more-stuff

more stuff
2026-02-08 01:36:28 +01:00 · 2025-09-03 17:24:27 +02:00 · 2025-09-03 15:16:50 +02:00 · 2025-09-03 14:33:48 +02:00 · 2025-09-03 12:24:40 +02:00 · 2025-08-22 11:44:53 +02:00
138 changed files with 3904 additions and 61486 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -71,9 +71,23 @@ jobs:
    environment: release
    runs-on: ubuntu-latest
    steps:
-      - uses: release-drafter/release-drafter@v6
+      - id: create-release
+        uses: release-drafter/release-drafter@v6
        with:
          config-name: release-drafter-config.yml
          publish: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/checkout@v4
+
+      - name: Upload Release Asset
+        id: upload-release-asset 
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create-release.outputs.upload_url }}
+          asset_path: ./operator.yaml
+          asset_name: operator.yaml
+          asset_content_type: application/yaml
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,5 @@ report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
 .DS_Store

 /data/
+
+/cloudflare.yaml
--- a/.python-version
+++ b/.python-version
@@ -0,0 +1 @@
+3.13
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM node:23-alpine
+FROM node:23-slim
 RUN corepack enable
 COPY package.json pnpm-lock.yaml ./
 RUN pnpm install --frozen-lockfile --prod
--- a/13
+++ b/13
@@ -1,15 +1,14 @@
-.PHONY: setup dev-recreate dev-create dev-destroy
-
-setup:
-	./scripts/setup-server.sh
+.PHONY: dev-recreate dev-destroy server-install

 dev-destroy:
 	colima delete -f

-dev-create:
-	colima start --network-address --kubernetes -m 8 --mount ${PWD}/data:/data:w --k3s-arg="--disable=helm-controller,local-storage"
+dev-recreate: dev-destroy
+	colima start --network-address --kubernetes -m 8 --k3s-arg="--disable helm-controller,local-storage,traefik --docker" # --mount ${PWD}/data:/data:w 
+	flux install --components="source-controller,helm-controller"

-dev-recreate: dev-destroy dev-create setup
+setup-flux:
+	flux install --components="source-controller,helm-controller"

 server-install:
 	curl -sfL https://get.k3s.io | sh -s - --disable traefik,local-storage,helm-controller
--- a/README.md
+++ b/README.md
@@ -1,6 +0,0 @@
-## Bootstrap repo
-
-```
-brew install fluxcd/tap/flux
-make setup-server
-```
--- a/TODO.md
+++ b/TODO.md
@@ -1 +0,0 @@
- Fix issue with incompatible spec breaking the server
--- a/cert-issuer.yaml
+++ b/cert-issuer.yaml
@@ -1,19 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: alice@alice.com
-    privateKeySecretRef:
-      name: letsencrypt-prod-account-key
-    solvers:
-      - dns01:
-          cloudflare:
-            email: alice@alice.com
-            apiTokenSecretRef:
-              name: cloudflare-api-token
-              key: api-token
--- a/chart/templates/clusterrole.yaml
+++ b/chart/templates/clusterrole.yaml
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "homelab-operator.fullname" . }}
-rules:
- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "get", "watch", "list"]
- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "watch", "list", "patch"]
- apiGroups: ["apiextensions.k8s.io"]
-  resources: ["customresourcedefinitions"]
-  verbs: ["get", "create", "replace"]
--- a/charts/apps/bytestash/Chart.yaml
+++ b/charts/apps/bytestash/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: ByteStash
--- a/charts/apps/bytestash/templates/_http-service.yaml
+++ b/charts/apps/bytestash/templates/_http-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: HttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}'
+    port:
+      number: 80
--- a/charts/apps/bytestash/templates/client.yaml
+++ b/charts/apps/bytestash/templates/client.yaml
@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.environment }}'
+  redirectUris:
+    - path: /api/auth/oidc/callback
+      subdomain: bytestash
+      matchingMode: strict
--- a/charts/apps/bytestash/templates/external-http-service.yaml
+++ b/charts/apps/bytestash/templates/external-http-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80
--- a/charts/apps/bytestash/templates/headless-service.yaml
+++ b/charts/apps/bytestash/templates/headless-service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}-headless'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  clusterIP: None
+  ports:
+    - port: 5000
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'
--- a/charts/apps/bytestash/templates/service.yaml
+++ b/charts/apps/bytestash/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 5000
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'
--- a/charts/apps/bytestash/templates/stateful-set.yaml
+++ b/charts/apps/bytestash/templates/stateful-set.yaml
@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  serviceName: '{{ .Release.Name }}-headless'
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: ghcr.io/jordan-dalby/bytestash:latest
+          ports:
+            - containerPort: 5000
+              name: http
+          env:
+            - name: OIDC_ENABLED
+              value: 'true'
+            - name: OIDC_DISPLAY_NAME
+              value: OIDC
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientId
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: clientSecret
+            - name: OIDC_ISSUER_URL
+              valueFrom:
+                secretKeyRef:
+                  name: '{{ .Release.Name }}-client'
+                  key: configuration
+
+          volumeMounts:
+            - mountPath: /data/snippets
+              name: bytestash-data
+
+      # Defines security context for the pod to avoid running as root.
+      # securityContext:
+      #   runAsUser: 1000
+      #   runAsGroup: 1000
+      #   fsGroup: 1000
+
+  volumeClaimTemplates:
+    - metadata:
+        name: bytestash-data
+      spec:
+        accessModes: ['ReadWriteOnce']
+        storageClassName: '{{ .Values.environment }}'
+        resources:
+          requests:
+            storage: 5Gi
--- a/charts/apps/bytestash/values.yaml
+++ b/charts/apps/bytestash/values.yaml
@@ -0,0 +1,2 @@
+environment: prod
+subdomain: bytestash
--- a/charts/apps/jellyfin/Chart.yaml
+++ b/charts/apps/jellyfin/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: Jellyfin
--- a/charts/apps/jellyfin/notes.md
+++ b/charts/apps/jellyfin/notes.md
@@ -0,0 +1 @@
+https://www.authelia.com/integration/openid-connect/clients/jellyfin/
--- a/charts/apps/jellyfin/templates/client.yaml
+++ b/charts/apps/jellyfin/templates/client.yaml
@@ -0,0 +1,10 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.environment }}'
+  redirectUris:
+    - path: /sso/OID/redirect/Authentik
+      subdomain: '{{ .Values.subdomain }}'
+      matchingMode: strict
--- a/charts/apps/jellyfin/templates/config-pvc.yaml
+++ b/charts/apps/jellyfin/templates/config-pvc.yaml
@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Release.Name }}-config'
+spec:
+  accessModes:
+    - 'ReadWriteOnce'
+  resources:
+    requests:
+      storage: '1Gi'
+  storageClassName: '{{ .Values.environment }}'
--- a/charts/apps/jellyfin/templates/deployment.yaml
+++ b/charts/apps/jellyfin/templates/deployment.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  strategy:
+    type: Recreate
+    replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: '{{ .Release.Name }}'
+          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+          ports:
+            - name: http
+              containerPort: 8096
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+          readinessProbe:
+            tcpSocket:
+              port: http
+          volumeMounts:
+            - mountPath: /config
+              name: config
+            - mountPath: /media/movies
+              name: movies
+            - mountPath: /media/tv-shows
+              name: tvshows
+            - mountPath: /media/music
+              name: music
+      volumes:
+        - name: config
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-config'
+        - name: movies
+          persistentVolumeClaim:
+            claimName: movies
+        - name: tvshows
+          persistentVolumeClaim:
+            claimName: tvshows
+        - name: music
+          persistentVolumeClaim:
+            claimName: music
--- a/charts/apps/jellyfin/templates/external-http-service.yaml
+++ b/charts/apps/jellyfin/templates/external-http-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: ExternalHttpService
+metadata:
+  name: '{{ .Release.Name }}'
+spec:
+  environment: '{{ .Values.environment }}'
+  subdomain: '{{ .Values.subdomain }}'
+  destination:
+    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
+    port:
+      number: 80
--- a/charts/apps/jellyfin/templates/service.yaml
+++ b/charts/apps/jellyfin/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8096
+      protocol: TCP
+      name: http
+  selector:
+    app: '{{ .Release.Name }}'
--- a/charts/apps/jellyfin/values.yaml
+++ b/charts/apps/jellyfin/values.yaml
@@ -0,0 +1,6 @@
+image:
+  repository: docker.io/jellyfin/jellyfin
+  tag: latest
+  pullPolicy: IfNotPresent
+environment: prod
+subdomain: jellyfin
--- a/charts/apps/ollama.disabled/Chart.yaml
+++ b/charts/apps/ollama.disabled/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: Ollama
--- a/charts/apps/ollama.disabled/templates/deployment.yaml
+++ b/charts/apps/ollama.disabled/templates/deployment.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: '{{ .Release.Name }}'
+  template:
+    metadata:
+      labels:
+        app: '{{ .Release.Name }}'
+    spec:
+      containers:
+        - name: ollama
+          image: ghcr.io/ollama/ollama:latest # Official image
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 11434
+              name: http
+          volumeMounts:
+            - name: ollama-data
+              mountPath: /root/.ollama
+          env:
+            # If you want to pre‑start a model, set this env var to the
+            # model name (e.g., "gpt-4o-mini").  The container will download
+            # it automatically at startup.
+            # - name: OLLAMA_MODEL
+            #   value: "gpt-4o-mini"
+          readinessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /api/status
+              port: 11434
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: 500m
+              memory: 1Gi
+            limits:
+              cpu: 2000m
+              memory: 4Gi
+      volumes:
+        - name: ollama-data
+          persistentVolumeClaim:
+            claimName: '{{ .Release.Name }}-data'
--- a/charts/apps/ollama.disabled/templates/pvc.yaml
+++ b/charts/apps/ollama.disabled/templates/pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: '{{ .Release.Name }}-data'
+spec:
+  storageClassName: '{{ .Values.environment }}'
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
--- a/charts/apps/ollama.disabled/templates/service.yaml
+++ b/charts/apps/ollama.disabled/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: '{{ .Release.Name }}'
+  labels:
+    app: '{{ .Release.Name }}'
+spec:
+  type: LoadBalancer # Set to NodePort/ClusterIP if you prefer
+  ports:
+    - name: http
+      port: 11434
+      targetPort: http
+      protocol: TCP
+  selector:
+    app: '{{ .Release.Name }}'
--- a/charts/apps/ollama.disabled/values.yaml
+++ b/charts/apps/ollama.disabled/values.yaml
@@ -0,0 +1,2 @@
+environment: dev
+subdomain: bytestash
--- a/charts/apps/values.yaml
+++ b/charts/apps/values.yaml
--- a/charts/operator/Chart.yaml
+++ b/charts/operator/Chart.yaml
--- a/charts/operator/templates/_helpers.tpl
+++ b/charts/operator/templates/_helpers.tpl
--- a/charts/operator/templates/_storageclass.yaml
+++ b/charts/operator/templates/_storageclass.yaml
@@ -0,0 +1,12 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: {{ include "homelab-operator.fullname" . }}-local-path
+  labels:
+    {{- include "homelab-operator.labels" . | nindent 4 }}
+provisioner: reuse-local-path-provisioner
+parameters:
+  # Add any provisioner-specific parameters here
+reclaimPolicy: {{ .Values.storage.reclaimPolicy | default "Retain" }}
+allowVolumeExpansion: {{ .Values.storage.allowVolumeExpansion | default false }}
+volumeBindingMode: {{ .Values.storage.volumeBindingMode | default "WaitForFirstConsumer" }}
--- a/charts/operator/templates/clusterrole.yaml
+++ b/charts/operator/templates/clusterrole.yaml
@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "homelab-operator.fullname" . }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: [""]
+  resources: ["persistentvolumes"]
+  verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
+- apiGroups: [""]
+  resources: ["persistentvolumeclaims"]
+  verbs: ["get", "list", "watch", "update", "patch"]
+- apiGroups: [""]
+  resources: ["persistentvolumeclaims/status"]
+  verbs: ["update", "patch"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["get", "watch", "list", "patch", "create", "update", "replace"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "create", "update", "replace", "patch"]
--- a/charts/operator/templates/clusterrolebinding.yaml
+++ b/charts/operator/templates/clusterrolebinding.yaml
--- a/charts/operator/templates/deployment.yaml
+++ b/charts/operator/templates/deployment.yaml
--- a/charts/operator/templates/serviceaccount.yaml
+++ b/charts/operator/templates/serviceaccount.yaml
--- a/charts/operator/values.yaml
+++ b/charts/operator/values.yaml
@@ -4,7 +4,7 @@

 image:
  repository: ghcr.io/morten-olsen/homelab-operator
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: main

@@ -14,6 +14,9 @@ fullnameOverride: ''

 storage:
  path: /data/volumes
+  reclaimPolicy: Retain
+  allowVolumeExpansion: false
+  volumeBindingMode: WaitForFirstConsumer

 serviceAccount:
  # Specifies whether a service account should be created
--- a/charts/root/Chart.yaml
+++ b/charts/root/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: root
--- a/charts/root/templates/apps.yaml
+++ b/charts/root/templates/apps.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: homelab-apps
+  namespace: '{{ .Values.env }}-argo'
+spec:
+  generators:
+    - git:
+      repoURL: '{{ .Values.repo }}'
+      revision: '{{ .Values.ref }}'
+      directories:
+        - path: charts/apps/*
+          include: '.*'
+          exclude: '.*.disabled'
+  template:
+    metadata:
+      name: '{{`{{path.basename}}`}}'
+    spec:
+      project: default
+      source:
+        repoURL: '{{ .Values.repo }}'
+        targetRevision: '{{ .Values.ref }}'
+        path: charts/apps/{{`{{path.basename}}`}}
+        helm:
+          values: |
+            globals: {{ .Values.globals | toYaml | nindent 14 }}
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{ .Values.globals.env }}'
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
--- a/charts/root/templates/root.yaml
+++ b/charts/root/templates/root.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: homelab-root
+  namespace: '{{ .Values.globals.env }}-argo'
+spec:
+  project: default
+  source:
+    repoURL: '{{ .Values.repo }}'
+    targetRevision: '{{ .Values.ref }}'
+    path: charts/root
+    helm:
+      valueFiles:
+        - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: '{{ .Values.globals.env }}-argo'
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
--- a/charts/root/values.yaml
+++ b/charts/root/values.yaml
@@ -0,0 +1,4 @@
+globals:
+  env: prod
+repo: https://github.com/morten-olsen/homelab-operator.git
+ref: HEAD
--- a/charts/volumes/Chart.yaml
+++ b/charts/volumes/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+version: 1.0.0
+name: Resources
--- a/charts/volumes/templates/books-pvc.yaml
+++ b/charts/volumes/templates/books-pvc.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: books
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  hostPath: null
+  nfs:
+    path: '{{ .Values.books.path }}'
+    server: '{{ .Values.host }}'
+    readOnly: true
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: books
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
--- a/charts/volumes/templates/movies-pvc.yaml
+++ b/charts/volumes/templates/movies-pvc.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: movies
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  hostPath: null
+  nfs:
+    path: '{{ .Values.movies.path }}'
+    server: '{{ .Values.host }}'
+    readOnly: true
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: movies
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
--- a/charts/volumes/templates/music-pvc.yaml
+++ b/charts/volumes/templates/music-pvc.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: music
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  hostPath: null
+  nfs:
+    path: '{{ .Values.music.path }}'
+    server: '{{ .Values.host }}'
+    readOnly: true
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: music
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
--- a/charts/volumes/templates/podcasts-pvc.yaml
+++ b/charts/volumes/templates/podcasts-pvc.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: podcasts
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  hostPath: null
+  nfs:
+    path: '{{ .Values.podcasts.path }}'
+    server: '{{ .Values.host }}'
+    readOnly: true
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: podcasts
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
--- a/charts/volumes/templates/tv-pvc.yaml
+++ b/charts/volumes/templates/tv-pvc.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: tvshows
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: manual
+  hostPath: null
+  nfs:
+    path: '{{ .Values.tvshows.path }}'
+    server: '{{ .Values.host }}'
+    readOnly: true
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tvshows
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
--- a/charts/volumes/values.yaml
+++ b/charts/volumes/values.yaml
@@ -0,0 +1,11 @@
+host: 192.168.20.106
+movies:
+  path: /mnt/HDD/Movies
+tvshows:
+  path: /mnt/HDD/TV-Shows
+music:
+  path: /mnt/HDD/Music2
+books:
+  path: /mnt/HDD/Books
+podcasts:
+  path: /mnt/HDD/Podcasts
--- a/docker-compose.dev.yaml
+++ b/docker-compose.dev.yaml
@@ -1,12 +0,0 @@
-name: homelab
-services:
-  postgres:
-    image: postgres:17
-    ports:
-      - 5432:5432
-    environment:
-      POSTGRES_USER: $POSTGRES_USER
-      POSTGRES_PASSWORD: $POSTGRES_PASSWORD
-      POSTGRES_DB: ${POSTGRES_DB:-postgres}
-    volumes:
-      - $PWD/.data/local/postgres:/var/lib/postgresql/data
--- a/docs/writing-custom-resources.md
+++ b/docs/writing-custom-resources.md
@@ -1,901 +0,0 @@
-# Writing Custom Resources
-
-This guide explains how to create and implement custom resources in the
-homelab-operator.
-
-## Overview
-
-Custom resources in this operator follow a structured pattern that includes:
-
- **Specification schemas** using Zod for runtime validation
- **Resource implementations** that extend the base `CustomResource` class
- **Manifest creation** helpers for generating Kubernetes resources
- **Reconciliation logic** to manage the desired state
-
-## Project Structure
-
-Each custom resource should be organized in its own directory under
-`src/custom-resouces/` with the following structure:
-
-```
-src/custom-resouces/{resource-name}/
-├── {resource-name}.ts              # Main definition file
-├── {resource-name}.schemas.ts      # Zod validation schemas
-├── {resource-name}.resource.ts     # Resource implementation
-└── {resource-name}.create-manifests.ts # Manifest generation helpers
-```
-
-## Quick Start
-
-This section walks through creating a complete custom resource from scratch.
-We'll build a `MyResource` that manages a web application with a deployment and
-service.
-
-### 1. Define Your Resource
-
-The main definition file registers your custom resource with the operator
-framework. This file serves as the entry point that ties together your schemas,
-implementation, and Kubernetes CRD definition.
-
-Create the main definition file (`{resource-name}.ts`):
-
-```typescript
-import { createCustomResourceDefinition } from "../../services/custom-resources/custom-resources.ts";
-import { GROUP } from "../../utils/consts.ts";
-
-import { MyResourceResource } from "./my-resource.resource.ts";
-import { myResourceSpecSchema } from "./my-resource.schemas.ts";
-
-const myResourceDefinition = createCustomResourceDefinition({
-  group: GROUP, // Uses your operator's API group (homelab.mortenolsen.pro)
-  version: "v1", // API version for this resource
-  kind: "MyResource", // The Kubernetes kind name (PascalCase)
-  names: {
-    plural: "myresources", // Plural name for kubectl (lowercase)
-    singular: "myresource", // Singular name for kubectl (lowercase)
-  },
-  spec: myResourceSpecSchema, // Zod schema for validation
-  create: (options) => new MyResourceResource(options), // Factory function
-});
-
-export { myResourceDefinition };
-```
-
-**Key Points:**
-
- The `group` should always use the `GROUP` constant to maintain consistency
- `kind` should be descriptive and follow Kubernetes naming conventions
-  (PascalCase)
- `names.plural` is used in kubectl commands (`kubectl get myresources`)
- The `create` function instantiates your resource implementation when a CR is
-  detected
-
-### 2. Create Validation Schemas
-
-Schemas define the structure and validation rules for your custom resource's
-specification. Using Zod provides runtime type safety and automatic validation
-of user input.
-
-Define your spec schema (`{resource-name}.schemas.ts`):
-
-```typescript
-import { z } from "zod";
-
-const myResourceSpecSchema = z.object({
-  // Required fields - these must be provided by users
-  hostname: z.string(), // Base hostname for the application
-  port: z.number().min(1).max(65535), // Container port (validated range)
-
-  // Optional fields with defaults - provide sensible fallbacks
-  replicas: z.number().min(1).default(1), // Number of pod replicas
-
-  // Enums - restrict to specific values with defaults
-  protocol: z.enum(["http", "https"]).default("https"),
-
-  // Nested objects - for complex configuration
-  database: z.object({
-    host: z.string(), // Database hostname
-    port: z.number(), // Database port
-    name: z.string(), // Database name
-  }).optional(), // Entire database config is optional
-});
-
-// Additional schemas for secrets, status, etc.
-// Separate schemas help organize different data types
-const myResourceSecretSchema = z.object({
-  apiKey: z.string(), // API key for external services
-  password: z.string(), // Database or service password
-});
-
-export { myResourceSecretSchema, myResourceSpecSchema };
-```
-
-**Schema Design Best Practices:**
-
- **Required vs Optional**: Make fields required only when absolutely necessary
- **Defaults**: Provide sensible defaults to reduce user configuration burden
- **Validation**: Use Zod's built-in validators (`.min()`, `.max()`, `.email()`,
-  etc.)
- **Enums**: Restrict values to prevent invalid configurations
- **Nested Objects**: Group related configuration together
- **Separate Schemas**: Create different schemas for different purposes (spec,
-  secrets, status)
-
-### 3. Implement the Resource
-
-The resource implementation is the core of your custom resource. It contains the
-business logic for managing Kubernetes resources and maintains the desired
-state. This class extends `CustomResource` and implements the reconciliation
-logic.
-
-Create the resource implementation (`{resource-name}.resource.ts`):
-
-```typescript
-import type { KubernetesObject } from "@kubernetes/client-node";
-import deepEqual from "deep-equal";
-
-import {
-  CustomResource,
-  type CustomResourceOptions,
-  type SubresourceResult,
-} from "../../services/custom-resources/custom-resources.custom-resource.ts";
-import {
-  ResourceReference,
-  ResourceService,
-} from "../../services/resources/resources.ts";
-
-import type { myResourceSpecSchema } from "./my-resource.schemas.ts";
-import {
-  createDeploymentManifest,
-  createServiceManifest,
-} from "./my-resource.create-manifests.ts";
-
-class MyResourceResource extends CustomResource<typeof myResourceSpecSchema> {
-  #deploymentResource = new ResourceReference();
-  #serviceResource = new ResourceReference();
-
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    // Initialize resource references
-    this.#deploymentResource.current = resourceService.get({
-      apiVersion: "apps/v1",
-      kind: "Deployment",
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    this.#serviceResource.current = resourceService.get({
-      apiVersion: "v1",
-      kind: "Service",
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    // Set up event handlers for reconciliation
-    this.#deploymentResource.on("changed", this.queueReconcile);
-    this.#serviceResource.on("changed", this.queueReconcile);
-  }
-
-  #reconcileDeployment = async (): Promise<SubresourceResult> => {
-    const manifest = createDeploymentManifest({
-      name: this.name,
-      namespace: this.namespace,
-      ref: this.ref,
-      spec: this.spec,
-    });
-
-    if (!this.#deploymentResource.current?.exists) {
-      await this.#deploymentResource.current?.patch(manifest);
-      return {
-        ready: false,
-        syncing: true,
-        reason: "Creating",
-        message: "Creating deployment",
-      };
-    }
-
-    if (!deepEqual(this.#deploymentResource.current.spec, manifest.spec)) {
-      await this.#deploymentResource.current.patch(manifest);
-      return {
-        ready: false,
-        syncing: true,
-        reason: "Updating",
-        message: "Deployment needs updates",
-      };
-    }
-
-    // Check if deployment is ready
-    const deployment = this.#deploymentResource.current;
-    const isReady =
-      deployment.status?.readyReplicas === deployment.status?.replicas;
-
-    return {
-      ready: isReady,
-      reason: isReady ? "Ready" : "Pending",
-      message: isReady ? "Deployment is ready" : "Waiting for pods to be ready",
-    };
-  };
-
-  #reconcileService = async (): Promise<SubresourceResult> => {
-    const manifest = createServiceManifest({
-      name: this.name,
-      namespace: this.namespace,
-      ref: this.ref,
-      spec: this.spec,
-    });
-
-    if (!deepEqual(this.#serviceResource.current?.spec, manifest.spec)) {
-      await this.#serviceResource.current?.patch(manifest);
-      return {
-        ready: false,
-        syncing: true,
-        reason: "Updating",
-        message: "Service needs updates",
-      };
-    }
-
-    return { ready: true };
-  };
-
-  public reconcile = async () => {
-    if (!this.exists || this.metadata.deletionTimestamp) {
-      return;
-    }
-
-    // Reconcile subresources
-    await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
-    await this.reconcileSubresource("Service", this.#reconcileService);
-
-    // Update overall ready condition
-    const deploymentReady =
-      this.conditions.get("Deployment")?.status === "True";
-    const serviceReady = this.conditions.get("Service")?.status === "True";
-
-    await this.conditions.set("Ready", {
-      status: deploymentReady && serviceReady ? "True" : "False",
-      reason: deploymentReady && serviceReady ? "Ready" : "Pending",
-      message: deploymentReady && serviceReady
-        ? "All resources are ready"
-        : "Waiting for resources to be ready",
-    });
-  };
-}
-
-export { MyResourceResource };
-```
-
-**Resource Implementation Breakdown:**
-
-**Constructor Setup:**
-
- **Resource References**: Create `ResourceReference` objects to track managed
-  Kubernetes resources
- **Service Access**: Use dependency injection to access operator services
-  (`ResourceService`)
- **Event Handlers**: Listen for changes in managed resources to trigger
-  reconciliation
- **Resource Registration**: Register references for Deployment and Service that
-  will be managed
-
-**Reconciliation Methods:**
-
- **`#reconcileDeployment`**: Manages the application's Deployment resource
-  - Creates manifests using helper functions
-  - Checks if resource exists and creates/updates as needed
-  - Uses `deepEqual` to avoid unnecessary updates
-  - Returns status indicating readiness state
- **`#reconcileService`**: Manages the Service resource for network access
-  - Similar pattern to deployment but typically simpler
-  - Services are usually ready immediately after creation
-
-**Main Reconcile Loop:**
-
- **Deletion Check**: Early return if resource is being deleted
- **Subresource Management**: Calls individual reconciliation methods
- **Condition Updates**: Aggregates status from all subresources
- **Status Reporting**: Updates the overall "Ready" condition
-
-**Key Design Patterns:**
-
- **Private Methods**: Use `#` for private reconciliation methods
- **Async/Await**: All reconciliation is asynchronous
- **Resource References**: Track external resources with type safety
- **Condition Management**: Provide clear status through Kubernetes conditions
- **Event-Driven**: React to changes in managed resources automatically
-
-### 4. Create Manifest Helpers
-
-Manifest helpers are pure functions that generate Kubernetes resource
-definitions. They transform your custom resource's specification into standard
-Kubernetes objects. This separation keeps your reconciliation logic clean and
-makes manifests easy to test and modify.
-
-Define manifest creation functions (`{resource-name}.create-manifests.ts`):
-
-```typescript
-type CreateDeploymentManifestOptions = {
-  name: string;
-  namespace: string;
-  ref: any; // Owner reference
-  spec: {
-    hostname: string;
-    port: number;
-    replicas: number;
-  };
-};
-
-const createDeploymentManifest = (
-  options: CreateDeploymentManifestOptions,
-) => ({
-  apiVersion: "apps/v1",
-  kind: "Deployment",
-  metadata: {
-    name: options.name,
-    namespace: options.namespace,
-    ownerReferences: [options.ref],
-  },
-  spec: {
-    replicas: options.spec.replicas,
-    selector: {
-      matchLabels: {
-        app: options.name,
-      },
-    },
-    template: {
-      metadata: {
-        labels: {
-          app: options.name,
-        },
-      },
-      spec: {
-        containers: [
-          {
-            name: options.name,
-            image: "nginx:latest",
-            ports: [
-              {
-                containerPort: options.spec.port,
-              },
-            ],
-            env: [
-              {
-                name: "HOSTNAME",
-                value: options.spec.hostname,
-              },
-            ],
-          },
-        ],
-      },
-    },
-  },
-});
-
-type CreateServiceManifestOptions = {
-  name: string;
-  namespace: string;
-  ref: any;
-  spec: {
-    port: number;
-  };
-};
-
-const createServiceManifest = (options: CreateServiceManifestOptions) => ({
-  apiVersion: "v1",
-  kind: "Service",
-  metadata: {
-    name: options.name,
-    namespace: options.namespace,
-    ownerReferences: [options.ref],
-  },
-  spec: {
-    selector: {
-      app: options.name,
-    },
-    ports: [
-      {
-        port: 80,
-        targetPort: options.spec.port,
-      },
-    ],
-  },
-});
-
-export { createDeploymentManifest, createServiceManifest };
-```
-
-**Manifest Helper Patterns:**
-
-**Type Definitions:**
-
- **Options Types**: Define clear interfaces for function parameters
- **Structured Input**: Group related parameters in nested objects
- **Type Safety**: Leverage TypeScript to catch configuration errors at compile
-  time
-
-**Deployment Manifest:**
-
- **Owner References**: Ensures garbage collection when parent resource is
-  deleted
- **Labels & Selectors**: Consistent labeling for pod selection and organization
- **Container Configuration**: Maps custom resource spec to container settings
- **Environment Variables**: Passes configuration from spec to running
-  containers
- **Port Configuration**: Exposes application ports based on spec
-
-**Service Manifest:**
-
- **Service Discovery**: Creates stable network endpoint for the deployment
- **Port Mapping**: Routes external traffic to container ports
- **Selector Matching**: Uses same labels as deployment for proper routing
- **Owner References**: Links service lifecycle to custom resource
-
-**Best Practices for Manifest Helpers:**
-
- **Pure Functions**: No side effects, same input always produces same output
- **Immutable Objects**: Return new objects rather than modifying inputs
- **Validation**: Let TypeScript catch type mismatches
- **Consistent Naming**: Use predictable patterns for resource names
- **Owner References**: Always set for proper cleanup
- **Documentation**: Comment non-obvious configuration choices
-
-### 5. Register Your Resource
-
-Add your resource to `src/custom-resouces/custom-resources.ts`:
-
-```typescript
-import { myResourceDefinition } from "./my-resource/my-resource.ts";
-
-const customResources = [
-  // ... existing resources
-  myResourceDefinition,
-];
-```
-
-## Core Concepts
-
-These fundamental patterns are used throughout the operator framework.
-Understanding them is essential for building robust custom resources.
-
-### Resource References
-
-`ResourceReference` objects provide a strongly-typed way to track and manage
-Kubernetes resources that your custom resource creates or depends on. They
-automatically handle resource watching, caching, and change notifications.
-
-Use `ResourceReference` to manage related Kubernetes resources:
-
-```typescript
-import {
-  ResourceReference,
-  ResourceService,
-} from "../../services/resources/resources.ts";
-
-class MyResource extends CustomResource<typeof myResourceSpecSchema> {
-  #deploymentResource = new ResourceReference();
-
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    this.#deploymentResource.current = resourceService.get({
-      apiVersion: "apps/v1",
-      kind: "Deployment",
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    // Listen for changes
-    this.#deploymentResource.on("changed", this.queueReconcile);
-  }
-}
-```
-
-**Why Resource References Matter:**
-
- **Automatic Watching**: Changes to referenced resources trigger reconciliation
- **Type Safety**: Get compile-time checking for resource properties
- **Lifecycle Management**: Easily check if resources exist and their current
-  state
- **Event Handling**: React to external changes without polling
- **Caching**: Avoid repeated API calls for the same resource data
-
-### Conditions
-
-Kubernetes conditions provide a standardized way to communicate resource status.
-They follow the Kubernetes convention of expressing current state, reasons for
-that state, and human-readable messages. Conditions are crucial for operators
-and users to understand what's happening with resources.
-
-Use conditions to track the status of your resource:
-
-```typescript
-// Set a condition
-await this.conditions.set("Ready", {
-  status: "True",
-  reason: "AllResourcesReady",
-  message: "All subresources are ready",
-});
-
-// Get a condition
-const isReady = this.conditions.get("Ready")?.status === "True";
-```
-
-**Condition Best Practices:**
-
- **Standard Names**: Use common condition types like "Ready", "Available",
-  "Progressing"
- **Clear Status**: Use "True", "False", or "Unknown" following Kubernetes
-  conventions
- **Descriptive Reasons**: Provide specific reason codes for troubleshooting
- **Helpful Messages**: Include actionable information for users
- **Consistent Updates**: Always update conditions during reconciliation
-
-### Subresource Reconciliation
-
-The `reconcileSubresource` method provides a standardized way to manage
-individual components of your custom resource. It automatically handles
-condition updates, error management, and status aggregation. This pattern keeps
-your main reconciliation loop clean and ensures consistent error handling.
-
-Use `reconcileSubresource` to manage individual components:
-
-```typescript
-public reconcile = async () => {
-  // This automatically manages conditions and error handling
-  await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
-  await this.reconcileSubresource("Service", this.#reconcileService);
-};
-```
-
-**Subresource Reconciliation Benefits:**
-
- **Automatic Condition Management**: Sets conditions based on reconciliation
-  results
- **Error Isolation**: Failures in one subresource don't stop others
- **Status Aggregation**: Combines individual component status into overall
-  status
- **Consistent Patterns**: Same error handling and retry logic across all
-  components
- **Observability**: Clear visibility into which components are having issues
-
-### Deep Equality Checks
-
-Deep equality checks prevent unnecessary API calls and resource churn.
-Kubernetes resources should only be updated when their desired state actually
-differs from their current state. This improves performance and reduces cluster
-load.
-
-Use `deepEqual` to avoid unnecessary updates:
-
-```typescript
-import deepEqual from "deep-equal";
-
-if (!deepEqual(currentResource.spec, desiredManifest.spec)) {
-  await currentResource.patch(desiredManifest);
-}
-```
-
-**Deep Equality Benefits:**
-
- **Performance**: Avoids unnecessary API calls to Kubernetes
- **Reduced Churn**: Prevents resource version conflicts and unnecessary events
- **Stability**: Reduces reconciliation loops and system noise
- **Efficiency**: Lets you focus compute on actual changes
- **Observability**: Cleaner audit logs with only meaningful changes
-
-**When to Use Deep Equality:**
-
- **Spec Comparisons**: Before updating any Kubernetes resource
- **Status Updates**: Only update status when values actually change
- **Metadata Updates**: Check labels and annotations before patching
- **Complex Objects**: Especially useful for nested configuration objects
-
-## Advanced Patterns
-
-These patterns handle more complex scenarios like secret management, resource
-dependencies, and sophisticated error handling. Use these when building
-production-ready operators that need to handle real-world complexity.
-
-### Working with Secrets
-
-Many resources need to manage secrets. Here's a pattern for secret management:
-
-```typescript
-import { SecretService } from "../../services/secrets/secrets.ts";
-
-class MyResource extends CustomResource<typeof myResourceSpecSchema> {
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const secretService = this.services.get(SecretService);
-
-    // Get or create a secret
-    this.secretRef = secretService.get({
-      name: `${this.name}-secret`,
-      namespace: this.namespace,
-    });
-  }
-
-  #ensureSecret = async () => {
-    const secretData = {
-      apiKey: generateApiKey(),
-      password: generatePassword(),
-    };
-
-    if (!this.secretRef.current?.exists) {
-      await this.secretRef.current?.patch({
-        apiVersion: "v1",
-        kind: "Secret",
-        metadata: {
-          name: this.secretRef.current.name,
-          namespace: this.secretRef.current.namespace,
-          ownerReferences: [this.ref],
-        },
-        data: secretData,
-      });
-    }
-  };
-}
-```
-
-### Cross-Resource Dependencies
-
-When your resource depends on other custom resources:
-
-```typescript
-class MyResource extends CustomResource<typeof myResourceSpecSchema> {
-  #dependentResource = new ResourceReference();
-
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    // Reference another custom resource
-    this.#dependentResource.current = resourceService.get({
-      apiVersion: "homelab.mortenolsen.pro/v1",
-      kind: "PostgresDatabase",
-      name: this.spec.database,
-      namespace: this.namespace,
-    });
-
-    this.#dependentResource.on("changed", this.queueReconcile);
-  }
-
-  #reconcileApp = async (): Promise<SubresourceResult> => {
-    // Check if dependency is ready
-    const dependency = this.#dependentResource.current;
-    if (!dependency?.exists) {
-      return {
-        ready: false,
-        failed: true,
-        reason: "MissingDependency",
-        message: `PostgresDatabase ${this.spec.database} not found`,
-      };
-    }
-
-    const dependencyReady = dependency.status?.conditions?.find(
-      (c) => c.type === "Ready" && c.status === "True",
-    );
-
-    if (!dependencyReady) {
-      return {
-        ready: false,
-        reason: "WaitingForDependency",
-        message:
-          `Waiting for PostgresDatabase ${this.spec.database} to be ready`,
-      };
-    }
-
-    // Continue with reconciliation...
-  };
-}
-```
-
-### Error Handling
-
-Proper error handling in reconciliation:
-
-```typescript
-#reconcileDeployment = async (): Promise<SubresourceResult> => {
-  try {
-    // Reconciliation logic...
-    return { ready: true };
-  } catch (error) {
-    return {
-      ready: false,
-      failed: true,
-      reason: 'ReconciliationError',
-      message: `Failed to reconcile deployment: ${error.message}`,
-    };
-  }
-};
-```
-
-## Example Usage
-
-Once your custom resource is implemented and registered, users can create
-instances using standard Kubernetes manifests. The operator will automatically
-detect new resources and begin reconciliation based on your implementation
-logic.
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: MyResource
-metadata:
-  name: my-app
-  namespace: default
-spec:
-  hostname: my-app.example.com
-  port: 8080
-  replicas: 3
-  protocol: https
-  database:
-    host: postgres.default.svc.cluster.local
-    port: 5432
-    name: myapp
-```
-
-**What happens when this resource is created:**
-
-1. **Validation**: The operator validates the spec against your Zod schema
-2. **Resource Creation**: Your `MyResourceResource` class is instantiated
-3. **Reconciliation**: The operator creates a Deployment with 3 replicas and a
-   Service
-4. **Status Updates**: Conditions are set to track deployment and service
-   readiness
-5. **Event Handling**: The operator watches for changes and re-reconciles as
-   needed
-
-Users can then monitor the resource status with:
-
-```bash
-kubectl get myresources my-app -o yaml
-kubectl describe myresource my-app
-```
-
-## Real Examples
-
-These examples show how the patterns described above are used in practice within
-the homelab-operator.
-
-### Simple Resource: Domain
-
-The `Domain` resource demonstrates a straightforward custom resource that
-manages external dependencies. It creates and manages TLS certificates through
-cert-manager and configures Istio gateways for HTTPS traffic routing.
-
-**What it does:**
-
- Creates a cert-manager Certificate for TLS termination
- Configures an Istio Gateway for traffic routing
- Manages the lifecycle of both resources through owner references
- Provides wildcard certificate support for subdomains
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: Domain
-metadata:
-  name: homelab
-  namespace: homelab
-spec:
-  hostname: local.olsen.cloud # Domain for certificate and gateway
-  issuer: letsencrypt-prod # cert-manager ClusterIssuer to use
-```
-
-**Key Implementation Features:**
-
- **CRD Dependency Checking**: Validates that cert-manager and Istio CRDs exist
- **Cross-Namespace Resources**: Certificate is created in the istio-ingress
-  namespace
- **Status Aggregation**: Combines certificate and gateway readiness into
-  overall status
- **Wildcard Support**: Automatically configures `*.hostname` for subdomains
-
-### Complex Resource: AuthentikServer
-
-The `AuthentikServer` resource showcases a complex custom resource with multiple
-dependencies and sophisticated reconciliation logic. It deploys a complete
-identity provider solution with database and Redis dependencies.
-
-**What it does:**
-
- Deploys Authentik identity provider with proper configuration
- Manages database schema and user creation
- Configures Redis connection for session storage
- Sets up domain integration for SSO endpoints
- Handles secret generation and rotation
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: AuthentikServer
-metadata:
-  name: homelab
-  namespace: homelab
-spec:
-  domain: homelab # References a Domain resource
-  database: test2 # References a PostgresDatabase resource
-  redis: redis # References a Redis connection
-```
-
-**Key Implementation Features:**
-
- **Resource Dependencies**: Waits for Domain, PostgresDatabase, and Redis
-  resources
- **Secret Management**: Generates and manages API keys, passwords, and tokens
- **Service Configuration**: Creates comprehensive Kubernetes manifests
-  (Deployment, Service, Ingress)
- **Health Checking**: Monitors application readiness and database connectivity
- **Cross-Resource Communication**: Uses other custom resources' status and
-  outputs
-
-### Database Resource: PostgresDatabase
-
-The `PostgresDatabase` resource illustrates how to manage stateful resources and
-external system integration. It creates databases within an existing PostgreSQL
-instance and manages user permissions.
-
-**What it does:**
-
- Creates a new database in an existing PostgreSQL server
- Generates dedicated database user with appropriate permissions
- Manages connection secrets for applications
- Handles database cleanup and user removal
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: PostgresDatabase
-metadata:
-  name: test2
-  namespace: homelab
-spec:
-  connection: homelab/db # References PostgreSQL connection (namespace/name)
-```
-
-**Key Implementation Features:**
-
- **External System Integration**: Connects to existing PostgreSQL instances
- **User Management**: Creates database-specific users with minimal required
-  permissions
- **Secret Generation**: Provides connection details to consuming applications
- **Cleanup Handling**: Safely removes databases and users when resource is
-  deleted
- **Connection Validation**: Verifies connectivity before marking as ready
-
-**Common Patterns Across Examples:**
-
- **Owner References**: All managed resources have proper ownership for garbage
-  collection
- **Condition Management**: Consistent status reporting through Kubernetes
-  conditions
- **Resource Dependencies**: Graceful handling of missing or unready
-  dependencies
- **Secret Management**: Secure generation and storage of credentials
- **Cross-Resource Integration**: Resources reference and depend on each other
-  appropriately
-
-## Best Practices
-
-1. **Validation**: Always use Zod schemas for comprehensive spec validation
-2. **Idempotency**: Use `deepEqual` checks to avoid unnecessary updates
-3. **Conditions**: Provide clear status information through conditions
-4. **Owner References**: Always set owner references for created resources
-5. **Error Handling**: Provide meaningful error messages and failure reasons
-6. **Dependencies**: Handle missing dependencies gracefully
-7. **Cleanup**: Leverage Kubernetes garbage collection through owner references
-8. **Testing**: Create test manifests in `test-manifests/` for your resources
-
-## Troubleshooting
-
- **Resource not reconciling**: Check if the resource is properly registered in
-  `custom-resources.ts`
- **Validation errors**: Ensure your Zod schema matches the expected spec
-  structure
- **Missing dependencies**: Verify that referenced resources exist and are ready
- **Owner reference issues**: Make sure `ownerReferences` are set correctly for
-  garbage collection
- **Condition not updating**: Ensure you're calling `this.conditions.set()` with
-  proper status values
-
-For more examples, refer to the existing custom resources in
-`src/custom-resouces/`.
--- a/istio-test.yaml
+++ b/istio-test.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.istio.io/v1beta1
+kind: ServiceEntry
+metadata:
+  name: dev-authentik-override
+  namespace: dev
+spec:
+  hosts:
+    - authentik.mortenolsen.nett
+  ports:
+    - number: 443
+      name: https
+      protocol: HTTPS
+    - number: 80
+      name: http
+      protocol: HTTP
+  location: MESH_EXTERNAL
+  resolution: STATIC
+  endpoints:
+    - address: 1.1.1.1
+      ports:
+        https: 443
+        http: 80
--- a/manifests/client.yaml
+++ b/manifests/client.yaml
@@ -0,0 +1,9 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: OidcClient
+metadata:
+  name: test-client
+spec:
+  environment: dev
+  redirectUris:
+    - url: https://localhost:3000/api/v1/authentik/oauth2/callback
+      matchingMode: strict
--- a/manifests/environment.yaml
+++ b/manifests/environment.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dev
+---
+apiVersion: homelab.mortenolsen.pro/v1
+kind: Environment
+metadata:
+  name: prod
+spec:
+  domain: olsen.cloud
+  networkIp: 192.168.20.180
+  tls:
+    issuer: lets-encrypt-prod
--- a/manifests/example-pvc.yaml
+++ b/manifests/example-pvc.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: example-pvc
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: homelab-operator-local-path
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: example-pod
+  namespace: default
+spec:
+  containers:
+    - name: example-container
+      image: alpine
+      command: ["/bin/sh", "-c", "sleep infinity"]
+      volumeMounts:
+        - name: example-volume
+          mountPath: /data
+      resources:
+        limits:
+          memory: 100Mi
+          cpu: "0.1"
+        requests:
+          memory: 50Mi
+          cpu: "0.05"
+  volumes:
+    - name: example-volume
+      persistentVolumeClaim:
+        claimName: example-pvc
--- a/manifests/test-service.yaml
+++ b/manifests/test-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: test-example-com
+  namespace: dev
+spec:
+  hosts:
+    - authentik.one.dev.olsen.cloud
+      # (the address field is optional if you use 'resolution: DNS')
+  ports:
+    - number: 80
+      name: https
+      protocol: HTTPS
+  resolution: DNS
--- a/operator.yaml
+++ b/operator.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: homelab
+
+---
+
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: homelab
+  namespace: homelab
+spec:
+  interval: 60m
+  url: https://github.com/morten-olsen/homelab-operator
+  ref:
+    branch: main
+
+---
+
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: operator
+  namespace: homelab
+spec:
+  releaseName: operator
+  interval: 60m
+  chart:
+    spec:
+      chart: charts/operator
+      sourceRef:
+        kind: GitRepository
+        name: homelab
+        namespace: homelab
--- a/package.json
+++ b/package.json
@@ -22,6 +22,8 @@
  "dependencies": {
    "@goauthentik/api": "2025.6.3-1751754396",
    "@kubernetes/client-node": "^1.3.0",
+    "cloudflare": "^4.5.0",
+    "cron": "^4.3.3",
    "debounce": "^2.2.0",
    "deep-equal": "^2.2.3",
    "dotenv": "^17.2.1",
@@ -35,6 +37,12 @@
    "yaml": "^2.8.0",
    "zod": "^4.0.14"
  },
+  "imports": {
+    "#services/*": "./src/services/*",
+    "#resources/*": "./src/resources/*",
+    "#bootstrap/*": "./src/bootstrap/*",
+    "#utils/*": "./src/utils/*"
+  },
  "packageManager": "pnpm@10.6.0",
  "pnpm": {
    "onlyBuiltDependencies": [
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -14,6 +14,12 @@ importers:
      '@kubernetes/client-node':
        specifier: ^1.3.0
        version: 1.3.0(encoding@0.1.13)
+      cloudflare:
+        specifier: ^4.5.0
+        version: 4.5.0(encoding@0.1.13)
+      cron:
+        specifier: ^4.3.3
+        version: 4.3.3
      debounce:
        specifier: ^2.2.0
        version: 2.2.0
@@ -229,9 +235,15 @@ packages:
  '@types/lodash@4.17.20':
    resolution: {integrity: sha512-H3MHACvFUEiujabxhaI/ImO6gUrd8oOurg7LQtS7mbwIXA/cUqWrvBsaeJ23aZEPk1TAYkurjfMbSELfoCXlGA==}

+  '@types/luxon@3.7.1':
+    resolution: {integrity: sha512-H3iskjFIAn5SlJU7OuxUmTEpebK6TKB8rxZShDslBMZJ5u9S//KM1sbdAisiSrqwLQncVjnpi2OK2J51h+4lsg==}
+
  '@types/node-fetch@2.6.12':
    resolution: {integrity: sha512-8nneRWKCg3rMtF69nLQJnOYUcbafYeFSjqkw3jCRLsqkWFlHaoQrr5mXmofFGOx3DKn7UfmBMyov8ySvLRVldA==}

+  '@types/node@18.19.123':
+    resolution: {integrity: sha512-K7DIaHnh0mzVxreCR9qwgNxp3MH9dltPNIEddW9MYUlcKAzm+3grKNSTe2vCJHI1FaLpvpL5JGJrz1UZDKYvDg==}
+
  '@types/node@22.16.5':
    resolution: {integrity: sha512-bJFoMATwIGaxxx8VJPeM8TonI8t579oRvgAuT8zFugJsJZgzqv0Fu8Mhp68iecjzG7cnN3mO2dJQ5uUM2EFrgQ==}

@@ -303,6 +315,10 @@ packages:
  abbrev@1.1.1:
    resolution: {integrity: sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==}

+  abort-controller@3.0.0:
+    resolution: {integrity: sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==}
+    engines: {node: '>=6.5'}
+
  acorn-jsx@5.3.2:
    resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==}
    peerDependencies:
@@ -479,6 +495,9 @@ packages:
    resolution: {integrity: sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==}
    engines: {node: '>=6'}

+  cloudflare@4.5.0:
+    resolution: {integrity: sha512-fPcbPKx4zF45jBvQ0z7PCdgejVAPBBCZxwqk1k7krQNfpM07Cfj97/Q6wBzvYqlWXx/zt1S9+m8vnfCe06umbQ==}
+
  color-convert@2.0.1:
    resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
    engines: {node: '>=7.0.0'}
@@ -507,6 +526,10 @@ packages:
  console-control-strings@1.1.0:
    resolution: {integrity: sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==}

+  cron@4.3.3:
+    resolution: {integrity: sha512-B/CJj5yL3sjtlun6RtYHvoSB26EmQ2NUmhq9ZiJSyKIM4K/fqfh9aelDFlIayD2YMeFZqWLi9hHV+c+pq2Djkw==}
+    engines: {node: '>=18.x'}
+
  cross-spawn@7.0.6:
    resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
    engines: {node: '>= 8'}
@@ -754,6 +777,10 @@ packages:
    resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==}
    engines: {node: '>=0.10.0'}

+  event-target-shim@5.0.1:
+    resolution: {integrity: sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==}
+    engines: {node: '>=6'}
+
  eventemitter3@5.0.1:
    resolution: {integrity: sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==}

@@ -825,10 +852,17 @@ packages:
    resolution: {integrity: sha512-dKx12eRCVIzqCxFGplyFKJMPvLEWgmNtUrpTiJIR5u97zEhRG8ySrtboPHZXx7daLxQVrl643cTzbab2tkQjxg==}
    engines: {node: '>= 0.4'}

+  form-data-encoder@1.7.2:
+    resolution: {integrity: sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A==}
+
  form-data@4.0.4:
    resolution: {integrity: sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==}
    engines: {node: '>= 6'}

+  formdata-node@4.4.1:
+    resolution: {integrity: sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==}
+    engines: {node: '>= 12.20'}
+
  fs-constants@1.0.0:
    resolution: {integrity: sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==}

@@ -1238,6 +1272,10 @@ packages:
    resolution: {integrity: sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==}
    engines: {node: '>=10'}

+  luxon@3.7.1:
+    resolution: {integrity: sha512-RkRWjA926cTvz5rAb1BqyWkKbbjzCGchDUIKMCUvNi17j6f6j8uHGDV82Aqcqtzd+icoYpELmG3ksgGiFNNcNg==}
+    engines: {node: '>=12'}
+
  make-fetch-happen@9.1.0:
    resolution: {integrity: sha512-+zopwDy7DNknmwPQplem5lAZX/eCOzSvSNNcSKm5eVwTkOBzoktEfXsa9L23J/GIRhxRsaxzkPEhrJEpE2F4Gg==}
    engines: {node: '>= 10'}
@@ -1339,6 +1377,11 @@ packages:
  node-addon-api@7.1.1:
    resolution: {integrity: sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==}

+  node-domexception@1.0.0:
+    resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
+    engines: {node: '>=10.5.0'}
+    deprecated: Use your platform's native DOMException instead
+
  node-fetch@2.7.0:
    resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}
    engines: {node: 4.x || >=6.0.0}
@@ -1886,6 +1929,9 @@ packages:
    resolution: {integrity: sha512-nWJ91DjeOkej/TA8pXQ3myruKpKEYgqvpw9lz4OPHj/NWFNluYrjbz9j01CJ8yKQd2g4jFoOkINCTW2I5LEEyw==}
    engines: {node: '>= 0.4'}

+  undici-types@5.26.5:
+    resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==}
+
  undici-types@6.21.0:
    resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}

@@ -1905,6 +1951,10 @@ packages:
  util-deprecate@1.0.2:
    resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==}

+  web-streams-polyfill@4.0.0-beta.3:
+    resolution: {integrity: sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==}
+    engines: {node: '>= 14'}
+
  webidl-conversions@3.0.1:
    resolution: {integrity: sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==}

@@ -2129,11 +2179,17 @@ snapshots:

  '@types/lodash@4.17.20': {}

+  '@types/luxon@3.7.1': {}
+
  '@types/node-fetch@2.6.12':
    dependencies:
      '@types/node': 22.16.5
      form-data: 4.0.4

+  '@types/node@18.19.123':
+    dependencies:
+      undici-types: 5.26.5
+
  '@types/node@22.16.5':
    dependencies:
      undici-types: 6.21.0
@@ -2240,6 +2296,10 @@ snapshots:
  abbrev@1.1.1:
    optional: true

+  abort-controller@3.0.0:
+    dependencies:
+      event-target-shim: 5.0.1
+
  acorn-jsx@5.3.2(acorn@8.15.0):
    dependencies:
      acorn: 8.15.0
@@ -2258,7 +2318,6 @@ snapshots:
  agentkeepalive@4.6.0:
    dependencies:
      humanize-ms: 1.2.1
-    optional: true

  aggregate-error@3.1.0:
    dependencies:
@@ -2463,6 +2522,18 @@ snapshots:
  clean-stack@2.2.0:
    optional: true

+  cloudflare@4.5.0(encoding@0.1.13):
+    dependencies:
+      '@types/node': 18.19.123
+      '@types/node-fetch': 2.6.12
+      abort-controller: 3.0.0
+      agentkeepalive: 4.6.0
+      form-data-encoder: 1.7.2
+      formdata-node: 4.4.1
+      node-fetch: 2.7.0(encoding@0.1.13)
+    transitivePeerDependencies:
+      - encoding
+
  color-convert@2.0.1:
    dependencies:
      color-name: 1.1.4
@@ -2485,6 +2556,11 @@ snapshots:
  console-control-strings@1.1.0:
    optional: true

+  cron@4.3.3:
+    dependencies:
+      '@types/luxon': 3.7.1
+      luxon: 3.7.1
+
  cross-spawn@7.0.6:
    dependencies:
      path-key: 3.1.1
@@ -2828,6 +2904,8 @@ snapshots:

  esutils@2.0.3: {}

+  event-target-shim@5.0.1: {}
+
  eventemitter3@5.0.1: {}

  execa@9.6.0:
@@ -2903,6 +2981,8 @@ snapshots:
    dependencies:
      is-callable: 1.2.7

+  form-data-encoder@1.7.2: {}
+
  form-data@4.0.4:
    dependencies:
      asynckit: 0.4.0
@@ -2911,6 +2991,11 @@ snapshots:
      hasown: 2.0.2
      mime-types: 2.1.35

+  formdata-node@4.4.1:
+    dependencies:
+      node-domexception: 1.0.0
+      web-streams-polyfill: 4.0.0-beta.3
+
  fs-constants@1.0.0: {}

  fs-minipass@2.1.0:
@@ -3064,7 +3149,6 @@ snapshots:
  humanize-ms@1.2.1:
    dependencies:
      ms: 2.1.3
-    optional: true

  iconv-lite@0.6.3:
    dependencies:
@@ -3329,6 +3413,8 @@ snapshots:
      yallist: 4.0.0
    optional: true

+  luxon@3.7.1: {}
+
  make-fetch-happen@9.1.0:
    dependencies:
      agentkeepalive: 4.6.0
@@ -3440,6 +3526,8 @@ snapshots:

  node-addon-api@7.1.1: {}

+  node-domexception@1.0.0: {}
+
  node-fetch@2.7.0(encoding@0.1.13):
    dependencies:
      whatwg-url: 5.0.0
@@ -4098,6 +4186,8 @@ snapshots:
      has-symbols: 1.1.0
      which-boxed-primitive: 1.1.1

+  undici-types@5.26.5: {}
+
  undici-types@6.21.0: {}

  unicorn-magic@0.3.0: {}
@@ -4118,6 +4208,8 @@ snapshots:

  util-deprecate@1.0.2: {}

+  web-streams-polyfill@4.0.0-beta.3: {}
+
  webidl-conversions@3.0.1: {}

  whatwg-url@5.0.0:
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -0,0 +1,9 @@
+[project]
+name = "homelab-operator"
+version = "0.1.0"
+description = "Add your description here"
+readme = "README.md"
+requires-python = ">=3.13"
+dependencies = [
+    "kubediagrams>=0.5.0",
+]
--- a/scripts/apply-test.sh
+++ b/scripts/apply-test.sh
@@ -1,4 +0,0 @@
-for f in "./test-manifests/"*; do
-  echo "Applying $f"
-  kubectl apply -f "$f"
-done
--- a/scripts/create-secrets.sh
+++ b/scripts/create-secrets.sh
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Load environment variables from .env file
-if [ -f .env ]; then
-  export $(cat .env | grep -v '#' | awk '/=/ {print $1}')
-fi
-
-# Check if CLOUDFLARE_API_KEY is set
-if [ -z "${CLOUDFLARE_API_KEY}" ]; then
-  echo "Error: CLOUDFLARE_API_KEY is not set. Please add it to your .env file."
-  exit 1
-fi
-
-# Create the postgres namespace if it doesn't exist
-kubectl get namespace postgres > /dev/null 2>&1 || kubectl create namespace postgres
-
-# Create the secret
-kubectl create secret generic cloudflare-api-token \
-  --namespace cert-manager \
-  --from-literal=api-token="${CLOUDFLARE_API_KEY}"
--- a/scripts/list-manifests.ts
+++ b/scripts/list-manifests.ts
@@ -1,15 +0,0 @@
-#!/usr/bin/env node
-
-import { K8sService } from '../src/services/k8s/k8s.ts';
-import { Services } from '../src/utils/service.ts';
-
-const services = new Services();
-const k8s = services.get(K8sService);
-
-const manifests = await k8s.extensionsApi.listCustomResourceDefinition();
-
-for (const manifest of manifests.items) {
-  for (const version of manifest.spec.versions) {
-    console.log(`group: ${manifest.spec.group}, plural: ${manifest.spec.names.plural}, version: ${version.name}`);
-  }
-}
--- a/scripts/setup-server.sh
+++ b/scripts/setup-server.sh
@@ -1,3 +0,0 @@
-#!/bin/bash
-flux install --components="source-controller,helm-controller"
-kubectl create namespace homelab
--- a/skaffold.yaml
+++ b/skaffold.yaml
@@ -0,0 +1,25 @@
+apiVersion: skaffold/v4beta7
+kind: Config
+metadata:
+  name: homelab-operator
+
+build:
+  cluster: {}
+  artifacts:
+    - image: homelaboperator
+      context: .
+      docker:
+        dockerfile: Dockerfile
+
+manifests:
+  helm:
+    releases:
+      - name: homelab-operator
+        chartPath: charts/operator
+        setValueTemplates:
+          image.repository: '{{.IMAGE_REPO_homelaboperator}}'
+          image.tag: '{{.IMAGE_TAG_homelaboperator}}'
+
+deploy:
+  # Use kubectl to apply the manifests.
+  kubectl: {}
--- a/src/bootstrap/bootstrap.ts
+++ b/src/bootstrap/bootstrap.ts
@@ -0,0 +1,42 @@
+import { CloudflareTunnel } from '#resources/homelab/cloudflare-tunnel/cloudflare-tunnel.ts';
+import { ResourceService } from '#services/resources/resources.ts';
+import type { Services } from '../utils/service.ts';
+
+import { NamespaceService } from './namespaces/namespaces.ts';
+import { ReleaseService } from './releases/releases.ts';
+import { RepoService } from './repos/repos.ts';
+
+class BootstrapService {
+  #services: Services;
+
+  constructor(services: Services) {
+    this.#services = services;
+  }
+  public get namespaces() {
+    return this.#services.get(NamespaceService);
+  }
+
+  public get repos() {
+    return this.#services.get(RepoService);
+  }
+
+  public get releases() {
+    return this.#services.get(ReleaseService);
+  }
+
+  public get cloudflareTunnel() {
+    const resourceService = this.#services.get(ResourceService);
+    return resourceService.get(CloudflareTunnel, 'cloudflare-tunnel', this.namespaces.homelab.name);
+  }
+
+  public ensure = async () => {
+    await this.namespaces.ensure();
+    await this.repos.ensure();
+    await this.releases.ensure();
+    await this.cloudflareTunnel.ensure({
+      spec: {},
+    });
+  };
+}
+
+export { BootstrapService };
--- a/src/bootstrap/namespaces/namespaces.ts
+++ b/src/bootstrap/namespaces/namespaces.ts
@@ -0,0 +1,45 @@
+import type { Services } from '../../utils/service.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+
+import { Namespace } from '#resources/core/namespace/namespace.ts';
+
+class NamespaceService {
+  #homelab: Namespace;
+  #istioSystem: Namespace;
+  #certManager: Namespace;
+
+  constructor(services: Services) {
+    const resourceService = services.get(ResourceService);
+    this.#homelab = resourceService.get(Namespace, 'homelab');
+    this.#istioSystem = resourceService.get(Namespace, 'istio-system');
+    this.#certManager = resourceService.get(Namespace, 'cert-manager');
+
+    this.#homelab.on('changed', this.ensure);
+    this.#istioSystem.on('changed', this.ensure);
+    this.#certManager.on('changed', this.ensure);
+  }
+
+  public get homelab() {
+    return this.#homelab;
+  }
+  public get istioSystem() {
+    return this.#istioSystem;
+  }
+  public get certManager() {
+    return this.#certManager;
+  }
+
+  public ensure = async () => {
+    await this.#homelab.ensure({
+      metadata: {
+        labels: {
+          'istio-injection': 'enabled',
+        },
+      },
+    });
+    await this.#istioSystem.ensure({});
+    await this.#certManager.ensure({});
+  };
+}
+
+export { NamespaceService };
--- a/src/bootstrap/releases/releases.ts
+++ b/src/bootstrap/releases/releases.ts
@@ -0,0 +1,141 @@
+import { ResourceService } from '../../services/resources/resources.ts';
+import { NAMESPACE } from '../../utils/consts.ts';
+import { Services } from '../../utils/service.ts';
+import { NamespaceService } from '../namespaces/namespaces.ts';
+import { RepoService } from '../repos/repos.ts';
+
+import { HelmRelease } from '#resources/flux/helm-release/helm-release.ts';
+
+class ReleaseService {
+  #services: Services;
+  #certManager: HelmRelease;
+  #istioBase: HelmRelease;
+  #istiod: HelmRelease;
+  #istioGateway: HelmRelease;
+
+  constructor(services: Services) {
+    this.#services = services;
+    const resourceService = services.get(ResourceService);
+    this.#certManager = resourceService.get(HelmRelease, 'cert-manager', NAMESPACE);
+    this.#istioBase = resourceService.get(HelmRelease, 'istio-base', NAMESPACE);
+    this.#istiod = resourceService.get(HelmRelease, 'istiod', NAMESPACE);
+    this.#istioGateway = resourceService.get(HelmRelease, 'istio-gateway', NAMESPACE);
+
+    this.#certManager.on('changed', this.ensure);
+    this.#istioBase.on('changed', this.ensure);
+    this.#istiod.on('changed', this.ensure);
+    this.#istioGateway.on('changed', this.ensure);
+  }
+
+  public get certManager() {
+    return this.#certManager;
+  }
+  public get istioBase() {
+    return this.#istioBase;
+  }
+  public get istiod() {
+    return this.#istiod;
+  }
+
+  public ensure = async () => {
+    const namespaceService = this.#services.get(NamespaceService);
+    const repoService = this.#services.get(RepoService);
+    await this.#certManager.ensure({
+      spec: {
+        targetNamespace: namespaceService.certManager.name,
+        interval: '1h',
+        values: {
+          installCRDs: true,
+        },
+        chart: {
+          spec: {
+            chart: 'cert-manager',
+            version: 'v1.18.2',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.jetstack.name,
+              namespace: repoService.jetstack.namespace,
+            },
+          },
+        },
+      },
+    });
+    await this.#istioBase.ensure({
+      spec: {
+        targetNamespace: namespaceService.istioSystem.name,
+        interval: '1h',
+        values: {
+          defaultRevision: 'default',
+          profile: 'ambient',
+        },
+        chart: {
+          spec: {
+            chart: 'base',
+            version: '1.24.3',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.istio.name,
+              namespace: repoService.istio.namespace,
+            },
+          },
+        },
+      },
+    });
+    await this.#istiod.ensure({
+      spec: {
+        targetNamespace: namespaceService.istioSystem.name,
+        interval: '1h',
+        dependsOn: [
+          {
+            name: this.#istioBase.name,
+            namespace: this.#istioBase.namespace,
+          },
+        ],
+        chart: {
+          spec: {
+            chart: 'istiod',
+            version: '1.24.3',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.istio.name,
+              namespace: repoService.istio.namespace,
+            },
+          },
+        },
+      },
+    });
+    await this.#istioGateway.ensure({
+      spec: {
+        targetNamespace: NAMESPACE,
+        interval: '1h',
+        dependsOn: [
+          {
+            name: this.#istioBase.name,
+            namespace: this.#istioBase.namespace,
+          },
+          {
+            name: this.#istiod.name,
+            namespace: this.#istiod.namespace,
+          },
+        ],
+        chart: {
+          spec: {
+            chart: 'gateway',
+            version: '1.24.3',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.istio.name,
+              namespace: repoService.istio.namespace,
+            },
+          },
+        },
+      },
+    });
+  };
+}
+
+export { ReleaseService };
--- a/src/bootstrap/repos/repos.ts
+++ b/src/bootstrap/repos/repos.ts
@@ -0,0 +1,72 @@
+import type { Services } from '../../utils/service.ts';
+import { ResourceService } from '../../services/resources/resources.ts';
+import { NAMESPACE } from '../../utils/consts.ts';
+
+import { HelmRepo } from '#resources/flux/helm-repo/helm-repo.ts';
+
+class RepoService {
+  #jetstack: HelmRepo;
+  #istio: HelmRepo;
+  #authentik: HelmRepo;
+  #cloudflare: HelmRepo;
+  #argo: HelmRepo;
+
+  constructor(services: Services) {
+    const resourceService = services.get(ResourceService);
+    this.#jetstack = resourceService.get(HelmRepo, 'jetstack', NAMESPACE);
+    this.#istio = resourceService.get(HelmRepo, 'istio', NAMESPACE);
+    this.#authentik = resourceService.get(HelmRepo, 'authentik', NAMESPACE);
+    this.#cloudflare = resourceService.get(HelmRepo, 'cloudflare', NAMESPACE);
+    this.#argo = resourceService.get(HelmRepo, 'argo', NAMESPACE);
+
+    this.#jetstack.on('changed', this.ensure);
+    this.#istio.on('changed', this.ensure);
+    this.#authentik.on('changed', this.ensure);
+    this.#cloudflare.on('changed', this.ensure);
+    this.#argo.on('changed', this.ensure);
+  }
+
+  public get jetstack() {
+    return this.#jetstack;
+  }
+
+  public get istio() {
+    return this.#istio;
+  }
+
+  public get authentik() {
+    return this.#authentik;
+  }
+
+  public get cloudflare() {
+    return this.#cloudflare;
+  }
+
+  public get argo() {
+    return this.#argo;
+  }
+
+  public ensure = async () => {
+    await this.#jetstack.set({
+      url: 'https://charts.jetstack.io',
+    });
+
+    await this.#istio.set({
+      url: 'https://istio-release.storage.googleapis.com/charts',
+    });
+
+    await this.#authentik.set({
+      url: 'https://charts.goauthentik.io',
+    });
+
+    await this.#cloudflare.set({
+      url: 'https://cloudflare.github.io/helm-charts',
+    });
+
+    await this.#argo.set({
+      url: 'https://argoproj.github.io/argo-helm',
+    });
+  };
+}
+
+export { RepoService };
--- a/src/clients/authentik/authentik.types.d.ts
+++ b/src/clients/authentik/authentik.types.d.ts
--- a/src/custom-resouces/authentik-client/authentik-client.resource.ts
+++ b/src/custom-resouces/authentik-client/authentik-client.resource.ts
@@ -1,178 +0,0 @@
-import type { V1Secret } from '@kubernetes/client-node';
-import type { z } from 'zod';
-
-import {
-  CustomResource,
-  type CustomResourceOptions,
-  type SubresourceResult,
-} from '../../services/custom-resources/custom-resources.custom-resource.ts';
-import { ResourceReference } from '../../services/resources/resources.ref.ts';
-import { ResourceService, type Resource } from '../../services/resources/resources.ts';
-import { getWithNamespace } from '../../utils/naming.ts';
-import { decodeSecret, encodeSecret } from '../../utils/secrets.ts';
-import { CONTROLLED_LABEL } from '../../utils/consts.ts';
-import { isDeepSubset } from '../../utils/objects.ts';
-import { AuthentikService } from '../../services/authentik/authentik.service.ts';
-
-import {
-  authentikClientSecretSchema,
-  authentikClientServerSecretSchema,
-  type authentikClientSpecSchema,
-} from './authentik-client.schemas.ts';
-
-class AuthentikClientResource extends CustomResource<typeof authentikClientSpecSchema> {
-  #serverSecret: ResourceReference<V1Secret>;
-  #clientSecretResource: Resource<V1Secret>;
-
-  constructor(options: CustomResourceOptions<typeof authentikClientSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    this.#serverSecret = new ResourceReference();
-    this.#clientSecretResource = resourceService.get({
-      apiVersion: 'v1',
-      kind: 'Secret',
-      name: `authentik-client-${this.name}`,
-      namespace: this.namespace,
-    });
-
-    this.#updateResouces();
-
-    this.#serverSecret.on('changed', this.queueReconcile);
-    this.#clientSecretResource.on('changed', this.queueReconcile);
-  }
-
-  #updateResouces = () => {
-    const serverSecretNames = getWithNamespace(this.spec.secretRef, this.namespace);
-    const resourceService = this.services.get(ResourceService);
-    this.#serverSecret.current = resourceService.get({
-      apiVersion: 'v1',
-      kind: 'Secret',
-      name: serverSecretNames.name,
-      namespace: serverSecretNames.namespace,
-    });
-  };
-
-  #reconcileClientSecret = async (): Promise<SubresourceResult> => {
-    const serverSecret = this.#serverSecret.current;
-    if (!serverSecret?.exists || !serverSecret.data) {
-      return {
-        ready: false,
-        failed: true,
-        message: 'Server or server secret not found',
-      };
-    }
-    const serverSecretData = authentikClientServerSecretSchema.safeParse(decodeSecret(serverSecret.data));
-    if (!serverSecretData.success || !serverSecretData.data) {
-      return {
-        ready: false,
-        failed: true,
-        message: 'Server secret not found',
-      };
-    }
-    const url = serverSecretData.data.external_url;
-    const appName = this.name;
-    const clientSecretData = authentikClientSecretSchema.safeParse(decodeSecret(this.#clientSecretResource.data));
-
-    const expectedValues: z.infer<typeof authentikClientSecretSchema> = {
-      clientId: this.name,
-      clientSecret: clientSecretData.data?.clientSecret || crypto.randomUUID(),
-      configuration: new URL(`/application/o/${appName}/.well-known/openid-configuration`, url).toString(),
-      configurationIssuer: new URL(`/application/o/${appName}/`, url).toString(),
-      authorization: new URL(`/application/o/${appName}/authorize/`, url).toString(),
-      token: new URL(`/application/o/${appName}/token/`, url).toString(),
-      userinfo: new URL(`/application/o/${appName}/userinfo/`, url).toString(),
-      endSession: new URL(`/application/o/${appName}/end-session/`, url).toString(),
-      jwks: new URL(`/application/o/${appName}/jwks/`, url).toString(),
-    };
-    if (!isDeepSubset(clientSecretData.data, expectedValues)) {
-      await this.#clientSecretResource.patch({
-        metadata: {
-          ownerReferences: [this.ref],
-          labels: {
-            ...CONTROLLED_LABEL,
-          },
-        },
-        data: encodeSecret(expectedValues),
-      });
-      return {
-        ready: false,
-        syncing: true,
-        message: 'UpdatingManifest',
-      };
-    }
-    return {
-      ready: true,
-    };
-  };
-
-  #reconcileServer = async (): Promise<SubresourceResult> => {
-    const serverSecret = this.#serverSecret.current;
-    const clientSecret = this.#clientSecretResource;
-
-    if (!serverSecret?.exists || !serverSecret.data) {
-      return {
-        ready: false,
-        failed: true,
-        message: 'Server secret not found',
-      };
-    }
-
-    const serverSecretData = authentikClientServerSecretSchema.safeParse(decodeSecret(serverSecret.data));
-    if (!serverSecretData.success || !serverSecretData.data) {
-      return {
-        ready: false,
-        failed: true,
-        message: 'Server secret not found',
-      };
-    }
-
-    const clientSecretData = authentikClientSecretSchema.safeParse(decodeSecret(clientSecret.data));
-    if (!clientSecretData.success || !clientSecretData.data) {
-      return {
-        ready: false,
-        failed: true,
-        message: 'Client secret not found',
-      };
-    }
-
-    const authentikService = this.services.get(AuthentikService);
-    const authentikServer = authentikService.get({
-      url: {
-        internal: serverSecretData.data.internal_url,
-        external: serverSecretData.data.external_url,
-      },
-      token: serverSecretData.data.token,
-    });
-
-    (await authentikServer).upsertClient({
-      ...this.spec,
-      name: this.name,
-      secret: clientSecretData.data.clientSecret,
-    });
-
-    return {
-      ready: true,
-    };
-  };
-
-  public reconcile = async () => {
-    if (!this.exists || this.metadata?.deletionTimestamp) {
-      return;
-    }
-    this.#updateResouces();
-    await Promise.all([
-      this.reconcileSubresource('Secret', this.#reconcileClientSecret),
-      this.reconcileSubresource('Server', this.#reconcileServer),
-    ]);
-
-    const secretReady = this.conditions.get('Secret')?.status === 'True';
-    const serverReady = this.conditions.get('Server')?.status === 'True';
-
-    await this.conditions.set('Ready', {
-      status: secretReady && serverReady ? 'True' : 'False',
-    });
-  };
-}
-
-export { AuthentikClientResource };
--- a/src/custom-resouces/authentik-client/authentik-client.schemas.ts
+++ b/src/custom-resouces/authentik-client/authentik-client.schemas.ts
@@ -1,34 +0,0 @@
-import { ClientTypeEnum, SubModeEnum } from '@goauthentik/api';
-import { z } from 'zod';
-
-const authentikClientSpecSchema = z.object({
-  secretRef: z.string(),
-  subMode: z.enum(SubModeEnum).optional(),
-  clientType: z.enum(ClientTypeEnum).optional(),
-  redirectUris: z.array(
-    z.object({
-      url: z.string(),
-      matchingMode: z.enum(['strict', 'regex']),
-    }),
-  ),
-});
-
-const authentikClientServerSecretSchema = z.object({
-  internal_url: z.string(),
-  external_url: z.string(),
-  token: z.string(),
-});
-
-const authentikClientSecretSchema = z.object({
-  clientId: z.string(),
-  clientSecret: z.string().optional(),
-  configuration: z.string(),
-  configurationIssuer: z.string(),
-  authorization: z.string(),
-  token: z.string(),
-  userinfo: z.string(),
-  endSession: z.string(),
-  jwks: z.string(),
-});
-
-export { authentikClientSpecSchema, authentikClientSecretSchema, authentikClientServerSecretSchema };
--- a/src/custom-resouces/authentik-client/authentik-client.ts
+++ b/src/custom-resouces/authentik-client/authentik-client.ts
@@ -1,19 +0,0 @@
-import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
-import { GROUP } from '../../utils/consts.ts';
-
-import { AuthentikClientResource } from './authentik-client.resource.ts';
-import { authentikClientSpecSchema } from './authentik-client.schemas.ts';
-
-const authentikClientDefinition = createCustomResourceDefinition({
-  group: GROUP,
-  version: 'v1',
-  kind: 'AuthentikClient',
-  names: {
-    plural: 'authentikclients',
-    singular: 'authentikclient',
-  },
-  create: (options) => new AuthentikClientResource(options),
-  spec: authentikClientSpecSchema,
-});
-
-export { authentikClientDefinition };
--- a/src/custom-resouces/custom-resources.ts
+++ b/src/custom-resouces/custom-resources.ts
@@ -1,7 +0,0 @@
-import { authentikClientDefinition } from './authentik-client/authentik-client.ts';
-import { generateSecretDefinition } from './generate-secret/generate-secret.ts';
-import { postgresDatabaseDefinition } from './postgres-database/postgres-database.ts';
-
-const customResources = [postgresDatabaseDefinition, authentikClientDefinition, generateSecretDefinition];
-
-export { customResources };
--- a/src/custom-resouces/generate-secret/generate-secret.resource.ts
+++ b/src/custom-resouces/generate-secret/generate-secret.resource.ts
@@ -1,61 +0,0 @@
-import type { V1Secret } from '@kubernetes/client-node';
-
-import {
-  CustomResource,
-  type CustomResourceOptions,
-} from '../../services/custom-resources/custom-resources.custom-resource.ts';
-import { Resource, ResourceService } from '../../services/resources/resources.ts';
-import { decodeSecret, encodeSecret } from '../../utils/secrets.ts';
-import { isDeepSubset } from '../../utils/objects.ts';
-
-import { generateSecrets } from './generate-secret.utils.ts';
-import { generateSecretSpecSchema } from './generate-secret.schemas.ts';
-
-class GenerateSecretResource extends CustomResource<typeof generateSecretSpecSchema> {
-  #secretResource: Resource<V1Secret>;
-
-  constructor(options: CustomResourceOptions<typeof generateSecretSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    this.#secretResource = resourceService.get({
-      apiVersion: 'v1',
-      kind: 'Secret',
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    this.#secretResource.on('changed', this.queueReconcile);
-  }
-
-  public reconcile = async () => {
-    if (!this.exists || this.metadata?.deletionTimestamp) {
-      return;
-    }
-
-    const secrets = generateSecrets(this.spec);
-    const current = decodeSecret(this.#secretResource.data) || {};
-
-    const expected = {
-      ...secrets,
-      ...current,
-    };
-
-    if (!isDeepSubset(current, expected)) {
-      this.#secretResource.patch({
-        data: encodeSecret(expected),
-      });
-      this.conditions.set('SecretUpdated', {
-        status: 'False',
-        reason: 'SecretUpdated',
-      });
-    }
-
-    this.conditions.set('Ready', {
-      status: 'True',
-      reason: 'Ready',
-    });
-  };
-}
-
-export { GenerateSecretResource };
--- a/src/custom-resouces/generate-secret/generate-secret.schemas.ts
+++ b/src/custom-resouces/generate-secret/generate-secret.schemas.ts
@@ -1,17 +0,0 @@
-import { z } from 'zod';
-
-const generateSecretFieldSchema = z.object({
-  name: z.string(),
-  value: z.string().optional(),
-  encoding: z.enum(['base64', 'base64url', 'hex', 'utf8', 'numeric']).optional(),
-  length: z.number().optional(),
-});
-
-const generateSecretSpecSchema = z.object({
-  fields: z.array(generateSecretFieldSchema),
-});
-
-type GenerateSecretField = z.infer<typeof generateSecretFieldSchema>;
-type GenerateSecretSpec = z.infer<typeof generateSecretSpecSchema>;
-
-export { generateSecretSpecSchema, type GenerateSecretField, type GenerateSecretSpec };
--- a/src/custom-resouces/generate-secret/generate-secret.ts
+++ b/src/custom-resouces/generate-secret/generate-secret.ts
@@ -1,19 +0,0 @@
-import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
-import { GROUP } from '../../utils/consts.ts';
-
-import { GenerateSecretResource } from './generate-secret.resource.ts';
-import { generateSecretSpecSchema } from './generate-secret.schemas.ts';
-
-const generateSecretDefinition = createCustomResourceDefinition({
-  group: GROUP,
-  version: 'v1',
-  kind: 'GenerateSecret',
-  names: {
-    plural: 'generate-secrets',
-    singular: 'generate-secret',
-  },
-  spec: generateSecretSpecSchema,
-  create: (options) => new GenerateSecretResource(options),
-});
-
-export { generateSecretDefinition };
--- a/src/custom-resouces/postgres-database/portgres-database.schemas.ts
+++ b/src/custom-resouces/postgres-database/portgres-database.schemas.ts
@@ -1,23 +0,0 @@
-import { z } from 'zod';
-
-const postgresDatabaseSpecSchema = z.object({
-  secretRef: z.string(),
-});
-
-const postgresDatabaseSecretSchema = z.object({
-  host: z.string(),
-  port: z.string(),
-  user: z.string(),
-  password: z.string(),
-  database: z.string().optional(),
-});
-
-const postgresDatabaseConnectionSecretSchema = z.object({
-  host: z.string(),
-  port: z.string(),
-  user: z.string(),
-  password: z.string(),
-  database: z.string(),
-});
-
-export { postgresDatabaseSpecSchema, postgresDatabaseSecretSchema, postgresDatabaseConnectionSecretSchema };
--- a/src/custom-resouces/postgres-database/postgres-database.resource.ts
+++ b/src/custom-resouces/postgres-database/postgres-database.resource.ts
@@ -1,183 +0,0 @@
-import { z } from 'zod';
-import type { V1Secret } from '@kubernetes/client-node';
-
-import {
-  CustomResource,
-  type CustomResourceOptions,
-  type SubresourceResult,
-} from '../../services/custom-resources/custom-resources.custom-resource.ts';
-import { PostgresService } from '../../services/postgres/postgres.service.ts';
-import { ResourceReference } from '../../services/resources/resources.ref.ts';
-import { Resource, ResourceService } from '../../services/resources/resources.ts';
-import { getWithNamespace } from '../../utils/naming.ts';
-import { decodeSecret, encodeSecret } from '../../utils/secrets.ts';
-import { isDeepSubset } from '../../utils/objects.ts';
-
-import {
-  postgresDatabaseConnectionSecretSchema,
-  postgresDatabaseSecretSchema,
-  type postgresDatabaseSpecSchema,
-} from './portgres-database.schemas.ts';
-
-const SECRET_READY_CONDITION = 'Secret';
-const DATABASE_READY_CONDITION = 'Database';
-
-const secretDataSchema = z.object({
-  host: z.string(),
-  port: z.string().optional(),
-  database: z.string(),
-  user: z.string(),
-  password: z.string(),
-});
-
-class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpecSchema> {
-  #serverSecret: ResourceReference<V1Secret>;
-  #databaseSecret: Resource<V1Secret>;
-
-  constructor(options: CustomResourceOptions<typeof postgresDatabaseSpecSchema>) {
-    super(options);
-    this.#serverSecret = new ResourceReference();
-
-    const resourceService = this.services.get(ResourceService);
-    this.#databaseSecret = resourceService.get({
-      apiVersion: 'v1',
-      kind: 'Secret',
-      name: `${this.name}-connection`,
-      namespace: this.namespace,
-    });
-
-    this.#updateSecret();
-    this.#serverSecret.on('changed', this.queueReconcile);
-  }
-
-  get #dbName() {
-    return `${this.namespace}_${this.name}`;
-  }
-
-  get #userName() {
-    return `${this.namespace}_${this.name}`;
-  }
-
-  #updateSecret = () => {
-    const resourceService = this.services.get(ResourceService);
-    const secretNames = getWithNamespace(this.spec.secretRef, this.namespace);
-    this.#serverSecret.current = resourceService.get({
-      apiVersion: 'v1',
-      kind: 'Secret',
-      name: secretNames.name,
-      namespace: secretNames.namespace,
-    });
-  };
-
-  #reconcileSecret = async (): Promise<SubresourceResult> => {
-    const serverSecret = this.#serverSecret.current;
-    const databaseSecret = this.#databaseSecret;
-
-    if (!serverSecret?.exists || !serverSecret.data) {
-      return {
-        ready: false,
-        failed: true,
-        reason: 'MissingConnectionSecret',
-      };
-    }
-    const serverSecretData = postgresDatabaseSecretSchema.safeParse(decodeSecret(serverSecret.data));
-    if (!serverSecretData.success || !serverSecretData.data) {
-      return {
-        ready: false,
-        syncing: true,
-        reason: 'SecretMissing',
-      };
-    }
-    const databaseSecretData = postgresDatabaseConnectionSecretSchema.safeParse(decodeSecret(databaseSecret.data));
-    const expectedSecret = {
-      password: crypto.randomUUID(),
-      host: serverSecretData.data.host,
-      port: serverSecretData.data.port,
-      user: this.#userName,
-      database: this.#dbName,
-      ...databaseSecretData.data,
-    };
-
-    if (!isDeepSubset(databaseSecretData.data, expectedSecret)) {
-      databaseSecret.patch({
-        data: encodeSecret(expectedSecret),
-      });
-      return {
-        ready: false,
-        syncing: true,
-        reason: 'SecretNotReady',
-      };
-    }
-
-    return {
-      ready: true,
-    };
-  };
-
-  #reconcileDatabase = async (): Promise<SubresourceResult> => {
-    const connectionSecret = this.#serverSecret.current;
-    if (!connectionSecret?.exists || !connectionSecret.data) {
-      return {
-        ready: false,
-        failed: true,
-        reason: 'MissingConnectionSecret',
-      };
-    }
-
-    const connectionSecretData = postgresDatabaseSecretSchema.safeParse(decodeSecret(connectionSecret.data));
-    if (!connectionSecretData.success || !connectionSecretData.data) {
-      return {
-        ready: false,
-        syncing: true,
-        reason: 'SecretMissing',
-      };
-    }
-
-    const secretData = postgresDatabaseConnectionSecretSchema.safeParse(decodeSecret(this.#databaseSecret.data));
-    if (!secretData.success || !secretData.data) {
-      return {
-        ready: false,
-        syncing: true,
-        reason: 'ConnectionSecretMissing',
-      };
-    }
-
-    const postgresService = this.services.get(PostgresService);
-    const database = postgresService.get({
-      ...connectionSecretData.data,
-      port: connectionSecretData.data.port ? Number(connectionSecretData.data.port) : 5432,
-      database: connectionSecretData.data.database,
-    });
-    await database.upsertRole({
-      name: secretData.data.user,
-      password: secretData.data.password,
-    });
-    await database.upsertDatabase({
-      name: secretData.data.database,
-      owner: secretData.data.user,
-    });
-
-    return {
-      ready: true,
-    };
-  };
-
-  public reconcile = async () => {
-    if (!this.exists || this.metadata?.deletionTimestamp) {
-      return;
-    }
-    this.#updateSecret();
-    await Promise.allSettled([
-      await this.reconcileSubresource(DATABASE_READY_CONDITION, this.#reconcileDatabase),
-      await this.reconcileSubresource(SECRET_READY_CONDITION, this.#reconcileSecret),
-    ]);
-
-    const secretReady = this.conditions.get(SECRET_READY_CONDITION)?.status === 'True';
-    const databaseReady = this.conditions.get(DATABASE_READY_CONDITION)?.status === 'True';
-    await this.conditions.set('Ready', {
-      status: secretReady && databaseReady ? 'True' : 'False',
-    });
-  };
-}
-
-export { PostgresDatabaseResource, secretDataSchema as postgresDatabaseSecretSchema };
--- a/src/custom-resouces/postgres-database/postgres-database.ts
+++ b/src/custom-resouces/postgres-database/postgres-database.ts
@@ -1,19 +0,0 @@
-import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
-import { GROUP } from '../../utils/consts.ts';
-
-import { postgresDatabaseSpecSchema } from './portgres-database.schemas.ts';
-import { PostgresDatabaseResource } from './postgres-database.resource.ts';
-
-const postgresDatabaseDefinition = createCustomResourceDefinition({
-  group: GROUP,
-  version: 'v1',
-  kind: 'PostgresDatabase',
-  names: {
-    plural: 'postgresdatabases',
-    singular: 'postgresdatabase',
-  },
-  spec: postgresDatabaseSpecSchema,
-  create: (options) => new PostgresDatabaseResource(options),
-});
-
-export { postgresDatabaseDefinition };
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,82 +1,17 @@
-import 'dotenv/config';
-import { ApiException } from '@kubernetes/client-node';
-
+import { ResourceService } from './services/resources/resources.ts';
 import { Services } from './utils/service.ts';
-import { CustomResourceService } from './services/custom-resources/custom-resources.ts';
-import { WatcherService } from './services/watchers/watchers.ts';
-import { customResources } from './custom-resouces/custom-resources.ts';
-import { StorageProvider } from './storage-provider/storage-provider.ts';
+import { BootstrapService } from './bootstrap/bootstrap.ts';

-process.on('uncaughtException', (error) => {
-  console.log('UNCAUGHT EXCEPTION');
-  if (error instanceof ApiException) {
-    return console.error(error.body);
-  }
-  console.error(error);
-  process.exit(1);
-});
-
-process.on('unhandledRejection', (error) => {
-  console.log('UNHANDLED REJECTION');
-  if (error instanceof Error) {
-    console.error(error.stack);
-  }
-  if (error instanceof ApiException) {
-    return console.error(error.body);
-  }
-  console.error(error);
-  process.exit(1);
-});
+import { resources } from '#resources/resources.ts';
+import { homelab } from '#resources/homelab/homelab.ts';

 const services = new Services();
-const watcherService = services.get(WatcherService);
-const storageProvider = services.get(StorageProvider);
-await storageProvider.start();
-await watcherService
-  .create({
-    path: '/apis/apiextensions.k8s.io/v1/customresourcedefinitions',
-    list: async (k8s) => {
-      return await k8s.extensionsApi.listCustomResourceDefinition();
-    },
-    verbs: ['add', 'update', 'delete'],
-    transform: (manifest) => ({
-      apiVersion: 'apiextensions.k8s.io/v1',
-      kind: 'CustomResourceDefinition',
-      ...manifest,
-    }),
-  })
-  .start();
-await watcherService
-  .create({
-    path: '/api/v1/secrets',
-    list: async (k8s) => {
-      return await k8s.api.listSecretForAllNamespaces();
-    },
-    verbs: ['add', 'update', 'delete'],
-    transform: (manifest) => ({
-      apiVersion: 'v1',
-      kind: 'Secret',
-      ...manifest,
-    }),
-  })
-  .start();
-await watcherService
-  .create({
-    path: '/apis/apps/v1/deployments',
-    list: async (k8s) => {
-      return await k8s.apps.listDeploymentForAllNamespaces({});
-    },
-    verbs: ['add', 'update', 'delete'],
-    transform: (manifest) => ({
-      apiVersion: 'apps/v1',
-      kind: 'Deployment',
-      ...manifest,
-    }),
-  })
-  .start();
+const resourceService = services.get(ResourceService);

-const customResourceService = services.get(CustomResourceService);
-customResourceService.register(...customResources);
+await resourceService.install(...Object.values(homelab));
+await resourceService.register(...Object.values(resources));

-await customResourceService.install(true);
-await customResourceService.watch();
+const bootstrapService = services.get(BootstrapService);
+await bootstrapService.ensure();
+
+console.log('Started');
--- a/src/resources/cert-manager/cert-manager.ts
+++ b/src/resources/cert-manager/cert-manager.ts
@@ -0,0 +1,9 @@
+import { Certificate } from './certificate/certificate.ts';
+
+import type { ResourceClass } from '#services/resources/resources.ts';
+
+const certManager = {
+  certificate: Certificate,
+} satisfies Record<string, ResourceClass<ExpectedAny>>;
+
+export { certManager };
--- a/src/resources/cert-manager/certificate/certificate.ts
+++ b/src/resources/cert-manager/certificate/certificate.ts
@@ -0,0 +1,37 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+import type { K8SCertificateV1 } from 'src/__generated__/resources/K8SCertificateV1.ts';
+
+import { CRD } from '#resources/core/crd/crd.ts';
+import { Resource, ResourceService, type ResourceOptions } from '#services/resources/resources.ts';
+import { NotReadyError } from '#utils/errors.ts';
+
+class Certificate extends Resource<KubernetesObject & K8SCertificateV1> {
+  public static readonly apiVersion = 'cert-manager.io/v1';
+  public static readonly kind = 'Certificate';
+
+  #crd: CRD;
+
+  constructor(options: ResourceOptions<KubernetesObject & K8SCertificateV1>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+    this.#crd = resourceService.get(CRD, 'certificates.cert-manager.io');
+    this.#crd.on('changed', this.#handleCrdChanged);
+  }
+
+  #handleCrdChanged = () => {
+    this.emit('changed', this.manifest);
+  };
+
+  public get hasCRD() {
+    return this.#crd.exists;
+  }
+
+  public set = async (manifest: KubernetesObject & K8SCertificateV1) => {
+    if (!this.hasCRD) {
+      throw new NotReadyError('MissingCRD', 'certificates.cert-manager.io does not exist');
+    }
+    return this.ensure(manifest);
+  };
+}
+
+export { Certificate };
--- a/src/resources/core/core.ts
+++ b/src/resources/core/core.ts
@@ -0,0 +1,23 @@
+import { CRD } from './crd/crd.ts';
+import { Deployment } from './deployment/deployment.ts';
+import { Namespace } from './namespace/namespace.ts';
+import { PersistentVolume } from './pv/pv.ts';
+import { PVC } from './pvc/pvc.ts';
+import { Secret } from './secret/secret.ts';
+import { Service } from './service/service.ts';
+import { StatefulSet } from './stateful-set/stateful-set.ts';
+import { StorageClass } from './storage-class/storage-class.ts';
+
+const core = {
+  namespace: Namespace,
+  storageClass: StorageClass,
+  pvc: PVC,
+  pv: PersistentVolume,
+  secret: Secret,
+  crd: CRD,
+  service: Service,
+  deployment: Deployment,
+  statefulSet: StatefulSet,
+};
+
+export { core };
--- a/src/resources/core/crd/crd.ts
+++ b/src/resources/core/crd/crd.ts
@@ -0,0 +1,10 @@
+import type { V1CustomResourceDefinition } from '@kubernetes/client-node';
+
+import { Resource } from '#services/resources/resources.ts';
+
+class CRD extends Resource<V1CustomResourceDefinition> {
+  public static readonly apiVersion = 'apiextensions.k8s.io/v1';
+  public static readonly kind = 'CustomResourceDefinition';
+}
+
+export { CRD };
--- a/src/resources/core/deployment/deployment.ts
+++ b/src/resources/core/deployment/deployment.ts
@@ -0,0 +1,10 @@
+import type { V1Deployment } from '@kubernetes/client-node';
+
+import { Resource } from '#services/resources/resources.ts';
+
+class Deployment extends Resource<V1Deployment> {
+  public static readonly apiVersion = 'apps/v1';
+  public static readonly kind = 'Deployment';
+}
+
+export { Deployment };
--- a/src/resources/core/namespace/namespace.ts
+++ b/src/resources/core/namespace/namespace.ts
@@ -0,0 +1,10 @@
+import type { V1Namespace } from '@kubernetes/client-node';
+
+import { Resource } from '#services/resources/resources.ts';
+
+class Namespace extends Resource<V1Namespace> {
+  public static readonly apiVersion = 'v1';
+  public static readonly kind = 'Namespace';
+}
+
+export { Namespace };
--- a/src/resources/core/pv/pv.ts
+++ b/src/resources/core/pv/pv.ts
@@ -0,0 +1,10 @@
+import type { V1PersistentVolume } from '@kubernetes/client-node';
+
+import { Resource } from '#services/resources/resources.ts';
+
+class PersistentVolume extends Resource<V1PersistentVolume> {
+  public static readonly apiVersion = 'v1';
+  public static readonly kind = 'PersistentVolume';
+}
+
+export { PersistentVolume };
--- a/src/resources/core/pvc/pvc.ts
+++ b/src/resources/core/pvc/pvc.ts
@@ -0,0 +1,80 @@
+import type { V1PersistentVolumeClaim } from '@kubernetes/client-node';
+
+import { StorageClass } from '../storage-class/storage-class.ts';
+import { PersistentVolume } from '../pv/pv.ts';
+
+import { Resource, ResourceService, type ResourceOptions } from '#services/resources/resources.ts';
+
+const PROVISIONER = 'homelab-operator';
+
+class PVC extends Resource<V1PersistentVolumeClaim> {
+  public static readonly apiVersion = 'v1';
+  public static readonly kind = 'PersistentVolumeClaim';
+
+  constructor(options: ResourceOptions<V1PersistentVolumeClaim>) {
+    super(options);
+    this.on('changed', this.reconcile);
+  }
+
+  public reconcile = async () => {
+    const storageClassName = this.spec?.storageClassName;
+    console.log('PVC', this.name, storageClassName);
+    if (!storageClassName) {
+      return;
+    }
+    const resourceService = this.services.get(ResourceService);
+    const storageClass = resourceService.get(StorageClass, storageClassName);
+
+    if (!storageClass.exists || storageClass.manifest?.provisioner !== PROVISIONER) {
+      return;
+    }
+    if (this.status?.phase === 'Pending' && !this.spec?.volumeName) {
+      await this.#provisionVolume(storageClass);
+    }
+  };
+
+  #provisionVolume = async (storageClass: StorageClass) => {
+    const pvName = `pv-${this.namespace}-${this.name}`;
+    const storageLocation = storageClass.manifest?.parameters?.storageLocation || '/data/volumes';
+    const target = `${storageLocation}/${this.namespace}/${this.name}`;
+
+    const resourceService = this.services.get(ResourceService);
+    const pv = resourceService.get(PersistentVolume, pvName);
+
+    await pv.ensure({
+      metadata: {
+        name: pvName,
+        labels: {
+          provisioner: PROVISIONER,
+          'pvc-namespace': this.namespace || 'default',
+          'pvc-name': this.name || 'unknown',
+        },
+        annotations: {
+          'pv.kubernetes.io/provisioned-by': PROVISIONER,
+        },
+      },
+      spec: {
+        hostPath: {
+          path: target,
+          type: 'DirectoryOrCreate',
+        },
+        capacity: {
+          storage: this.spec?.resources?.requests?.storage ?? '1Gi',
+        },
+        persistentVolumeReclaimPolicy: 'Retain',
+        accessModes: this.spec?.accessModes ?? ['ReadWriteOnce'],
+        storageClassName: this.spec?.storageClassName,
+        claimRef: {
+          uid: this.metadata?.uid,
+          resourceVersion: this.metadata?.resourceVersion,
+          apiVersion: this.apiVersion,
+          kind: 'PersistentVolumeClaim',
+          name: this.name,
+          namespace: this.namespace,
+        },
+      },
+    });
+  };
+}
+
+export { PVC, PROVISIONER };
--- a/src/resources/core/secret/secret.ts
+++ b/src/resources/core/secret/secret.ts
@@ -0,0 +1,25 @@
+import type { KubernetesObject, V1Secret } from '@kubernetes/client-node';
+
+import { Resource } from '#services/resources/resources.ts';
+import { decodeSecret, encodeSecret } from '#utils/secrets.ts';
+
+type SetOptions<T extends Record<string, string | undefined>> = T | ((current: T | undefined) => T | Promise<T>);
+
+class Secret<T extends Record<string, string> = Record<string, string>> extends Resource<V1Secret> {
+  public static readonly apiVersion = 'v1';
+  public static readonly kind = 'Secret';
+
+  public get value() {
+    return decodeSecret(this.data) as T | undefined;
+  }
+
+  public set = async (options: SetOptions<T>, data?: KubernetesObject) => {
+    const value = typeof options === 'function' ? await Promise.resolve(options(this.value)) : options;
+    await this.ensure({
+      ...data,
+      data: encodeSecret(value),
+    });
+  };
+}
+
+export { Secret };
--- a/src/resources/core/service/service.ts
+++ b/src/resources/core/service/service.ts
@@ -0,0 +1,14 @@
+import type { V1Service } from '@kubernetes/client-node';
+
+import { Resource } from '#services/resources/resources.ts';
+
+class Service extends Resource<V1Service> {
+  public static readonly apiVersion = 'v1';
+  public static readonly kind = 'Service';
+
+  public get hostname() {
+    return `${this.name}.${this.namespace}.svc.cluster.local`;
+  }
+}
+
+export { Service };
--- a/src/resources/core/stateful-set/stateful-set.ts
+++ b/src/resources/core/stateful-set/stateful-set.ts
@@ -0,0 +1,10 @@
+import type { V1StatefulSet } from '@kubernetes/client-node';
+
+import { Resource } from '#services/resources/resources.ts';
+
+class StatefulSet extends Resource<V1StatefulSet> {
+  public static readonly apiVersion = 'apps/v1';
+  public static readonly kind = 'StatefulSet';
+}
+
+export { StatefulSet };
--- a/src/resources/core/storage-class/storage-class.ts
+++ b/src/resources/core/storage-class/storage-class.ts
@@ -0,0 +1,11 @@
+import type { V1StorageClass } from '@kubernetes/client-node';
+
+import { Resource } from '#services/resources/resources.ts';
+
+class StorageClass extends Resource<V1StorageClass> {
+  public static readonly apiVersion = 'storage.k8s.io/v1';
+  public static readonly kind = 'StorageClass';
+  public static readonly plural = 'storageclasses';
+}
+
+export { StorageClass };
--- a/src/resources/flux/flux.ts
+++ b/src/resources/flux/flux.ts
@@ -0,0 +1,11 @@
+import { HelmRelease } from './helm-release/helm-release.ts';
+import { HelmRepo } from './helm-repo/helm-repo.ts';
+
+import type { ResourceClass } from '#services/resources/resources.ts';
+
+const flux = {
+  helmRelease: HelmRelease,
+  helmRepo: HelmRepo,
+} satisfies Record<string, ResourceClass<ExpectedAny>>;
+
+export { flux };
--- a/src/resources/flux/helm-release/helm-release.ts
+++ b/src/resources/flux/helm-release/helm-release.ts
@@ -0,0 +1,42 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+import type { K8SHelmReleaseV2 } from 'src/__generated__/resources/K8SHelmReleaseV2.ts';
+
+import { Resource } from '#services/resources/resources.ts';
+
+type SetOptions = {
+  namespace?: string;
+  values?: Record<string, unknown>;
+  chart: {
+    name: string;
+    namespace?: string;
+  };
+};
+
+class HelmRelease extends Resource<KubernetesObject & K8SHelmReleaseV2> {
+  public static readonly apiVersion = 'helm.toolkit.fluxcd.io/v2';
+  public static readonly kind = 'HelmRelease';
+
+  public set = async (options: SetOptions) => {
+    return await this.ensure({
+      spec: {
+        targetNamespace: options.namespace,
+        interval: '1h',
+        values: options.values,
+        chart: {
+          spec: {
+            chart: 'cert-manager',
+            version: 'v1.18.2',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: options.chart.name,
+              namespace: options.chart.namespace,
+            },
+          },
+        },
+      },
+    });
+  };
+}
+
+export { HelmRelease };
--- a/src/resources/flux/helm-repo/helm-repo.ts
+++ b/src/resources/flux/helm-repo/helm-repo.ts
@@ -0,0 +1,24 @@
+import type { KubernetesObject } from '@kubernetes/client-node';
+import type { K8SHelmRepositoryV1 } from 'src/__generated__/resources/K8SHelmRepositoryV1.ts';
+
+import { Resource } from '#services/resources/resources.ts';
+
+type SetOptions = {
+  url: string;
+};
+class HelmRepo extends Resource<KubernetesObject & K8SHelmRepositoryV1> {
+  public static readonly apiVersion = 'source.toolkit.fluxcd.io/v1';
+  public static readonly kind = 'HelmRepository';
+  public static readonly plural = 'helmrepositories';
+
+  public set = async ({ url }: SetOptions) => {
+    await this.ensure({
+      spec: {
+        interval: '1h',
+        url,
+      },
+    });
+  };
+}
+
+export { HelmRepo };
--- a/src/resources/homelab/authentik-server/authentik-server.ts
+++ b/src/resources/homelab/authentik-server/authentik-server.ts
@@ -0,0 +1,274 @@
+import { z } from 'zod';
+
+import { PostgresDatabase } from '../postgres-database/postgres-database.ts';
+import { Environment } from '../environment/environment.ts';
+
+import {
+  CustomResource,
+  ResourceReference,
+  ResourceService,
+  type CustomResourceOptions,
+} from '#services/resources/resources.ts';
+import { API_VERSION } from '#utils/consts.ts';
+import { Secret } from '#resources/core/secret/secret.ts';
+import { generateRandomHexPass } from '#utils/secrets.ts';
+import { Service } from '#resources/core/service/service.ts';
+import { HelmRelease } from '#resources/flux/helm-release/helm-release.ts';
+import { RepoService } from '#bootstrap/repos/repos.ts';
+import { DestinationRule } from '#resources/istio/destination-rule/destination-rule.ts';
+import { NotReadyError } from '#utils/errors.ts';
+import { ExternalHttpService } from '../external-http-service.ts/external-http-service.ts';
+
+const specSchema = z.object({
+  environment: z.string(),
+  subdomain: z.string().optional(),
+});
+
+type SecretData = { url: string; host: string; token: string };
+type InitSecretData = {
+  AUTHENTIK_BOOTSTRAP_TOKEN: string;
+  AUTHENTIK_BOOTSTRAP_PASSWORD: string;
+  AUTHENTIK_BOOTSTRAP_EMAIL: string;
+  AUTHENTIK_SECRET_KEY: string;
+};
+
+class AuthentikServer extends CustomResource<typeof specSchema> {
+  public static readonly apiVersion = API_VERSION;
+  public static readonly kind = 'AuthentikServer';
+  public static readonly spec = specSchema;
+  public static readonly scope = 'Namespaced';
+
+  #environment: ResourceReference<typeof Environment>;
+  #database: PostgresDatabase;
+  #secret: Secret<SecretData>;
+  #initSecret: Secret<InitSecretData>;
+  #service: Service;
+  #helmRelease: HelmRelease;
+  #externalHttpService: ExternalHttpService;
+  #destinationRule: DestinationRule;
+
+  constructor(options: CustomResourceOptions<typeof specSchema>) {
+    super(options);
+
+    const resourceService = this.services.get(ResourceService);
+    this.#environment = new ResourceReference();
+    this.#environment.on('changed', this.queueReconcile);
+
+    this.#database = resourceService.get(PostgresDatabase, this.name, this.namespace);
+    this.#database.on('changed', this.queueReconcile);
+
+    this.#secret = resourceService.get(Secret<SecretData>, this.name, this.namespace);
+    this.#secret.on('changed', this.queueReconcile);
+
+    this.#initSecret = resourceService.get(Secret<InitSecretData>, `${this.name}-init`, this.namespace);
+
+    this.#service = resourceService.get(Service, `${this.name}-server`, this.namespace);
+    // this.#service.on('changed', this.queueReconcile);
+
+    this.#helmRelease = resourceService.get(HelmRelease, this.name, this.namespace);
+    this.#helmRelease.on('changed', this.queueReconcile);
+
+    this.#destinationRule = resourceService.get(DestinationRule, this.name, this.namespace);
+    this.#destinationRule.on('changed', this.queueReconcile);
+
+    this.#externalHttpService = resourceService.get(ExternalHttpService, this.name, this.namespace);
+  }
+
+  public get service() {
+    return this.#service;
+  }
+
+  public get secret() {
+    return this.#secret;
+  }
+
+  public get subdomain() {
+    return this.spec?.subdomain || 'authentik';
+  }
+
+  public get domain() {
+    return `${this.subdomain}.${this.#environment.current?.spec?.domain}`;
+  }
+
+  public get url() {
+    return `https://${this.domain}`;
+  }
+
+  public reconcile = async () => {
+    if (!this.spec) {
+      throw new NotReadyError('MissingSpec');
+    }
+    const resourceService = this.services.get(ResourceService);
+
+    this.#environment.current = resourceService.get(Environment, this.spec.environment);
+    if (!this.#environment.current.spec) {
+      throw new NotReadyError('MissingEnvSpev');
+    }
+
+    await this.#database.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        environment: this.#environment.current.name,
+      },
+    });
+
+    const databaseSecret = this.#database.secret.value;
+    if (!databaseSecret) {
+      throw new NotReadyError('MissingDatabaseSecret');
+    }
+
+    await this.#initSecret.set(
+      (current) => ({
+        AUTHENTIK_BOOTSTRAP_EMAIL: 'admin@example.com',
+        AUTHENTIK_BOOTSTRAP_PASSWORD: generateRandomHexPass(24),
+        AUTHENTIK_BOOTSTRAP_TOKEN: generateRandomHexPass(32),
+        AUTHENTIK_SECRET_KEY: generateRandomHexPass(32),
+        ...current,
+      }),
+      {
+        metadata: {
+          ownerReferences: [this.ref],
+        },
+      },
+    );
+
+    const initSecret = this.#initSecret.value;
+    if (!initSecret) {
+      throw new NotReadyError('MissingInitSecret');
+    }
+
+    const domain = `${this.spec?.subdomain || 'authentik'}.${this.#environment.current.spec.domain}`;
+    await this.#secret.set(
+      {
+        url: `https://${domain}`,
+        host: this.#service.hostname,
+        token: initSecret.AUTHENTIK_BOOTSTRAP_TOKEN,
+      },
+      {
+        metadata: {
+          ownerReferences: [this.ref],
+        },
+      },
+    );
+    const secret = this.#secret.value;
+    if (!secret) {
+      throw new NotReadyError('MissingSecret');
+    }
+
+    const repoService = this.services.get(RepoService);
+
+    await this.#helmRelease.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        interval: '60m',
+        chart: {
+          spec: {
+            chart: 'authentik',
+            version: '2025.6.4',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.authentik.name,
+              namespace: repoService.authentik.namespace,
+            },
+          },
+        },
+        values: {
+          global: {
+            envFrom: [
+              {
+                secretRef: {
+                  name: this.#initSecret.name,
+                },
+              },
+            ],
+          },
+          authentik: {
+            error_reporting: {
+              enabled: false,
+            },
+            postgresql: {
+              host: databaseSecret.host,
+              name: databaseSecret.database,
+              user: databaseSecret.user,
+              password: 'file:///postgres-creds/password',
+            },
+            redis: {
+              host: this.#environment.current.redisServer.service.hostname,
+            },
+          },
+          server: {
+            volumes: [
+              {
+                name: 'postgres-creds',
+                secret: {
+                  secretName: this.#database.secret.name,
+                },
+              },
+            ],
+            volumeMounts: [
+              {
+                name: 'postgres-creds',
+                mountPath: '/postgres-creds',
+                readOnly: true,
+              },
+            ],
+          },
+          worker: {
+            volumes: [
+              {
+                name: 'postgres-creds',
+                secret: {
+                  secretName: this.#database.secret.name,
+                },
+              },
+            ],
+            volumeMounts: [
+              {
+                name: 'postgres-creds',
+                mountPath: '/postgres-creds',
+                readOnly: true,
+              },
+            ],
+          },
+        },
+      },
+    });
+
+    await this.#destinationRule.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        host: this.#service.hostname,
+        trafficPolicy: {
+          tls: {
+            mode: 'DISABLE',
+          },
+        },
+      },
+    });
+
+    await this.#externalHttpService.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        environment: this.spec.environment,
+        subdomain: this.spec.subdomain || 'authentik',
+        destination: {
+          host: this.#service.hostname,
+          port: {
+            number: 80,
+          },
+        },
+      },
+    });
+  };
+}
+
+export { AuthentikServer };
--- a/src/resources/homelab/cloudflare-tunnel/cloudflare-tunnel.ts
+++ b/src/resources/homelab/cloudflare-tunnel/cloudflare-tunnel.ts
@@ -0,0 +1,111 @@
+import {
+  CustomResource,
+  Resource,
+  ResourceService,
+  type CustomResourceOptions,
+} from '#services/resources/resources.ts';
+import z from 'zod';
+import { ExternalHttpService } from '../external-http-service.ts/external-http-service.ts';
+import { API_VERSION } from '#utils/consts.ts';
+import { HelmRelease } from '#resources/flux/helm-release/helm-release.ts';
+import { RepoService } from '#bootstrap/repos/repos.ts';
+import { Secret } from '#resources/core/secret/secret.ts';
+import { NotReadyError } from '#utils/errors.ts';
+import { NamespaceService } from '#bootstrap/namespaces/namespaces.ts';
+import { CloudflareService } from '#services/cloudflare/cloudflare.ts';
+
+const specSchema = z.object({});
+
+type SecretData = {
+  account: string;
+  tunnelName: string;
+  tunnelId: string;
+  secret: string;
+};
+class CloudflareTunnel extends CustomResource<typeof specSchema> {
+  public static readonly apiVersion = API_VERSION;
+  public static readonly kind = 'CloudflareTunnel';
+  public static readonly spec = specSchema;
+  public static readonly scope = 'Cluster';
+
+  #helmRelease: HelmRelease;
+  #secret: Secret<SecretData>;
+  #cloudflareService;
+
+  constructor(options: CustomResourceOptions<typeof specSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+    const namespaceService = this.services.get(NamespaceService);
+    const namespace = namespaceService.homelab.name;
+    resourceService.on('changed', this.#handleResourceChanged);
+
+    this.#helmRelease = resourceService.get(HelmRelease, this.name, namespace);
+    this.#secret = resourceService.get(Secret<SecretData>, 'cloudflare', namespace);
+    this.#secret.on('changed', this.queueReconcile);
+
+    this.#cloudflareService = this.services.get(CloudflareService);
+    this.#cloudflareService.on('changed', this.queueReconcile);
+  }
+
+  #handleResourceChanged = (resource: Resource<ExpectedAny>) => {
+    if (resource instanceof CloudflareTunnel) {
+      this.queueReconcile();
+    }
+  };
+
+  public reconcile = async () => {
+    const secret = this.#secret.value;
+    if (!secret) {
+      throw new NotReadyError('MissingSecret', `Secret ${this.#secret.namespace}/${this.#secret.name} does not exist`);
+    }
+    const resourceService = this.services.get(ResourceService);
+    const repoService = this.services.get(RepoService);
+    const routes = resourceService.getAllOfKind(ExternalHttpService);
+    const ingress = routes.map(({ rule }) => ({
+      hostname: rule?.hostname,
+      service: `http://${rule?.destination.host}:${rule?.destination.port.number}`,
+    }));
+    if (this.#cloudflareService.ready) {
+      for (const route of ingress) {
+        if (!route.hostname) {
+          continue;
+        }
+        try {
+          await this.#cloudflareService.ensureTunnel(route.hostname);
+        } catch (err) {
+          console.error(err);
+        }
+      }
+    }
+    await this.#helmRelease.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        interval: '1h',
+        values: {
+          cloudflare: {
+            account: secret.account,
+            tunnelName: secret.tunnelName,
+            tunnelId: secret.tunnelId,
+            secret: secret.secret,
+            ingress,
+          },
+        },
+        chart: {
+          spec: {
+            chart: 'cloudflare-tunnel',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.cloudflare.name,
+              namespace: repoService.cloudflare.namespace,
+            },
+          },
+        },
+      },
+    });
+  };
+}
+
+export { CloudflareTunnel };
--- a/src/resources/homelab/environment/environment.ts
+++ b/src/resources/homelab/environment/environment.ts
@@ -0,0 +1,229 @@
+import { z } from 'zod';
+
+import { PostgresCluster } from '../postgres-cluster/postgres-cluster.ts';
+import { RedisServer } from '../redis-server/redis-server.ts';
+import { AuthentikServer } from '../authentik-server/authentik-server.ts';
+
+import { CustomResource, ResourceService, type CustomResourceOptions } from '#services/resources/resources.ts';
+import { API_VERSION } from '#utils/consts.ts';
+import { Namespace } from '#resources/core/namespace/namespace.ts';
+import { Certificate } from '#resources/cert-manager/certificate/certificate.ts';
+import { StorageClass } from '#resources/core/storage-class/storage-class.ts';
+import { PROVISIONER } from '#resources/core/pvc/pvc.ts';
+import { Gateway } from '#resources/istio/gateway/gateway.ts';
+import { NotReadyError } from '#utils/errors.ts';
+import { NamespaceService } from '#bootstrap/namespaces/namespaces.ts';
+import { CloudflareService } from '#services/cloudflare/cloudflare.ts';
+import { HelmRelease } from '#resources/flux/helm-release/helm-release.ts';
+import { RepoService } from '#bootstrap/repos/repos.ts';
+
+const specSchema = z.object({
+  domain: z.string(),
+  networkIp: z.string().optional(),
+  tls: z.object({
+    issuer: z.string(),
+  }),
+});
+
+class Environment extends CustomResource<typeof specSchema> {
+  public static readonly apiVersion = API_VERSION;
+  public static readonly kind = 'Environment';
+  public static readonly spec = specSchema;
+  public static readonly scope = 'Cluster';
+
+  #namespace: Namespace;
+  #certificate: Certificate;
+  #storageClass: StorageClass;
+  #gateway: Gateway;
+  #postgresCluster: PostgresCluster;
+  #redisServer: RedisServer;
+  #authentikServer: AuthentikServer;
+  #cloudflareService: CloudflareService;
+  #argoRelease: HelmRelease;
+  #argoNamespace: Namespace;
+
+  constructor(options: CustomResourceOptions<typeof specSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+    const namespaceService = this.services.get(NamespaceService);
+    const homelabNamespace = namespaceService.homelab.name;
+
+    this.#cloudflareService = this.services.get(CloudflareService);
+    this.#cloudflareService.on('changed', this.queueReconcile);
+
+    this.#namespace = resourceService.get(Namespace, this.name);
+    this.#namespace.on('changed', this.queueReconcile);
+
+    this.#certificate = resourceService.get(Certificate, this.name, homelabNamespace);
+    this.#certificate.on('changed', this.queueReconcile);
+
+    this.#storageClass = resourceService.get(StorageClass, this.name);
+    this.#storageClass.on('changed', this.queueReconcile);
+
+    this.#postgresCluster = resourceService.get(PostgresCluster, `${this.name}-postgres-cluster`, homelabNamespace);
+    this.#postgresCluster.on('changed', this.queueReconcile);
+
+    this.#redisServer = resourceService.get(RedisServer, `${this.name}-redis-server`, homelabNamespace);
+    this.#redisServer.on('changed', this.queueReconcile);
+
+    this.#gateway = resourceService.get(Gateway, this.name, homelabNamespace);
+    this.#gateway.on('changed', this.queueReconcile);
+
+    this.#authentikServer = resourceService.get(AuthentikServer, `${this.name}-authentik`, homelabNamespace);
+    this.#authentikServer.on('changed', this.queueReconcile);
+
+    this.#argoNamespace = resourceService.get(Namespace, `${this.name}-argo`);
+
+    this.#argoRelease = resourceService.get(HelmRelease, `${this.name}-argo`, homelabNamespace);
+    this.#argoRelease.on('changed', this.queueReconcile);
+  }
+
+  public get certificate() {
+    return this.#certificate;
+  }
+
+  public get storageClass() {
+    return this.#storageClass;
+  }
+
+  public get postgresCluster() {
+    return this.#postgresCluster;
+  }
+
+  public get redisServer() {
+    return this.#redisServer;
+  }
+
+  public get gateway() {
+    return this.#gateway;
+  }
+
+  public get authentikServer() {
+    return this.#authentikServer;
+  }
+
+  public reconcile = async () => {
+    const { data: spec, success } = specSchema.safeParse(this.spec);
+    if (!success || !spec) {
+      throw new NotReadyError('InvalidSpec');
+    }
+
+    await this.#namespace.ensure({
+      metadata: {
+        labels: {
+          'istio-injection': 'enabled',
+        },
+      },
+    });
+    await this.#certificate.ensure({
+      spec: {
+        secretName: `${this.name}-tls`,
+        issuerRef: {
+          name: spec.tls.issuer,
+          kind: 'ClusterIssuer',
+        },
+        dnsNames: [`*.${spec.domain}`],
+        privateKey: {
+          rotationPolicy: 'Always',
+        },
+      },
+    });
+    await this.#storageClass.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      provisioner: PROVISIONER,
+      reclaimPolicy: 'Retain',
+    });
+
+    await this.#postgresCluster.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        storageClass: this.name,
+      },
+    });
+
+    await this.#redisServer.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {},
+    });
+
+    await this.#authentikServer.ensure({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        environment: this.name,
+      },
+    });
+
+    await this.#gateway.set({
+      metadata: {
+        ownerReferences: [this.ref],
+      },
+      spec: {
+        selector: {
+          istio: 'homelab-istio-gateway',
+        },
+        servers: [
+          {
+            hosts: [`*.${spec.domain}`],
+            port: {
+              name: 'http',
+              number: 80,
+              protocol: 'HTTP',
+            },
+            tls: {
+              httpsRedirect: true,
+            },
+          },
+          {
+            hosts: [`*.${spec.domain}`],
+            port: {
+              name: 'https',
+              number: 443,
+              protocol: 'HTTPS',
+            },
+            tls: {
+              mode: 'SIMPLE',
+              credentialName: `${this.name}-tls`,
+            },
+          },
+        ],
+      },
+    });
+
+    await this.#argoNamespace.ensure({});
+
+    const repoService = this.services.get(RepoService);
+    await this.#argoRelease.ensure({
+      spec: {
+        targetNamespace: this.#argoNamespace.name,
+        interval: '1h',
+        values: {
+          applicationset: {
+            enabled: true,
+          },
+        },
+        chart: {
+          spec: {
+            chart: 'argo-cd',
+            version: '3.9.0',
+            sourceRef: {
+              apiVersion: 'source.toolkit.fluxcd.io/v1',
+              kind: 'HelmRepository',
+              name: repoService.argo.name,
+              namespace: repoService.argo.namespace,
+            },
+          },
+        },
+      },
+    });
+  };
+}
+
+export { Environment };
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Morten Olsen	00d90bfa21	more-stuff	2025-09-03 17:24:27 +02:00
Morten Olsen	03e406322f	more stuff	2025-09-03 15:16:50 +02:00
Morten Olsen	5ee7a76443	more stuff	2025-09-03 14:33:48 +02:00
mortenolsenzn	683de402ff	Merge pull request #1 from morten-olsen/rewrite2 Rewrite2	2025-09-03 12:24:40 +02:00
Morten Olsen	e8e939ad19	fixes	2025-08-22 11:44:53 +02:00
Morten Olsen	1b5b5145b0	stuff	2025-08-22 07:35:50 +02:00
Morten Olsen	cfd2d76873	more	2025-08-20 22:45:30 +02:00
Morten Olsen	9e5081ed9b	updates	2025-08-20 14:58:34 +02:00
Morten Olsen	3ab2b1969a	stuff	2025-08-19 22:05:41 +02:00
Morten Olsen	a27b563113	rewrite2	2025-08-18 08:02:48 +02:00
Morten Olsen	295472a028	update	2025-08-15 22:01:18 +02:00
Morten Olsen	91298b3cf7	update	2025-08-15 21:20:23 +02:00
Morten Olsen	638c288a5c	update	2025-08-15 20:52:17 +02:00
Morten Olsen	2be6bdca84	update	2025-08-15 20:45:28 +02:00
Morten Olsen	f362f4afc4	fix: missing permissions	2025-08-13 09:01:30 +02:00
Morten Olsen	9fadbf75fb	publish operator yaml	2025-08-13 08:50:17 +02:00
Morten Olsen	2add15d283	fix: authentik port	2025-08-12 23:25:03 +02:00
Morten Olsen	5426495be5	updates	2025-08-12 23:22:47 +02:00
Morten Olsen	b8bb16ccbb	updates	2025-08-12 22:32:09 +02:00
Morten Olsen	d4b56007f1	add authentik connection crd	2025-08-12 08:36:29 +02:00
Morten Olsen	130bfec468	fix reconciliation of db	2025-08-11 20:00:01 +02:00
				`@@ -1 +0,0 @@`
				`- Fix issue with incompatible spec breaking the server`
				`@@ -0,0 +1 @@`
				`https://www.authelia.com/integration/openid-connect/clients/jellyfin/`