE_BASIC_AUTHENTICATION
+            #  value: 'true'
+            - name: GITEA__service__ENABLE_PASSWORD_SIGNIN_FORM
+              value: "false"
+            - name: GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE
+              value: "true"
+            - name: GITEA__service__DEFAULT_USER_IS_RESTRICTED
+              value: "true"
+            - name: GITEA__service__DEFAULT_USER_VISIBILITY
+              value: "private"
+            - name: GITEA__service__DEFAULT_ORG_VISIBILITY
+              value: "private"
+            - name: GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION
+              value: "true"
+            - name: GITEA__other__SHOW_FOOTER_POWERED_BY
+              value: "false"
+            - name: GITEA__other__SHOW_FOOTER_TEMPLATE_LOAD_TIME
+              value: "false"
+            - name: GITEA__other__SHOW_FOOTER_VERSION
+              value: "false"
+            - name: GITEA__repository__ENABLE_PUSH_CREATE_USER
+              value: "true"
+            - name: GITEA__repository__ENABLE_PUSH_CREATE_ORG
+              value: "true"
+            - name: GITEA__openid__ENABLE_OPENID_SIGNIN
+              value: "false"
+            - name: GITEA__openid__ENABLE_OPENID_SIGNUP
+              value: "false"
+            - name: GITEA__database__DB_TYPE
+              value: postgres
+            - name: GITEA__database__NAME
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: database
+            - name: GITEA__database__HOST
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: host
+            - name: GITEA__database__USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: user
+            - name: GITEA__database__PASSWD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-pg-connection"
+                  key: password
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

charts/apps/gitea/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/gitea/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/gitea/templates/service.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 3000
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}-ssh"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 2205
+      targetPort: 22
+      protocol: TCP
+      name: ssh
+  selector:
+    app: "{{ .Release.Name }}"

charts/apps/gitea/values.yaml

@@ -0,0 +1,8 @@
+globals:
+  environment: prod
+  timezone: Europe/Amsterdam
+image:
+  repository: docker.gitea.com/gitea
+  tag: latest@sha256:2edc102cbb636ae1ddac5fa0c715aa5b03079dee13ac6800b2cef6d4e912e718
+  pullPolicy: IfNotPresent
+subdomain: gitea

charts/apps/headscale/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: headscale

charts/apps/headscale/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  redirectUris:
+    - path: /oidc/callback
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict

charts/apps/headscale/templates/config-map.yaml

@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: '{{ .Release.Name }}-config-template'
+data:
+  config.yaml.template: |
+    server_url: ${PUBLIC_URL}
+    listen_addr: 0.0.0.0:8080
+    metrics_listen_addr: 0.0.0.0:9090
+    grpc_listen_addr: 0.0.0.0:50443
+
+    private_key_path: /var/lib/headscale/private_key # Path inside the container
+
+    noise:
+      private_key_path: /var/lib/headscale/noise_private_key # Path inside the container
+
+    listen_routes: false 
+    base_domain: "${PUBLIC_URL}" # For client routes and DNS push.
+
+    derp:
+      server:
+        enabled: false
+        region_id: 999
+        region_code: "headscale"
+        region_name: "Headscale Embedded DERP"
+        stun_listen_addr: "0.0.0.0:3478"
+        automatically_add_embedded_derp_region: true
+      urls:
+        - https://controlplane.tailscale.com/derpmap/default
+      auto_update_enabled: true
+      update_frequency: 24h
+
+    oidc:
+      enabled: true
+      only_start_if_oidc_is_available: true
+      issuer: "${OIDC_ISSUER_URL}"
+      client_id: "${OIDC_CLIENT_ID}"
+      client_secret: "${OIDC_CLIENT_SECRET}"
+      scopes: ["openid", "profile", "email"]
+      redirect_url: "${PUBLIC_URL}/oidc/callback"
+      pkce:
+        enabled: true
+        method: S256
+
+
+    # DNS configuration
+    dns:
+      magic_dns: false
+      override_local_dns: true # Push Headscale's DNS settings to clients
+      ttl: 60
+      nameservers:
+        global:
+          - 1.1.1.1 # Cloudflare DNS
+          #- 10.43.0.10 # Replace with your ClusterIP for kube-dns/CoreDNS
+      # Domains to search for (e.g., for Kubernetes services)
+      search_domains:
+        - svc.cluster.local
+        - cluster.local
+
+    auto_create_users: true
+
+    oidc_user_property: preferred_username # Or 'email' or 'sub'
+
+    prefixes:
+      v4: 10.20.20.0/24 # Example: A /24 subnet for your VPN clients
+
+    database:
+      type: sqlite
+      sqlite:
+        path: /var/lib/headscale/db.sqlite

charts/apps/headscale/templates/deployment.yaml

@@ -0,0 +1,97 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      # To expose WireGuard UDP directly, we need a NodePort service.
+      # The Pod needs to be aware of the external port it's being exposed on.
+      # The easiest way to get WireGuard to listen on the correct port and make it
+      # externally accessible is to use `hostNetwork: true` for the UDP component,
+      # or by directly specifying the listen port in Headscale config if the NodePort is stable.
+
+      # OPTION 1: Best for simple homelab on bare metal where host network traffic isn't an issue
+      # hostNetwork: true # This makes the pod listen directly on the node's IPs
+      # dnsPolicy: ClusterFirstWithHostNet # Required if using hostNetwork
+
+      initContainers:
+        - name: generate-config
+          image: alpine/git # A small image with 'envsubst' available or easily installable
+          imagePullPolicy: IfNotPresent
+          command: ['sh', '-c']
+          args:
+            - |
+              # Install envsubst if it's not present (alpine/git may not have it by default)
+              apk update && apk add bash gettext
+
+              # Substitute environment variables into the template
+              # The vars are passed via `env` section below
+              envsubst < /config-template/config.yaml.template > /etc/headscale/config.yaml
+
+              mkdir -p /etc/headscale
+              # Optional: Verify the generated config
+              echo "--- Generated Headscale Configuration ---"
+              cat /etc/headscale/config.yaml
+              echo "---------------------------------------"
+          env:
+            # These are the variables that `envsubst` will look for and replace
+            - name: PUBLIC_URL
+              value: 'https://{{ .Values.subdomain }}.olsen.cloud'
+            - name: OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: configurationIssuer
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientId
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientSecret
+            # Add any other variables used in config.yaml.template here
+          volumeMounts:
+            - name: config-template
+              mountPath: /config-template # Mount the ConfigMap as a volume
+              readOnly: true
+            - name: headscale-config
+              mountPath: /etc/headscale # Destination for the generated config
+
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: headscale/headscale:latest # Use the official image
+          command: ['headscale', 'serve']
+          ports:
+            - name: http-api
+              containerPort: 8080
+              protocol: TCP
+            - name: wireguard-udp
+              containerPort: 41641
+              protocol: UDP
+          volumeMounts:
+            - name: headscale-data
+              mountPath: /var/lib/headscale
+            - name: headscale-config
+              mountPath: /etc/headscale
+      volumes:
+        - name: config-template
+          configMap:
+            name: '{{ .Release.Name }}-config-template'
+        - name: headscale-config
+          emptyDir: {}
+        - name: headscale-data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'

charts/apps/headscale/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/headscale/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/headscale/templates/service.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}-headscale'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 41641
+      targetPort: 41641
+      protocol: UDP
+      name: wireguard-udp
+  selector:
+    app: '{{ .Release.Name }}'

charts/apps/headscale/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: headscale/headscale
+  tag: latest@sha256:ea9b5ee06274d757a4d52103de56cd11a9c393acb19d9a35f4b9fe52ada410de
+  pullPolicy: IfNotPresent
+subdomain: headscale

charts/apps/homarr/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: openwebui

charts/apps/homarr/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  redirectUris:
+    - path: /api/auth/callback/oidc
+      subdomain: "{{ .Values.subdomain }}"
+      matchingMode: strict

charts/apps/homarr/templates/deployment.yaml

@@ -0,0 +1,83 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "{{ .Release.Name }}"
+  template:
+    metadata:
+      labels:
+        app: "{{ .Release.Name }}"
+    spec:
+      containers:
+        - name: "{{ .Release.Name }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+          ports:
+            - name: http
+              containerPort: 7575
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /appdata
+              name: data
+          env:
+            - name: BASE_URL
+              value: https://homarr.olsen.cloud # TODO
+
+            - name: NEXTAUTH_URL
+              value: https://homarr.olsen.cloud
+
+            - name: AUTH_PROVIDERS
+              value: oidc
+
+            - name: AUTH_OIDC_CLIENT_NAME
+              value: Authentik
+
+            - name: AUTH_OIDC_SCOPE_OVERWRITE
+              value: openid email profile
+
+            - name: AUTH_OIDC_GROUPS_ATTRIBUTE
+              value: groups
+
+            - name: AUTH_OIDC_AUTO_LOGIN
+              value: "true"
+
+            - name: SECRET_ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-secrets"
+                  key: encryptionkey
+
+            - name: AUTH_OIDC_ISSUER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: configurationIssuer
+
+            - name: AUTH_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: clientId
+
+            - name: AUTH_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-client"
+                  key: clientSecret
+
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: "{{ .Release.Name }}-data"

charts/apps/homarr/templates/external-http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.globals.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80

charts/apps/homarr/templates/http-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  subdomain: "{{ .Values.subdomain }}"
+  destination:
+    host: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local"
+    port:
+      number: 80

charts/apps/homarr/templates/pvc.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.globals.environment }}'

charts/apps/homarr/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: GenerateSecret
+metadata:
+  name: "{{ .Release.Name }}-secrets"
+spec:
+  fields:
+    - name: encryptionkey
+      encoding: hex
+      length: 64

charts/apps/homarr/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}"
+  labels:
+    app: "{{ .Release.Name }}"
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 7575
+      protocol: TCP
+      name: http
+  selector:
+    app: "{{ .Release.Name }}"

charts/apps/homarr/values.yaml

@@ -0,0 +1,7 @@
+globals:
+  environment: prod
+image:
+  repository: ghcr.io/homarr-labs/homarr
+  tag: latest@sha256:7d58149aa544037d173a48f41fbde86706068d2b8933a33a911dce26457ecf16
+  pullPolicy: IfNotPresent
+subdomain: homarr

charts/apps/home-assistant/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: home-assistant

charts/apps/home-assistant/templates/client.yaml

@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: "{{ .Release.Name }}"
+spec:
+  environment: "{{ .Values.globals.environment }}"
+  redirectUris:
+    - path: /auth/openid/callback
+      subdomain: "{{ .Values.subdomain }}"
+      matchingMode: strict