Added storage provisioner

.github/workflows/main.yml

@@ -71,23 +71,9 @@ jobs:
     environment: release
     runs-on: ubuntu-latest
     steps:
-      - id: create-release
-        uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@v6
         with:
           config-name: release-drafter-config.yml
           publish: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: actions/checkout@v4
-
-      - name: Upload Release Asset
-        id: upload-release-asset 
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create-release.outputs.upload_url }}
-          asset_path: ./operator.yaml
-          asset_name: operator.yaml
-          asset_content_type: application/yaml

.gitignore

@@ -34,5 +34,3 @@ report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
 .DS_Store
 
 /data/
-
-/cloudflare.yaml

.python-version

@@ -1 +0,0 @@
-3.13

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:23-slim
+FROM node:23-alpine
 RUN corepack enable
 COPY package.json pnpm-lock.yaml ./
 RUN pnpm install --frozen-lockfile --prod

Makefile

@@ -1,14 +1,15 @@
-.PHONY: dev-recreate dev-destroy server-install
+.PHONY: setup dev-recreate dev-create dev-destroy
+
+setup:
+	./scripts/setup-server.sh
 
 dev-destroy:
 	colima delete -f
 
-dev-recreate: dev-destroy
-	colima start --network-address --kubernetes -m 8 --k3s-arg="--disable helm-controller,local-storage,traefik --docker" # --mount ${PWD}/data:/data:w 
-	flux install --components="source-controller,helm-controller"
+dev-create:
+	colima start --network-address --kubernetes -m 8 --mount ${PWD}/data:/data:w --k3s-arg="--disable=helm-controller,local-storage"
 
-setup-flux:
-	flux install --components="source-controller,helm-controller"
+dev-recreate: dev-destroy dev-create setup
 
 server-install:
 	curl -sfL https://get.k3s.io | sh -s - --disable traefik,local-storage,helm-controller

README.md

@@ -0,0 +1,6 @@
+## Bootstrap repo
+
+```
+brew install fluxcd/tap/flux
+make setup-server
+```

TODO.md

@@ -0,0 +1 @@
+- Fix issue with incompatible spec breaking the server

cert-issuer.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: alice@alice.com
+    privateKeySecretRef:
+      name: letsencrypt-prod-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            email: alice@alice.com
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token

chart/templates/clusterrole.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "homelab-operator.fullname" . }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "get", "watch", "list"]
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["get", "watch", "list", "patch"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["get", "create", "replace"]

chart/values.yaml

@@ -4,7 +4,7 @@
 
 image:
   repository: ghcr.io/morten-olsen/homelab-operator
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: main
 
@@ -14,9 +14,6 @@ fullnameOverride: ''
 
 storage:
   path: /data/volumes
-  reclaimPolicy: Retain
-  allowVolumeExpansion: false
-  volumeBindingMode: WaitForFirstConsumer
 
 serviceAccount:
   # Specifies whether a service account should be created

charts/apps/bytestash/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-version: 1.0.0
-name: ByteStash

charts/apps/bytestash/templates/_http-service.yaml

@@ -1,11 +0,0 @@
-apiVersion: homelab.mortenolsen.pro/v1
-kind: HttpService
-metadata:
-  name: '{{ .Release.Name }}'
-spec:
-  environment: '{{ .Values.environment }}'
-  subdomain: '{{ .Values.subdomain }}'
-  destination:
-    host: '{{ .Release.Name }}'
-    port:
-      number: 80

charts/apps/bytestash/templates/client.yaml

@@ -1,10 +0,0 @@
-apiVersion: homelab.mortenolsen.pro/v1
-kind: OidcClient
-metadata:
-  name: '{{ .Release.Name }}'
-spec:
-  environment: '{{ .Values.environment }}'
-  redirectUris:
-    - path: /api/auth/oidc/callback
-      subdomain: bytestash
-      matchingMode: strict

charts/apps/bytestash/templates/external-http-service.yaml

@@ -1,11 +0,0 @@
-apiVersion: homelab.mortenolsen.pro/v1
-kind: ExternalHttpService
-metadata:
-  name: '{{ .Release.Name }}'
-spec:
-  environment: '{{ .Values.environment }}'
-  subdomain: '{{ .Values.subdomain }}'
-  destination:
-    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
-    port:
-      number: 80

charts/apps/bytestash/templates/headless-service.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: '{{ .Release.Name }}-headless'
-  labels:
-    app: '{{ .Release.Name }}'
-spec:
-  clusterIP: None
-  ports:
-    - port: 5000
-      name: http
-  selector:
-    app: '{{ .Release.Name }}'

charts/apps/bytestash/templates/service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: '{{ .Release.Name }}'
-  labels:
-    app: '{{ .Release.Name }}'
-spec:
-  type: ClusterIP
-  ports:
-    - port: 80
-      targetPort: 5000
-      protocol: TCP
-      name: http
-  selector:
-    app: '{{ .Release.Name }}'

charts/apps/bytestash/templates/stateful-set.yaml

@@ -1,63 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: '{{ .Release.Name }}'
-  labels:
-    app: '{{ .Release.Name }}'
-spec:
-  serviceName: '{{ .Release.Name }}-headless'
-  replicas: 1
-  selector:
-    matchLabels:
-      app: '{{ .Release.Name }}'
-  template:
-    metadata:
-      labels:
-        app: '{{ .Release.Name }}'
-    spec:
-      containers:
-        - name: '{{ .Release.Name }}'
-          image: ghcr.io/jordan-dalby/bytestash:latest
-          ports:
-            - containerPort: 5000
-              name: http
-          env:
-            - name: OIDC_ENABLED
-              value: 'true'
-            - name: OIDC_DISPLAY_NAME
-              value: OIDC
-            - name: OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: '{{ .Release.Name }}-client'
-                  key: clientId
-            - name: OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: '{{ .Release.Name }}-client'
-                  key: clientSecret
-            - name: OIDC_ISSUER_URL
-              valueFrom:
-                secretKeyRef:
-                  name: '{{ .Release.Name }}-client'
-                  key: configuration
-
-          volumeMounts:
-            - mountPath: /data/snippets
-              name: bytestash-data
-
-      # Defines security context for the pod to avoid running as root.
-      # securityContext:
-      #   runAsUser: 1000
-      #   runAsGroup: 1000
-      #   fsGroup: 1000
-
-  volumeClaimTemplates:
-    - metadata:
-        name: bytestash-data
-      spec:
-        accessModes: ['ReadWriteOnce']
-        storageClassName: '{{ .Values.environment }}'
-        resources:
-          requests:
-            storage: 5Gi

charts/apps/bytestash/values.yaml

@@ -1,2 +0,0 @@
-environment: prod
-subdomain: bytestash

charts/apps/jellyfin/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-version: 1.0.0
-name: Jellyfin

charts/apps/jellyfin/notes.md

@@ -1 +0,0 @@
-https://www.authelia.com/integration/openid-connect/clients/jellyfin/

charts/apps/jellyfin/templates/client.yaml

@@ -1,10 +0,0 @@
-apiVersion: homelab.mortenolsen.pro/v1
-kind: OidcClient
-metadata:
-  name: '{{ .Release.Name }}'
-spec:
-  environment: '{{ .Values.environment }}'
-  redirectUris:
-    - path: /sso/OID/redirect/Authentik
-      subdomain: '{{ .Values.subdomain }}'
-      matchingMode: strict

charts/apps/jellyfin/templates/config-pvc.yaml

@@ -1,11 +0,0 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: '{{ .Release.Name }}-config'
-spec:
-  accessModes:
-    - 'ReadWriteOnce'
-  resources:
-    requests:
-      storage: '1Gi'
-  storageClassName: '{{ .Values.environment }}'

charts/apps/jellyfin/templates/deployment.yaml

@@ -1,52 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: '{{ .Release.Name }}'
-spec:
-  strategy:
-    type: Recreate
-    replicas: 1
-  selector:
-    matchLabels:
-      app: '{{ .Release.Name }}'
-  template:
-    metadata:
-      labels:
-        app: '{{ .Release.Name }}'
-    spec:
-      containers:
-        - name: '{{ .Release.Name }}'
-          image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
-          imagePullPolicy: '{{ .Values.image.pullPolicy }}'
-          ports:
-            - name: http
-              containerPort: 8096
-              protocol: TCP
-          livenessProbe:
-            tcpSocket:
-              port: http
-          readinessProbe:
-            tcpSocket:
-              port: http
-          volumeMounts:
-            - mountPath: /config
-              name: config
-            - mountPath: /media/movies
-              name: movies
-            - mountPath: /media/tv-shows
-              name: tvshows
-            - mountPath: /media/music
-              name: music
-      volumes:
-        - name: config
-          persistentVolumeClaim:
-            claimName: '{{ .Release.Name }}-config'
-        - name: movies
-          persistentVolumeClaim:
-            claimName: movies
-        - name: tvshows
-          persistentVolumeClaim:
-            claimName: tvshows
-        - name: music
-          persistentVolumeClaim:
-            claimName: music

charts/apps/jellyfin/templates/external-http-service.yaml

@@ -1,11 +0,0 @@
-apiVersion: homelab.mortenolsen.pro/v1
-kind: ExternalHttpService
-metadata:
-  name: '{{ .Release.Name }}'
-spec:
-  environment: '{{ .Values.environment }}'
-  subdomain: '{{ .Values.subdomain }}'
-  destination:
-    host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local'
-    port:
-      number: 80

charts/apps/jellyfin/templates/service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: '{{ .Release.Name }}'
-  labels:
-    app: '{{ .Release.Name }}'
-spec:
-  type: ClusterIP
-  ports:
-    - port: 80
-      targetPort: 8096
-      protocol: TCP
-      name: http
-  selector:
-    app: '{{ .Release.Name }}'

charts/apps/jellyfin/values.yaml

@@ -1,6 +0,0 @@
-image:
-  repository: docker.io/jellyfin/jellyfin
-  tag: latest
-  pullPolicy: IfNotPresent
-environment: prod
-subdomain: jellyfin

charts/apps/ollama/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-version: 1.0.0
-name: Ollama

charts/apps/ollama/templates/deployment.yaml

@@ -1,52 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: '{{ .Release.Name }}'
-  labels:
-    app: '{{ .Release.Name }}'
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: '{{ .Release.Name }}'
-  template:
-    metadata:
-      labels:
-        app: '{{ .Release.Name }}'
-    spec:
-      containers:
-        - name: ollama
-          image: ghcr.io/ollama/ollama:latest # Official image
-          imagePullPolicy: IfNotPresent
-          ports:
-            - containerPort: 11434
-              name: http
-          volumeMounts:
-            - name: ollama-data
-              mountPath: /root/.ollama
-          env:
-            # If you want to pre‑start a model, set this env var to the
-            # model name (e.g., "gpt-4o-mini").  The container will download
-            # it automatically at startup.
-            # - name: OLLAMA_MODEL
-            #   value: "gpt-4o-mini"
-          readinessProbe:
-            httpGet:
-              scheme: HTTP
-              path: /api/status
-              port: 11434
-            initialDelaySeconds: 5
-            periodSeconds: 10
-            successThreshold: 1
-            failureThreshold: 3
-          resources:
-            requests:
-              cpu: 500m
-              memory: 1Gi
-            limits:
-              cpu: 2000m
-              memory: 4Gi
-      volumes:
-        - name: ollama-data
-          persistentVolumeClaim:
-            claimName: '{{ .Release.Name }}-data'

charts/apps/ollama/templates/pvc.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: '{{ .Release.Name }}-data'
-spec:
-  storageClassName: '{{ .Values.environment }}'
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 20Gi

charts/apps/ollama/templates/service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: '{{ .Release.Name }}'
-  labels:
-    app: '{{ .Release.Name }}'
-spec:
-  type: LoadBalancer # Set to NodePort/ClusterIP if you prefer
-  ports:
-    - name: http
-      port: 11434
-      targetPort: http
-      protocol: TCP
-  selector:
-    app: '{{ .Release.Name }}'

charts/apps/ollama/values.yaml

@@ -1,2 +0,0 @@
-environment: dev
-subdomain: bytestash

charts/operator/templates/_storageclass.yaml

@@ -1,12 +0,0 @@
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: {{ include "homelab-operator.fullname" . }}-local-path
-  labels:
-    {{- include "homelab-operator.labels" . | nindent 4 }}
-provisioner: reuse-local-path-provisioner
-parameters:
-  # Add any provisioner-specific parameters here
-reclaimPolicy: {{ .Values.storage.reclaimPolicy | default "Retain" }}
-allowVolumeExpansion: {{ .Values.storage.allowVolumeExpansion | default false }}
-volumeBindingMode: {{ .Values.storage.volumeBindingMode | default "WaitForFirstConsumer" }}

charts/operator/templates/clusterrole.yaml

@@ -1,32 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "homelab-operator.fullname" . }}
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "get", "watch", "list"]
-- apiGroups: [""]
-  resources: ["namespaces"]
-  verbs: ["get", "list", "watch", "create", "update", "patch"]
-- apiGroups: [""]
-  resources: ["persistentvolumes"]
-  verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
-- apiGroups: [""]
-  resources: ["persistentvolumeclaims"]
-  verbs: ["get", "list", "watch", "update", "patch"]
-- apiGroups: [""]
-  resources: ["persistentvolumeclaims/status"]
-  verbs: ["update", "patch"]
-- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["get", "watch", "list", "patch", "create", "update", "replace"]
-- apiGroups: ["apiextensions.k8s.io"]
-  resources: ["customresourcedefinitions"]
-  verbs: ["get", "create", "update", "replace", "patch"]

charts/root/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-version: 1.0.0
-name: root

charts/root/templates/apps.yaml

@@ -1,32 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: homelab-apps
-  namespace: '{{ .Values.env }}-argo'
-spec:
-  generators:
-    - directory:
-        path: charts/apps
-        recurse: false
-        include: '.*'
-        filter: |
-          .is_dir == true and (.path | endswith(".disabled") | not)
-  template:
-    metadata:
-      name: '{{path.basename}}'
-    spec:
-      project: default
-      source:
-        repoURL: '{{ .Values.repo }}'
-        targetRevision: '{{ .Values.ref }}'
-        path: charts/apps/{{path.basename}}
-        helm:
-          values: |
-            global: {{ .Values.global | toYaml | nindent 14 }}
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: '{{ .Values.globals.env }}'
-      syncPolicy:
-        automated:
-          prune: true
-          selfHeal: true

charts/root/templates/root.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: homelab-root
-  namespace: '{{ .Values.globals.env }}-argo'
-spec:
-  project: default
-  source:
-    repoURL: '{{ .Values.repo }}'
-    targetRevision: '{{ .Values.ref }}'
-    path: charts/root
-    helm:
-      valueFiles:
-        - values.yaml
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: '{{ .Values.globals.env }}-argo'
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true

charts/root/values.yaml

@@ -1,4 +0,0 @@
-globals:
-  env: prod
-repo: https://github.com/morten-olsen/homelab-operator.git
-ref: HEAD

charts/volumes/Chart.yaml

@@ -1,3 +0,0 @@
-apiVersion: v2
-version: 1.0.0
-name: Resources

charts/volumes/templates/books-pvc.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: books
-  labels:
-    type: nfs
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: manual
-  hostPath: null
-  nfs:
-    path: '{{ .Values.books.path }}'
-    server: '{{ .Values.host }}'
-    readOnly: true
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: books
-spec:
-  storageClassName: manual
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 10Gi

charts/volumes/templates/movies-pvc.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: movies
-  labels:
-    type: nfs
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: manual
-  hostPath: null
-  nfs:
-    path: '{{ .Values.movies.path }}'
-    server: '{{ .Values.host }}'
-    readOnly: true
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: movies
-spec:
-  storageClassName: manual
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 10Gi

charts/volumes/templates/music-pvc.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: music
-  labels:
-    type: nfs
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: manual
-  hostPath: null
-  nfs:
-    path: '{{ .Values.music.path }}'
-    server: '{{ .Values.host }}'
-    readOnly: true
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: music
-spec:
-  storageClassName: manual
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 10Gi

charts/volumes/templates/podcasts-pvc.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: podcasts
-  labels:
-    type: nfs
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: manual
-  hostPath: null
-  nfs:
-    path: '{{ .Values.podcasts.path }}'
-    server: '{{ .Values.host }}'
-    readOnly: true
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: podcasts
-spec:
-  storageClassName: manual
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 10Gi

charts/volumes/templates/tv-pvc.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: tvshows
-  labels:
-    type: nfs
-spec:
-  capacity:
-    storage: 10Gi
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: manual
-  hostPath: null
-  nfs:
-    path: '{{ .Values.tvshows.path }}'
-    server: '{{ .Values.host }}'
-    readOnly: true
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: tvshows
-spec:
-  storageClassName: manual
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 10Gi

charts/volumes/values.yaml

@@ -1,11 +0,0 @@
-host: 192.168.20.106
-movies:
-  path: /mnt/HDD/Movies
-tvshows:
-  path: /mnt/HDD/TV-Shows
-music:
-  path: /mnt/HDD/Music2
-books:
-  path: /mnt/HDD/Books
-podcasts:
-  path: /mnt/HDD/Podcasts

docker-compose.dev.yaml

@@ -0,0 +1,12 @@
+name: homelab
+services:
+  postgres:
+    image: postgres:17
+    ports:
+      - 5432:5432
+    environment:
+      POSTGRES_USER: $POSTGRES_USER
+      POSTGRES_PASSWORD: $POSTGRES_PASSWORD
+      POSTGRES_DB: ${POSTGRES_DB:-postgres}
+    volumes:
+      - $PWD/.data/local/postgres:/var/lib/postgresql/data

docs/writing-custom-resources.md

@@ -0,0 +1,901 @@
+# Writing Custom Resources
+
+This guide explains how to create and implement custom resources in the
+homelab-operator.
+
+## Overview
+
+Custom resources in this operator follow a structured pattern that includes:
+
+- **Specification schemas** using Zod for runtime validation
+- **Resource implementations** that extend the base `CustomResource` class
+- **Manifest creation** helpers for generating Kubernetes resources
+- **Reconciliation logic** to manage the desired state
+
+## Project Structure
+
+Each custom resource should be organized in its own directory under
+`src/custom-resouces/` with the following structure:
+
+```
+src/custom-resouces/{resource-name}/
+├── {resource-name}.ts              # Main definition file
+├── {resource-name}.schemas.ts      # Zod validation schemas
+├── {resource-name}.resource.ts     # Resource implementation
+└── {resource-name}.create-manifests.ts # Manifest generation helpers
+```
+
+## Quick Start
+
+This section walks through creating a complete custom resource from scratch.
+We'll build a `MyResource` that manages a web application with a deployment and
+service.
+
+### 1. Define Your Resource
+
+The main definition file registers your custom resource with the operator
+framework. This file serves as the entry point that ties together your schemas,
+implementation, and Kubernetes CRD definition.
+
+Create the main definition file (`{resource-name}.ts`):
+
+```typescript
+import { createCustomResourceDefinition } from "../../services/custom-resources/custom-resources.ts";
+import { GROUP } from "../../utils/consts.ts";
+
+import { MyResourceResource } from "./my-resource.resource.ts";
+import { myResourceSpecSchema } from "./my-resource.schemas.ts";
+
+const myResourceDefinition = createCustomResourceDefinition({
+  group: GROUP, // Uses your operator's API group (homelab.mortenolsen.pro)
+  version: "v1", // API version for this resource
+  kind: "MyResource", // The Kubernetes kind name (PascalCase)
+  names: {
+    plural: "myresources", // Plural name for kubectl (lowercase)
+    singular: "myresource", // Singular name for kubectl (lowercase)
+  },
+  spec: myResourceSpecSchema, // Zod schema for validation
+  create: (options) => new MyResourceResource(options), // Factory function
+});
+
+export { myResourceDefinition };
+```
+
+**Key Points:**
+
+- The `group` should always use the `GROUP` constant to maintain consistency
+- `kind` should be descriptive and follow Kubernetes naming conventions
+  (PascalCase)
+- `names.plural` is used in kubectl commands (`kubectl get myresources`)
+- The `create` function instantiates your resource implementation when a CR is
+  detected
+
+### 2. Create Validation Schemas
+
+Schemas define the structure and validation rules for your custom resource's
+specification. Using Zod provides runtime type safety and automatic validation
+of user input.
+
+Define your spec schema (`{resource-name}.schemas.ts`):
+
+```typescript
+import { z } from "zod";
+
+const myResourceSpecSchema = z.object({
+  // Required fields - these must be provided by users
+  hostname: z.string(), // Base hostname for the application
+  port: z.number().min(1).max(65535), // Container port (validated range)
+
+  // Optional fields with defaults - provide sensible fallbacks
+  replicas: z.number().min(1).default(1), // Number of pod replicas
+
+  // Enums - restrict to specific values with defaults
+  protocol: z.enum(["http", "https"]).default("https"),
+
+  // Nested objects - for complex configuration
+  database: z.object({
+    host: z.string(), // Database hostname
+    port: z.number(), // Database port
+    name: z.string(), // Database name
+  }).optional(), // Entire database config is optional
+});
+
+// Additional schemas for secrets, status, etc.
+// Separate schemas help organize different data types
+const myResourceSecretSchema = z.object({
+  apiKey: z.string(), // API key for external services
+  password: z.string(), // Database or service password
+});
+
+export { myResourceSecretSchema, myResourceSpecSchema };
+```
+
+**Schema Design Best Practices:**
+
+- **Required vs Optional**: Make fields required only when absolutely necessary
+- **Defaults**: Provide sensible defaults to reduce user configuration burden
+- **Validation**: Use Zod's built-in validators (`.min()`, `.max()`, `.email()`,
+  etc.)
+- **Enums**: Restrict values to prevent invalid configurations
+- **Nested Objects**: Group related configuration together
+- **Separate Schemas**: Create different schemas for different purposes (spec,
+  secrets, status)
+
+### 3. Implement the Resource
+
+The resource implementation is the core of your custom resource. It contains the
+business logic for managing Kubernetes resources and maintains the desired
+state. This class extends `CustomResource` and implements the reconciliation
+logic.
+
+Create the resource implementation (`{resource-name}.resource.ts`):
+
+```typescript
+import type { KubernetesObject } from "@kubernetes/client-node";
+import deepEqual from "deep-equal";
+
+import {
+  CustomResource,
+  type CustomResourceOptions,
+  type SubresourceResult,
+} from "../../services/custom-resources/custom-resources.custom-resource.ts";
+import {
+  ResourceReference,
+  ResourceService,
+} from "../../services/resources/resources.ts";
+
+import type { myResourceSpecSchema } from "./my-resource.schemas.ts";
+import {
+  createDeploymentManifest,
+  createServiceManifest,
+} from "./my-resource.create-manifests.ts";
+
+class MyResourceResource extends CustomResource<typeof myResourceSpecSchema> {
+  #deploymentResource = new ResourceReference();
+  #serviceResource = new ResourceReference();
+
+  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+
+    // Initialize resource references
+    this.#deploymentResource.current = resourceService.get({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      name: this.name,
+      namespace: this.namespace,
+    });
+
+    this.#serviceResource.current = resourceService.get({
+      apiVersion: "v1",
+      kind: "Service",
+      name: this.name,
+      namespace: this.namespace,
+    });
+
+    // Set up event handlers for reconciliation
+    this.#deploymentResource.on("changed", this.queueReconcile);
+    this.#serviceResource.on("changed", this.queueReconcile);
+  }
+
+  #reconcileDeployment = async (): Promise<SubresourceResult> => {
+    const manifest = createDeploymentManifest({
+      name: this.name,
+      namespace: this.namespace,
+      ref: this.ref,
+      spec: this.spec,
+    });
+
+    if (!this.#deploymentResource.current?.exists) {
+      await this.#deploymentResource.current?.patch(manifest);
+      return {
+        ready: false,
+        syncing: true,
+        reason: "Creating",
+        message: "Creating deployment",
+      };
+    }
+
+    if (!deepEqual(this.#deploymentResource.current.spec, manifest.spec)) {
+      await this.#deploymentResource.current.patch(manifest);
+      return {
+        ready: false,
+        syncing: true,
+        reason: "Updating",
+        message: "Deployment needs updates",
+      };
+    }
+
+    // Check if deployment is ready
+    const deployment = this.#deploymentResource.current;
+    const isReady =
+      deployment.status?.readyReplicas === deployment.status?.replicas;
+
+    return {
+      ready: isReady,
+      reason: isReady ? "Ready" : "Pending",
+      message: isReady ? "Deployment is ready" : "Waiting for pods to be ready",
+    };
+  };
+
+  #reconcileService = async (): Promise<SubresourceResult> => {
+    const manifest = createServiceManifest({
+      name: this.name,
+      namespace: this.namespace,
+      ref: this.ref,
+      spec: this.spec,
+    });
+
+    if (!deepEqual(this.#serviceResource.current?.spec, manifest.spec)) {
+      await this.#serviceResource.current?.patch(manifest);
+      return {
+        ready: false,
+        syncing: true,
+        reason: "Updating",
+        message: "Service needs updates",
+      };
+    }
+
+    return { ready: true };
+  };
+
+  public reconcile = async () => {
+    if (!this.exists || this.metadata.deletionTimestamp) {
+      return;
+    }
+
+    // Reconcile subresources
+    await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
+    await this.reconcileSubresource("Service", this.#reconcileService);
+
+    // Update overall ready condition
+    const deploymentReady =
+      this.conditions.get("Deployment")?.status === "True";
+    const serviceReady = this.conditions.get("Service")?.status === "True";
+
+    await this.conditions.set("Ready", {
+      status: deploymentReady && serviceReady ? "True" : "False",
+      reason: deploymentReady && serviceReady ? "Ready" : "Pending",
+      message: deploymentReady && serviceReady
+        ? "All resources are ready"
+        : "Waiting for resources to be ready",
+    });
+  };
+}
+
+export { MyResourceResource };
+```
+
+**Resource Implementation Breakdown:**
+
+**Constructor Setup:**
+
+- **Resource References**: Create `ResourceReference` objects to track managed
+  Kubernetes resources
+- **Service Access**: Use dependency injection to access operator services
+  (`ResourceService`)
+- **Event Handlers**: Listen for changes in managed resources to trigger
+  reconciliation
+- **Resource Registration**: Register references for Deployment and Service that
+  will be managed
+
+**Reconciliation Methods:**
+
+- **`#reconcileDeployment`**: Manages the application's Deployment resource
+  - Creates manifests using helper functions
+  - Checks if resource exists and creates/updates as needed
+  - Uses `deepEqual` to avoid unnecessary updates
+  - Returns status indicating readiness state
+- **`#reconcileService`**: Manages the Service resource for network access
+  - Similar pattern to deployment but typically simpler
+  - Services are usually ready immediately after creation
+
+**Main Reconcile Loop:**
+
+- **Deletion Check**: Early return if resource is being deleted
+- **Subresource Management**: Calls individual reconciliation methods
+- **Condition Updates**: Aggregates status from all subresources
+- **Status Reporting**: Updates the overall "Ready" condition
+
+**Key Design Patterns:**
+
+- **Private Methods**: Use `#` for private reconciliation methods
+- **Async/Await**: All reconciliation is asynchronous
+- **Resource References**: Track external resources with type safety
+- **Condition Management**: Provide clear status through Kubernetes conditions
+- **Event-Driven**: React to changes in managed resources automatically
+
+### 4. Create Manifest Helpers
+
+Manifest helpers are pure functions that generate Kubernetes resource
+definitions. They transform your custom resource's specification into standard
+Kubernetes objects. This separation keeps your reconciliation logic clean and
+makes manifests easy to test and modify.
+
+Define manifest creation functions (`{resource-name}.create-manifests.ts`):
+
+```typescript
+type CreateDeploymentManifestOptions = {
+  name: string;
+  namespace: string;
+  ref: any; // Owner reference
+  spec: {
+    hostname: string;
+    port: number;
+    replicas: number;
+  };
+};
+
+const createDeploymentManifest = (
+  options: CreateDeploymentManifestOptions,
+) => ({
+  apiVersion: "apps/v1",
+  kind: "Deployment",
+  metadata: {
+    name: options.name,
+    namespace: options.namespace,
+    ownerReferences: [options.ref],
+  },
+  spec: {
+    replicas: options.spec.replicas,
+    selector: {
+      matchLabels: {
+        app: options.name,
+      },
+    },
+    template: {
+      metadata: {
+        labels: {
+          app: options.name,
+        },
+      },
+      spec: {
+        containers: [
+          {
+            name: options.name,
+            image: "nginx:latest",
+            ports: [
+              {
+                containerPort: options.spec.port,
+              },
+            ],
+            env: [
+              {
+                name: "HOSTNAME",
+                value: options.spec.hostname,
+              },
+            ],
+          },
+        ],
+      },
+    },
+  },
+});
+
+type CreateServiceManifestOptions = {
+  name: string;
+  namespace: string;
+  ref: any;
+  spec: {
+    port: number;
+  };
+};
+
+const createServiceManifest = (options: CreateServiceManifestOptions) => ({
+  apiVersion: "v1",
+  kind: "Service",
+  metadata: {
+    name: options.name,
+    namespace: options.namespace,
+    ownerReferences: [options.ref],
+  },
+  spec: {
+    selector: {
+      app: options.name,
+    },
+    ports: [
+      {
+        port: 80,
+        targetPort: options.spec.port,
+      },
+    ],
+  },
+});
+
+export { createDeploymentManifest, createServiceManifest };
+```
+
+**Manifest Helper Patterns:**
+
+**Type Definitions:**
+
+- **Options Types**: Define clear interfaces for function parameters
+- **Structured Input**: Group related parameters in nested objects
+- **Type Safety**: Leverage TypeScript to catch configuration errors at compile
+  time
+
+**Deployment Manifest:**
+
+- **Owner References**: Ensures garbage collection when parent resource is
+  deleted
+- **Labels & Selectors**: Consistent labeling for pod selection and organization
+- **Container Configuration**: Maps custom resource spec to container settings
+- **Environment Variables**: Passes configuration from spec to running
+  containers
+- **Port Configuration**: Exposes application ports based on spec
+
+**Service Manifest:**
+
+- **Service Discovery**: Creates stable network endpoint for the deployment
+- **Port Mapping**: Routes external traffic to container ports
+- **Selector Matching**: Uses same labels as deployment for proper routing
+- **Owner References**: Links service lifecycle to custom resource
+
+**Best Practices for Manifest Helpers:**
+
+- **Pure Functions**: No side effects, same input always produces same output
+- **Immutable Objects**: Return new objects rather than modifying inputs
+- **Validation**: Let TypeScript catch type mismatches
+- **Consistent Naming**: Use predictable patterns for resource names
+- **Owner References**: Always set for proper cleanup
+- **Documentation**: Comment non-obvious configuration choices
+
+### 5. Register Your Resource
+
+Add your resource to `src/custom-resouces/custom-resources.ts`:
+
+```typescript
+import { myResourceDefinition } from "./my-resource/my-resource.ts";
+
+const customResources = [
+  // ... existing resources
+  myResourceDefinition,
+];
+```
+
+## Core Concepts
+
+These fundamental patterns are used throughout the operator framework.
+Understanding them is essential for building robust custom resources.
+
+### Resource References
+
+`ResourceReference` objects provide a strongly-typed way to track and manage
+Kubernetes resources that your custom resource creates or depends on. They
+automatically handle resource watching, caching, and change notifications.
+
+Use `ResourceReference` to manage related Kubernetes resources:
+
+```typescript
+import {
+  ResourceReference,
+  ResourceService,
+} from "../../services/resources/resources.ts";
+
+class MyResource extends CustomResource<typeof myResourceSpecSchema> {
+  #deploymentResource = new ResourceReference();
+
+  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+
+    this.#deploymentResource.current = resourceService.get({
+      apiVersion: "apps/v1",
+      kind: "Deployment",
+      name: this.name,
+      namespace: this.namespace,
+    });
+
+    // Listen for changes
+    this.#deploymentResource.on("changed", this.queueReconcile);
+  }
+}
+```
+
+**Why Resource References Matter:**
+
+- **Automatic Watching**: Changes to referenced resources trigger reconciliation
+- **Type Safety**: Get compile-time checking for resource properties
+- **Lifecycle Management**: Easily check if resources exist and their current
+  state
+- **Event Handling**: React to external changes without polling
+- **Caching**: Avoid repeated API calls for the same resource data
+
+### Conditions
+
+Kubernetes conditions provide a standardized way to communicate resource status.
+They follow the Kubernetes convention of expressing current state, reasons for
+that state, and human-readable messages. Conditions are crucial for operators
+and users to understand what's happening with resources.
+
+Use conditions to track the status of your resource:
+
+```typescript
+// Set a condition
+await this.conditions.set("Ready", {
+  status: "True",
+  reason: "AllResourcesReady",
+  message: "All subresources are ready",
+});
+
+// Get a condition
+const isReady = this.conditions.get("Ready")?.status === "True";
+```
+
+**Condition Best Practices:**
+
+- **Standard Names**: Use common condition types like "Ready", "Available",
+  "Progressing"
+- **Clear Status**: Use "True", "False", or "Unknown" following Kubernetes
+  conventions
+- **Descriptive Reasons**: Provide specific reason codes for troubleshooting
+- **Helpful Messages**: Include actionable information for users
+- **Consistent Updates**: Always update conditions during reconciliation
+
+### Subresource Reconciliation
+
+The `reconcileSubresource` method provides a standardized way to manage
+individual components of your custom resource. It automatically handles
+condition updates, error management, and status aggregation. This pattern keeps
+your main reconciliation loop clean and ensures consistent error handling.
+
+Use `reconcileSubresource` to manage individual components:
+
+```typescript
+public reconcile = async () => {
+  // This automatically manages conditions and error handling
+  await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
+  await this.reconcileSubresource("Service", this.#reconcileService);
+};
+```
+
+**Subresource Reconciliation Benefits:**
+
+- **Automatic Condition Management**: Sets conditions based on reconciliation
+  results
+- **Error Isolation**: Failures in one subresource don't stop others
+- **Status Aggregation**: Combines individual component status into overall
+  status
+- **Consistent Patterns**: Same error handling and retry logic across all
+  components
+- **Observability**: Clear visibility into which components are having issues
+
+### Deep Equality Checks
+
+Deep equality checks prevent unnecessary API calls and resource churn.
+Kubernetes resources should only be updated when their desired state actually
+differs from their current state. This improves performance and reduces cluster
+load.
+
+Use `deepEqual` to avoid unnecessary updates:
+
+```typescript
+import deepEqual from "deep-equal";
+
+if (!deepEqual(currentResource.spec, desiredManifest.spec)) {
+  await currentResource.patch(desiredManifest);
+}
+```
+
+**Deep Equality Benefits:**
+
+- **Performance**: Avoids unnecessary API calls to Kubernetes
+- **Reduced Churn**: Prevents resource version conflicts and unnecessary events
+- **Stability**: Reduces reconciliation loops and system noise
+- **Efficiency**: Lets you focus compute on actual changes
+- **Observability**: Cleaner audit logs with only meaningful changes
+
+**When to Use Deep Equality:**
+
+- **Spec Comparisons**: Before updating any Kubernetes resource
+- **Status Updates**: Only update status when values actually change
+- **Metadata Updates**: Check labels and annotations before patching
+- **Complex Objects**: Especially useful for nested configuration objects
+
+## Advanced Patterns
+
+These patterns handle more complex scenarios like secret management, resource
+dependencies, and sophisticated error handling. Use these when building
+production-ready operators that need to handle real-world complexity.
+
+### Working with Secrets
+
+Many resources need to manage secrets. Here's a pattern for secret management:
+
+```typescript
+import { SecretService } from "../../services/secrets/secrets.ts";
+
+class MyResource extends CustomResource<typeof myResourceSpecSchema> {
+  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
+    super(options);
+    const secretService = this.services.get(SecretService);
+
+    // Get or create a secret
+    this.secretRef = secretService.get({
+      name: `${this.name}-secret`,
+      namespace: this.namespace,
+    });
+  }
+
+  #ensureSecret = async () => {
+    const secretData = {
+      apiKey: generateApiKey(),
+      password: generatePassword(),
+    };
+
+    if (!this.secretRef.current?.exists) {
+      await this.secretRef.current?.patch({
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name: this.secretRef.current.name,
+          namespace: this.secretRef.current.namespace,
+          ownerReferences: [this.ref],
+        },
+        data: secretData,
+      });
+    }
+  };
+}
+```
+
+### Cross-Resource Dependencies
+
+When your resource depends on other custom resources:
+
+```typescript
+class MyResource extends CustomResource<typeof myResourceSpecSchema> {
+  #dependentResource = new ResourceReference();
+
+  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+
+    // Reference another custom resource
+    this.#dependentResource.current = resourceService.get({
+      apiVersion: "homelab.mortenolsen.pro/v1",
+      kind: "PostgresDatabase",
+      name: this.spec.database,
+      namespace: this.namespace,
+    });
+
+    this.#dependentResource.on("changed", this.queueReconcile);
+  }
+
+  #reconcileApp = async (): Promise<SubresourceResult> => {
+    // Check if dependency is ready
+    const dependency = this.#dependentResource.current;
+    if (!dependency?.exists) {
+      return {
+        ready: false,
+        failed: true,
+        reason: "MissingDependency",
+        message: `PostgresDatabase ${this.spec.database} not found`,
+      };
+    }
+
+    const dependencyReady = dependency.status?.conditions?.find(
+      (c) => c.type === "Ready" && c.status === "True",
+    );
+
+    if (!dependencyReady) {
+      return {
+        ready: false,
+        reason: "WaitingForDependency",
+        message:
+          `Waiting for PostgresDatabase ${this.spec.database} to be ready`,
+      };
+    }
+
+    // Continue with reconciliation...
+  };
+}
+```
+
+### Error Handling
+
+Proper error handling in reconciliation:
+
+```typescript
+#reconcileDeployment = async (): Promise<SubresourceResult> => {
+  try {
+    // Reconciliation logic...
+    return { ready: true };
+  } catch (error) {
+    return {
+      ready: false,
+      failed: true,
+      reason: 'ReconciliationError',
+      message: `Failed to reconcile deployment: ${error.message}`,
+    };
+  }
+};
+```
+
+## Example Usage
+
+Once your custom resource is implemented and registered, users can create
+instances using standard Kubernetes manifests. The operator will automatically
+detect new resources and begin reconciliation based on your implementation
+logic.
+
+```yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: MyResource
+metadata:
+  name: my-app
+  namespace: default
+spec:
+  hostname: my-app.example.com
+  port: 8080
+  replicas: 3
+  protocol: https
+  database:
+    host: postgres.default.svc.cluster.local
+    port: 5432
+    name: myapp
+```
+
+**What happens when this resource is created:**
+
+1. **Validation**: The operator validates the spec against your Zod schema
+2. **Resource Creation**: Your `MyResourceResource` class is instantiated
+3. **Reconciliation**: The operator creates a Deployment with 3 replicas and a
+   Service
+4. **Status Updates**: Conditions are set to track deployment and service
+   readiness
+5. **Event Handling**: The operator watches for changes and re-reconciles as
+   needed
+
+Users can then monitor the resource status with:
+
+```bash
+kubectl get myresources my-app -o yaml
+kubectl describe myresource my-app
+```
+
+## Real Examples
+
+These examples show how the patterns described above are used in practice within
+the homelab-operator.
+
+### Simple Resource: Domain
+
+The `Domain` resource demonstrates a straightforward custom resource that
+manages external dependencies. It creates and manages TLS certificates through
+cert-manager and configures Istio gateways for HTTPS traffic routing.
+
+**What it does:**
+
+- Creates a cert-manager Certificate for TLS termination
+- Configures an Istio Gateway for traffic routing
+- Manages the lifecycle of both resources through owner references
+- Provides wildcard certificate support for subdomains
+
+```yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: Domain
+metadata:
+  name: homelab
+  namespace: homelab
+spec:
+  hostname: local.olsen.cloud # Domain for certificate and gateway
+  issuer: letsencrypt-prod # cert-manager ClusterIssuer to use
+```
+
+**Key Implementation Features:**
+
+- **CRD Dependency Checking**: Validates that cert-manager and Istio CRDs exist
+- **Cross-Namespace Resources**: Certificate is created in the istio-ingress
+  namespace
+- **Status Aggregation**: Combines certificate and gateway readiness into
+  overall status
+- **Wildcard Support**: Automatically configures `*.hostname` for subdomains
+
+### Complex Resource: AuthentikServer
+
+The `AuthentikServer` resource showcases a complex custom resource with multiple
+dependencies and sophisticated reconciliation logic. It deploys a complete
+identity provider solution with database and Redis dependencies.
+
+**What it does:**
+
+- Deploys Authentik identity provider with proper configuration
+- Manages database schema and user creation
+- Configures Redis connection for session storage
+- Sets up domain integration for SSO endpoints
+- Handles secret generation and rotation
+
+```yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: AuthentikServer
+metadata:
+  name: homelab
+  namespace: homelab
+spec:
+  domain: homelab # References a Domain resource
+  database: test2 # References a PostgresDatabase resource
+  redis: redis # References a Redis connection
+```
+
+**Key Implementation Features:**
+
+- **Resource Dependencies**: Waits for Domain, PostgresDatabase, and Redis
+  resources
+- **Secret Management**: Generates and manages API keys, passwords, and tokens
+- **Service Configuration**: Creates comprehensive Kubernetes manifests
+  (Deployment, Service, Ingress)
+- **Health Checking**: Monitors application readiness and database connectivity
+- **Cross-Resource Communication**: Uses other custom resources' status and
+  outputs
+
+### Database Resource: PostgresDatabase
+
+The `PostgresDatabase` resource illustrates how to manage stateful resources and
+external system integration. It creates databases within an existing PostgreSQL
+instance and manages user permissions.
+
+**What it does:**
+
+- Creates a new database in an existing PostgreSQL server
+- Generates dedicated database user with appropriate permissions
+- Manages connection secrets for applications
+- Handles database cleanup and user removal
+
+```yaml
+apiVersion: homelab.mortenolsen.pro/v1
+kind: PostgresDatabase
+metadata:
+  name: test2
+  namespace: homelab
+spec:
+  connection: homelab/db # References PostgreSQL connection (namespace/name)
+```
+
+**Key Implementation Features:**
+
+- **External System Integration**: Connects to existing PostgreSQL instances
+- **User Management**: Creates database-specific users with minimal required
+  permissions
+- **Secret Generation**: Provides connection details to consuming applications
+- **Cleanup Handling**: Safely removes databases and users when resource is
+  deleted
+- **Connection Validation**: Verifies connectivity before marking as ready
+
+**Common Patterns Across Examples:**
+
+- **Owner References**: All managed resources have proper ownership for garbage
+  collection
+- **Condition Management**: Consistent status reporting through Kubernetes
+  conditions
+- **Resource Dependencies**: Graceful handling of missing or unready
+  dependencies
+- **Secret Management**: Secure generation and storage of credentials
+- **Cross-Resource Integration**: Resources reference and depend on each other
+  appropriately
+
+## Best Practices
+
+1. **Validation**: Always use Zod schemas for comprehensive spec validation
+2. **Idempotency**: Use `deepEqual` checks to avoid unnecessary updates
+3. **Conditions**: Provide clear status information through conditions
+4. **Owner References**: Always set owner references for created resources
+5. **Error Handling**: Provide meaningful error messages and failure reasons
+6. **Dependencies**: Handle missing dependencies gracefully
+7. **Cleanup**: Leverage Kubernetes garbage collection through owner references
+8. **Testing**: Create test manifests in `test-manifests/` for your resources
+
+## Troubleshooting
+
+- **Resource not reconciling**: Check if the resource is properly registered in
+  `custom-resources.ts`
+- **Validation errors**: Ensure your Zod schema matches the expected spec
+  structure
+- **Missing dependencies**: Verify that referenced resources exist and are ready
+- **Owner reference issues**: Make sure `ownerReferences` are set correctly for
+  garbage collection
+- **Condition not updating**: Ensure you're calling `this.conditions.set()` with
+  proper status values
+
+For more examples, refer to the existing custom resources in
+`src/custom-resouces/`.

istio-test.yaml

@@ -1,22 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: ServiceEntry
-metadata:
-  name: dev-authentik-override
-  namespace: dev
-spec:
-  hosts:
-    - authentik.mortenolsen.nett
-  ports:
-    - number: 443
-      name: https
-      protocol: HTTPS
-    - number: 80
-      name: http
-      protocol: HTTP
-  location: MESH_EXTERNAL
-  resolution: STATIC
-  endpoints:
-    - address: 1.1.1.1
-      ports:
-        https: 443
-        http: 80

manifests/client.yaml

@@ -1,9 +0,0 @@
-apiVersion: homelab.mortenolsen.pro/v1
-kind: OidcClient
-metadata:
-  name: test-client
-spec:
-  environment: dev
-  redirectUris:
-    - url: https://localhost:3000/api/v1/authentik/oauth2/callback
-      matchingMode: strict

manifests/environment.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: dev
----
-apiVersion: homelab.mortenolsen.pro/v1
-kind: Environment
-metadata:
-  name: prod
-spec:
-  domain: olsen.cloud
-  networkIp: 192.168.20.180
-  tls:
-    issuer: lets-encrypt-prod

manifests/example-pvc.yaml

@@ -1,39 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: example-pvc
-  namespace: default
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
-  storageClassName: homelab-operator-local-path
-
----
-
-apiVersion: v1
-kind: Pod
-metadata:
-  name: example-pod
-  namespace: default
-spec:
-  containers:
-    - name: example-container
-      image: alpine
-      command: ["/bin/sh", "-c", "sleep infinity"]
-      volumeMounts:
-        - name: example-volume
-          mountPath: /data
-      resources:
-        limits:
-          memory: 100Mi
-          cpu: "0.1"
-        requests:
-          memory: 50Mi
-          cpu: "0.05"
-  volumes:
-    - name: example-volume
-      persistentVolumeClaim:
-        claimName: example-pvc

manifests/test-service.yaml

@@ -1,14 +0,0 @@
-apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: test-example-com
-  namespace: dev
-spec:
-  hosts:
-    - authentik.one.dev.olsen.cloud
-      # (the address field is optional if you use 'resolution: DNS')
-  ports:
-    - number: 80
-      name: https
-      protocol: HTTPS
-  resolution: DNS

operator.yaml

@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: homelab
-
----
-
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: homelab
-  namespace: homelab
-spec:
-  interval: 60m
-  url: https://github.com/morten-olsen/homelab-operator
-  ref:
-    branch: main
-
----
-
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: operator
-  namespace: homelab
-spec:
-  releaseName: operator
-  interval: 60m
-  chart:
-    spec:
-      chart: charts/operator
-      sourceRef:
-        kind: GitRepository
-        name: homelab
-        namespace: homelab

package.json

@@ -22,8 +22,6 @@
   "dependencies": {
     "@goauthentik/api": "2025.6.3-1751754396",
     "@kubernetes/client-node": "^1.3.0",
-    "cloudflare": "^4.5.0",
-    "cron": "^4.3.3",
     "debounce": "^2.2.0",
     "deep-equal": "^2.2.3",
     "dotenv": "^17.2.1",
@@ -37,12 +35,6 @@
     "yaml": "^2.8.0",
     "zod": "^4.0.14"
   },
-  "imports": {
-    "#services/*": "./src/services/*",
-    "#resources/*": "./src/resources/*",
-    "#bootstrap/*": "./src/bootstrap/*",
-    "#utils/*": "./src/utils/*"
-  },
   "packageManager": "pnpm@10.6.0",
   "pnpm": {
     "onlyBuiltDependencies": [

pnpm-lock.yaml

@@ -14,12 +14,6 @@ importers:
       '@kubernetes/client-node':
         specifier: ^1.3.0
         version: 1.3.0(encoding@0.1.13)
-      cloudflare:
-        specifier: ^4.5.0
-        version: 4.5.0(encoding@0.1.13)
-      cron:
-        specifier: ^4.3.3
-        version: 4.3.3
       debounce:
         specifier: ^2.2.0
         version: 2.2.0
@@ -235,15 +229,9 @@ packages:
   '@types/lodash@4.17.20':
     resolution: {integrity: sha512-H3MHACvFUEiujabxhaI/ImO6gUrd8oOurg7LQtS7mbwIXA/cUqWrvBsaeJ23aZEPk1TAYkurjfMbSELfoCXlGA==}
 
-  '@types/luxon@3.7.1':
-    resolution: {integrity: sha512-H3iskjFIAn5SlJU7OuxUmTEpebK6TKB8rxZShDslBMZJ5u9S//KM1sbdAisiSrqwLQncVjnpi2OK2J51h+4lsg==}
-
   '@types/node-fetch@2.6.12':
     resolution: {integrity: sha512-8nneRWKCg3rMtF69nLQJnOYUcbafYeFSjqkw3jCRLsqkWFlHaoQrr5mXmofFGOx3DKn7UfmBMyov8ySvLRVldA==}
 
-  '@types/node@18.19.123':
-    resolution: {integrity: sha512-K7DIaHnh0mzVxreCR9qwgNxp3MH9dltPNIEddW9MYUlcKAzm+3grKNSTe2vCJHI1FaLpvpL5JGJrz1UZDKYvDg==}
-
   '@types/node@22.16.5':
     resolution: {integrity: sha512-bJFoMATwIGaxxx8VJPeM8TonI8t579oRvgAuT8zFugJsJZgzqv0Fu8Mhp68iecjzG7cnN3mO2dJQ5uUM2EFrgQ==}
 
@@ -315,10 +303,6 @@ packages:
   abbrev@1.1.1:
     resolution: {integrity: sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==}
 
-  abort-controller@3.0.0:
-    resolution: {integrity: sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==}
-    engines: {node: '>=6.5'}
-
   acorn-jsx@5.3.2:
     resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==}
     peerDependencies:
@@ -495,9 +479,6 @@ packages:
     resolution: {integrity: sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==}
     engines: {node: '>=6'}
 
-  cloudflare@4.5.0:
-    resolution: {integrity: sha512-fPcbPKx4zF45jBvQ0z7PCdgejVAPBBCZxwqk1k7krQNfpM07Cfj97/Q6wBzvYqlWXx/zt1S9+m8vnfCe06umbQ==}
-
   color-convert@2.0.1:
     resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
     engines: {node: '>=7.0.0'}
@@ -526,10 +507,6 @@ packages:
   console-control-strings@1.1.0:
     resolution: {integrity: sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==}
 
-  cron@4.3.3:
-    resolution: {integrity: sha512-B/CJj5yL3sjtlun6RtYHvoSB26EmQ2NUmhq9ZiJSyKIM4K/fqfh9aelDFlIayD2YMeFZqWLi9hHV+c+pq2Djkw==}
-    engines: {node: '>=18.x'}
-
   cross-spawn@7.0.6:
     resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
     engines: {node: '>= 8'}
@@ -777,10 +754,6 @@ packages:
     resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==}
     engines: {node: '>=0.10.0'}
 
-  event-target-shim@5.0.1:
-    resolution: {integrity: sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==}
-    engines: {node: '>=6'}
-
   eventemitter3@5.0.1:
     resolution: {integrity: sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==}
 
@@ -852,17 +825,10 @@ packages:
     resolution: {integrity: sha512-dKx12eRCVIzqCxFGplyFKJMPvLEWgmNtUrpTiJIR5u97zEhRG8ySrtboPHZXx7daLxQVrl643cTzbab2tkQjxg==}
     engines: {node: '>= 0.4'}
 
-  form-data-encoder@1.7.2:
-    resolution: {integrity: sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A==}
-
   form-data@4.0.4:
     resolution: {integrity: sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==}
     engines: {node: '>= 6'}
 
-  formdata-node@4.4.1:
-    resolution: {integrity: sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==}
-    engines: {node: '>= 12.20'}
-
   fs-constants@1.0.0:
     resolution: {integrity: sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==}
 
@@ -1272,10 +1238,6 @@ packages:
     resolution: {integrity: sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==}
     engines: {node: '>=10'}
 
-  luxon@3.7.1:
-    resolution: {integrity: sha512-RkRWjA926cTvz5rAb1BqyWkKbbjzCGchDUIKMCUvNi17j6f6j8uHGDV82Aqcqtzd+icoYpELmG3ksgGiFNNcNg==}
-    engines: {node: '>=12'}
-
   make-fetch-happen@9.1.0:
     resolution: {integrity: sha512-+zopwDy7DNknmwPQplem5lAZX/eCOzSvSNNcSKm5eVwTkOBzoktEfXsa9L23J/GIRhxRsaxzkPEhrJEpE2F4Gg==}
     engines: {node: '>= 10'}
@@ -1377,11 +1339,6 @@ packages:
   node-addon-api@7.1.1:
     resolution: {integrity: sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==}
 
-  node-domexception@1.0.0:
-    resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
-    engines: {node: '>=10.5.0'}
-    deprecated: Use your platform's native DOMException instead
-
   node-fetch@2.7.0:
     resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}
     engines: {node: 4.x || >=6.0.0}
@@ -1929,9 +1886,6 @@ packages:
     resolution: {integrity: sha512-nWJ91DjeOkej/TA8pXQ3myruKpKEYgqvpw9lz4OPHj/NWFNluYrjbz9j01CJ8yKQd2g4jFoOkINCTW2I5LEEyw==}
     engines: {node: '>= 0.4'}
 
-  undici-types@5.26.5:
-    resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==}
-
   undici-types@6.21.0:
     resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
 
@@ -1951,10 +1905,6 @@ packages:
   util-deprecate@1.0.2:
     resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==}
 
-  web-streams-polyfill@4.0.0-beta.3:
-    resolution: {integrity: sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==}
-    engines: {node: '>= 14'}
-
   webidl-conversions@3.0.1:
     resolution: {integrity: sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==}
 
@@ -2179,17 +2129,11 @@ snapshots:
 
   '@types/lodash@4.17.20': {}
 
-  '@types/luxon@3.7.1': {}
-
   '@types/node-fetch@2.6.12':
     dependencies:
       '@types/node': 22.16.5
       form-data: 4.0.4
 
-  '@types/node@18.19.123':
-    dependencies:
-      undici-types: 5.26.5
-
   '@types/node@22.16.5':
     dependencies:
       undici-types: 6.21.0
@@ -2296,10 +2240,6 @@ snapshots:
   abbrev@1.1.1:
     optional: true
 
-  abort-controller@3.0.0:
-    dependencies:
-      event-target-shim: 5.0.1
-
   acorn-jsx@5.3.2(acorn@8.15.0):
     dependencies:
       acorn: 8.15.0
@@ -2318,6 +2258,7 @@ snapshots:
   agentkeepalive@4.6.0:
     dependencies:
       humanize-ms: 1.2.1
+    optional: true
 
   aggregate-error@3.1.0:
     dependencies:
@@ -2522,18 +2463,6 @@ snapshots:
   clean-stack@2.2.0:
     optional: true
 
-  cloudflare@4.5.0(encoding@0.1.13):
-    dependencies:
-      '@types/node': 18.19.123
-      '@types/node-fetch': 2.6.12
-      abort-controller: 3.0.0
-      agentkeepalive: 4.6.0
-      form-data-encoder: 1.7.2
-      formdata-node: 4.4.1
-      node-fetch: 2.7.0(encoding@0.1.13)
-    transitivePeerDependencies:
-      - encoding
-
   color-convert@2.0.1:
     dependencies:
       color-name: 1.1.4
@@ -2556,11 +2485,6 @@ snapshots:
   console-control-strings@1.1.0:
     optional: true
 
-  cron@4.3.3:
-    dependencies:
-      '@types/luxon': 3.7.1
-      luxon: 3.7.1
-
   cross-spawn@7.0.6:
     dependencies:
       path-key: 3.1.1
@@ -2904,8 +2828,6 @@ snapshots:
 
   esutils@2.0.3: {}
 
-  event-target-shim@5.0.1: {}
-
   eventemitter3@5.0.1: {}
 
   execa@9.6.0:
@@ -2981,8 +2903,6 @@ snapshots:
     dependencies:
       is-callable: 1.2.7
 
-  form-data-encoder@1.7.2: {}
-
   form-data@4.0.4:
     dependencies:
       asynckit: 0.4.0
@@ -2991,11 +2911,6 @@ snapshots:
       hasown: 2.0.2
       mime-types: 2.1.35
 
-  formdata-node@4.4.1:
-    dependencies:
-      node-domexception: 1.0.0
-      web-streams-polyfill: 4.0.0-beta.3
-
   fs-constants@1.0.0: {}
 
   fs-minipass@2.1.0:
@@ -3149,6 +3064,7 @@ snapshots:
   humanize-ms@1.2.1:
     dependencies:
       ms: 2.1.3
+    optional: true
 
   iconv-lite@0.6.3:
     dependencies:
@@ -3413,8 +3329,6 @@ snapshots:
       yallist: 4.0.0
     optional: true
 
-  luxon@3.7.1: {}
-
   make-fetch-happen@9.1.0:
     dependencies:
       agentkeepalive: 4.6.0
@@ -3526,8 +3440,6 @@ snapshots:
 
   node-addon-api@7.1.1: {}
 
-  node-domexception@1.0.0: {}
-
   node-fetch@2.7.0(encoding@0.1.13):
     dependencies:
       whatwg-url: 5.0.0
@@ -4186,8 +4098,6 @@ snapshots:
       has-symbols: 1.1.0
       which-boxed-primitive: 1.1.1
 
-  undici-types@5.26.5: {}
-
   undici-types@6.21.0: {}
 
   unicorn-magic@0.3.0: {}
@@ -4208,8 +4118,6 @@ snapshots:
 
   util-deprecate@1.0.2: {}
 
-  web-streams-polyfill@4.0.0-beta.3: {}
-
   webidl-conversions@3.0.1: {}
 
   whatwg-url@5.0.0:

pyproject.toml

@@ -1,9 +0,0 @@
-[project]
-name = "homelab-operator"
-version = "0.1.0"
-description = "Add your description here"
-readme = "README.md"
-requires-python = ">=3.13"
-dependencies = [
-    "kubediagrams>=0.5.0",
-]

scripts/apply-test.sh

@@ -0,0 +1,4 @@
+for f in "./test-manifests/"*; do
+  echo "Applying $f"
+  kubectl apply -f "$f"
+done

scripts/create-secrets.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Load environment variables from .env file
+if [ -f .env ]; then
+  export $(cat .env | grep -v '#' | awk '/=/ {print $1}')
+fi
+
+# Check if CLOUDFLARE_API_KEY is set
+if [ -z "${CLOUDFLARE_API_KEY}" ]; then
+  echo "Error: CLOUDFLARE_API_KEY is not set. Please add it to your .env file."
+  exit 1
+fi
+
+# Create the postgres namespace if it doesn't exist
+kubectl get namespace postgres > /dev/null 2>&1 || kubectl create namespace postgres
+
+# Create the secret
+kubectl create secret generic cloudflare-api-token \
+  --namespace cert-manager \
+  --from-literal=api-token="${CLOUDFLARE_API_KEY}"

scripts/list-manifests.ts

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+import { K8sService } from '../src/services/k8s/k8s.ts';
+import { Services } from '../src/utils/service.ts';
+
+const services = new Services();
+const k8s = services.get(K8sService);
+
+const manifests = await k8s.extensionsApi.listCustomResourceDefinition();
+
+for (const manifest of manifests.items) {
+  for (const version of manifest.spec.versions) {
+    console.log(`group: ${manifest.spec.group}, plural: ${manifest.spec.names.plural}, version: ${version.name}`);
+  }
+}

scripts/setup-server.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+flux install --components="source-controller,helm-controller"
+kubectl create namespace homelab

skaffold.yaml

@@ -1,25 +0,0 @@
-apiVersion: skaffold/v4beta7
-kind: Config
-metadata:
-  name: homelab-operator
-
-build:
-  cluster: {}
-  artifacts:
-    - image: homelaboperator
-      context: .
-      docker:
-        dockerfile: Dockerfile
-
-manifests:
-  helm:
-    releases:
-      - name: homelab-operator
-        chartPath: charts/operator
-        setValueTemplates:
-          image.repository: '{{.IMAGE_REPO_homelaboperator}}'
-          image.tag: '{{.IMAGE_TAG_homelaboperator}}'
-
-deploy:
-  # Use kubectl to apply the manifests.
-  kubectl: {}

src/bootstrap/bootstrap.ts

@@ -1,42 +0,0 @@
-import { CloudflareTunnel } from '#resources/homelab/cloudflare-tunnel/cloudflare-tunnel.ts';
-import { ResourceService } from '#services/resources/resources.ts';
-import type { Services } from '../utils/service.ts';
-
-import { NamespaceService } from './namespaces/namespaces.ts';
-import { ReleaseService } from './releases/releases.ts';
-import { RepoService } from './repos/repos.ts';
-
-class BootstrapService {
-  #services: Services;
-
-  constructor(services: Services) {
-    this.#services = services;
-  }
-  public get namespaces() {
-    return this.#services.get(NamespaceService);
-  }
-
-  public get repos() {
-    return this.#services.get(RepoService);
-  }
-
-  public get releases() {
-    return this.#services.get(ReleaseService);
-  }
-
-  public get cloudflareTunnel() {
-    const resourceService = this.#services.get(ResourceService);
-    return resourceService.get(CloudflareTunnel, 'cloudflare-tunnel', this.namespaces.homelab.name);
-  }
-
-  public ensure = async () => {
-    await this.namespaces.ensure();
-    await this.repos.ensure();
-    await this.releases.ensure();
-    await this.cloudflareTunnel.ensure({
-      spec: {},
-    });
-  };
-}
-
-export { BootstrapService };

src/bootstrap/namespaces/namespaces.ts

@@ -1,45 +0,0 @@
-import type { Services } from '../../utils/service.ts';
-import { ResourceService } from '../../services/resources/resources.ts';
-
-import { Namespace } from '#resources/core/namespace/namespace.ts';
-
-class NamespaceService {
-  #homelab: Namespace;
-  #istioSystem: Namespace;
-  #certManager: Namespace;
-
-  constructor(services: Services) {
-    const resourceService = services.get(ResourceService);
-    this.#homelab = resourceService.get(Namespace, 'homelab');
-    this.#istioSystem = resourceService.get(Namespace, 'istio-system');
-    this.#certManager = resourceService.get(Namespace, 'cert-manager');
-
-    this.#homelab.on('changed', this.ensure);
-    this.#istioSystem.on('changed', this.ensure);
-    this.#certManager.on('changed', this.ensure);
-  }
-
-  public get homelab() {
-    return this.#homelab;
-  }
-  public get istioSystem() {
-    return this.#istioSystem;
-  }
-  public get certManager() {
-    return this.#certManager;
-  }
-
-  public ensure = async () => {
-    await this.#homelab.ensure({
-      metadata: {
-        labels: {
-          'istio-injection': 'enabled',
-        },
-      },
-    });
-    await this.#istioSystem.ensure({});
-    await this.#certManager.ensure({});
-  };
-}
-
-export { NamespaceService };

src/bootstrap/releases/releases.ts

@@ -1,141 +0,0 @@
-import { ResourceService } from '../../services/resources/resources.ts';
-import { NAMESPACE } from '../../utils/consts.ts';
-import { Services } from '../../utils/service.ts';
-import { NamespaceService } from '../namespaces/namespaces.ts';
-import { RepoService } from '../repos/repos.ts';
-
-import { HelmRelease } from '#resources/flux/helm-release/helm-release.ts';
-
-class ReleaseService {
-  #services: Services;
-  #certManager: HelmRelease;
-  #istioBase: HelmRelease;
-  #istiod: HelmRelease;
-  #istioGateway: HelmRelease;
-
-  constructor(services: Services) {
-    this.#services = services;
-    const resourceService = services.get(ResourceService);
-    this.#certManager = resourceService.get(HelmRelease, 'cert-manager', NAMESPACE);
-    this.#istioBase = resourceService.get(HelmRelease, 'istio-base', NAMESPACE);
-    this.#istiod = resourceService.get(HelmRelease, 'istiod', NAMESPACE);
-    this.#istioGateway = resourceService.get(HelmRelease, 'istio-gateway', NAMESPACE);
-
-    this.#certManager.on('changed', this.ensure);
-    this.#istioBase.on('changed', this.ensure);
-    this.#istiod.on('changed', this.ensure);
-    this.#istioGateway.on('changed', this.ensure);
-  }
-
-  public get certManager() {
-    return this.#certManager;
-  }
-  public get istioBase() {
-    return this.#istioBase;
-  }
-  public get istiod() {
-    return this.#istiod;
-  }
-
-  public ensure = async () => {
-    const namespaceService = this.#services.get(NamespaceService);
-    const repoService = this.#services.get(RepoService);
-    await this.#certManager.ensure({
-      spec: {
-        targetNamespace: namespaceService.certManager.name,
-        interval: '1h',
-        values: {
-          installCRDs: true,
-        },
-        chart: {
-          spec: {
-            chart: 'cert-manager',
-            version: 'v1.18.2',
-            sourceRef: {
-              apiVersion: 'source.toolkit.fluxcd.io/v1',
-              kind: 'HelmRepository',
-              name: repoService.jetstack.name,
-              namespace: repoService.jetstack.namespace,
-            },
-          },
-        },
-      },
-    });
-    await this.#istioBase.ensure({
-      spec: {
-        targetNamespace: namespaceService.istioSystem.name,
-        interval: '1h',
-        values: {
-          defaultRevision: 'default',
-          profile: 'ambient',
-        },
-        chart: {
-          spec: {
-            chart: 'base',
-            version: '1.24.3',
-            sourceRef: {
-              apiVersion: 'source.toolkit.fluxcd.io/v1',
-              kind: 'HelmRepository',
-              name: repoService.istio.name,
-              namespace: repoService.istio.namespace,
-            },
-          },
-        },
-      },
-    });
-    await this.#istiod.ensure({
-      spec: {
-        targetNamespace: namespaceService.istioSystem.name,
-        interval: '1h',
-        dependsOn: [
-          {
-            name: this.#istioBase.name,
-            namespace: this.#istioBase.namespace,
-          },
-        ],
-        chart: {
-          spec: {
-            chart: 'istiod',
-            version: '1.24.3',
-            sourceRef: {
-              apiVersion: 'source.toolkit.fluxcd.io/v1',
-              kind: 'HelmRepository',
-              name: repoService.istio.name,
-              namespace: repoService.istio.namespace,
-            },
-          },
-        },
-      },
-    });
-    await this.#istioGateway.ensure({
-      spec: {
-        targetNamespace: NAMESPACE,
-        interval: '1h',
-        dependsOn: [
-          {
-            name: this.#istioBase.name,
-            namespace: this.#istioBase.namespace,
-          },
-          {
-            name: this.#istiod.name,
-            namespace: this.#istiod.namespace,
-          },
-        ],
-        chart: {
-          spec: {
-            chart: 'gateway',
-            version: '1.24.3',
-            sourceRef: {
-              apiVersion: 'source.toolkit.fluxcd.io/v1',
-              kind: 'HelmRepository',
-              name: repoService.istio.name,
-              namespace: repoService.istio.namespace,
-            },
-          },
-        },
-      },
-    });
-  };
-}
-
-export { ReleaseService };

src/bootstrap/repos/repos.ts

@@ -1,72 +0,0 @@
-import type { Services } from '../../utils/service.ts';
-import { ResourceService } from '../../services/resources/resources.ts';
-import { NAMESPACE } from '../../utils/consts.ts';
-
-import { HelmRepo } from '#resources/flux/helm-repo/helm-repo.ts';
-
-class RepoService {
-  #jetstack: HelmRepo;
-  #istio: HelmRepo;
-  #authentik: HelmRepo;
-  #cloudflare: HelmRepo;
-  #argo: HelmRepo;
-
-  constructor(services: Services) {
-    const resourceService = services.get(ResourceService);
-    this.#jetstack = resourceService.get(HelmRepo, 'jetstack', NAMESPACE);
-    this.#istio = resourceService.get(HelmRepo, 'istio', NAMESPACE);
-    this.#authentik = resourceService.get(HelmRepo, 'authentik', NAMESPACE);
-    this.#cloudflare = resourceService.get(HelmRepo, 'cloudflare', NAMESPACE);
-    this.#argo = resourceService.get(HelmRepo, 'argo', NAMESPACE);
-
-    this.#jetstack.on('changed', this.ensure);
-    this.#istio.on('changed', this.ensure);
-    this.#authentik.on('changed', this.ensure);
-    this.#cloudflare.on('changed', this.ensure);
-    this.#argo.on('changed', this.ensure);
-  }
-
-  public get jetstack() {
-    return this.#jetstack;
-  }
-
-  public get istio() {
-    return this.#istio;
-  }
-
-  public get authentik() {
-    return this.#authentik;
-  }
-
-  public get cloudflare() {
-    return this.#cloudflare;
-  }
-
-  public get argo() {
-    return this.#argo;
-  }
-
-  public ensure = async () => {
-    await this.#jetstack.set({
-      url: 'https://charts.jetstack.io',
-    });
-
-    await this.#istio.set({
-      url: 'https://istio-release.storage.googleapis.com/charts',
-    });
-
-    await this.#authentik.set({
-      url: 'https://charts.goauthentik.io',
-    });
-
-    await this.#cloudflare.set({
-      url: 'https://cloudflare.github.io/helm-charts',
-    });
-
-    await this.#argo.set({
-      url: 'https://argoproj.github.io/argo-helm',
-    });
-  };
-}
-
-export { RepoService };

src/custom-resouces/authentik-client/authentik-client.resource.ts

@@ -0,0 +1,178 @@
+import type { V1Secret } from '@kubernetes/client-node';
+import type { z } from 'zod';
+
+import {
+  CustomResource,
+  type CustomResourceOptions,
+  type SubresourceResult,
+} from '../../services/custom-resources/custom-resources.custom-resource.ts';
+import { ResourceReference } from '../../services/resources/resources.ref.ts';
+import { ResourceService, type Resource } from '../../services/resources/resources.ts';
+import { getWithNamespace } from '../../utils/naming.ts';
+import { decodeSecret, encodeSecret } from '../../utils/secrets.ts';
+import { CONTROLLED_LABEL } from '../../utils/consts.ts';
+import { isDeepSubset } from '../../utils/objects.ts';
+import { AuthentikService } from '../../services/authentik/authentik.service.ts';
+
+import {
+  authentikClientSecretSchema,
+  authentikClientServerSecretSchema,
+  type authentikClientSpecSchema,
+} from './authentik-client.schemas.ts';
+
+class AuthentikClientResource extends CustomResource<typeof authentikClientSpecSchema> {
+  #serverSecret: ResourceReference<V1Secret>;
+  #clientSecretResource: Resource<V1Secret>;
+
+  constructor(options: CustomResourceOptions<typeof authentikClientSpecSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+
+    this.#serverSecret = new ResourceReference();
+    this.#clientSecretResource = resourceService.get({
+      apiVersion: 'v1',
+      kind: 'Secret',
+      name: `authentik-client-${this.name}`,
+      namespace: this.namespace,
+    });
+
+    this.#updateResouces();
+
+    this.#serverSecret.on('changed', this.queueReconcile);
+    this.#clientSecretResource.on('changed', this.queueReconcile);
+  }
+
+  #updateResouces = () => {
+    const serverSecretNames = getWithNamespace(this.spec.secretRef, this.namespace);
+    const resourceService = this.services.get(ResourceService);
+    this.#serverSecret.current = resourceService.get({
+      apiVersion: 'v1',
+      kind: 'Secret',
+      name: serverSecretNames.name,
+      namespace: serverSecretNames.namespace,
+    });
+  };
+
+  #reconcileClientSecret = async (): Promise<SubresourceResult> => {
+    const serverSecret = this.#serverSecret.current;
+    if (!serverSecret?.exists || !serverSecret.data) {
+      return {
+        ready: false,
+        failed: true,
+        message: 'Server or server secret not found',
+      };
+    }
+    const serverSecretData = authentikClientServerSecretSchema.safeParse(decodeSecret(serverSecret.data));
+    if (!serverSecretData.success || !serverSecretData.data) {
+      return {
+        ready: false,
+        failed: true,
+        message: 'Server secret not found',
+      };
+    }
+    const url = serverSecretData.data.external_url;
+    const appName = this.name;
+    const clientSecretData = authentikClientSecretSchema.safeParse(decodeSecret(this.#clientSecretResource.data));
+
+    const expectedValues: z.infer<typeof authentikClientSecretSchema> = {
+      clientId: this.name,
+      clientSecret: clientSecretData.data?.clientSecret || crypto.randomUUID(),
+      configuration: new URL(`/application/o/${appName}/.well-known/openid-configuration`, url).toString(),
+      configurationIssuer: new URL(`/application/o/${appName}/`, url).toString(),
+      authorization: new URL(`/application/o/${appName}/authorize/`, url).toString(),
+      token: new URL(`/application/o/${appName}/token/`, url).toString(),
+      userinfo: new URL(`/application/o/${appName}/userinfo/`, url).toString(),
+      endSession: new URL(`/application/o/${appName}/end-session/`, url).toString(),
+      jwks: new URL(`/application/o/${appName}/jwks/`, url).toString(),
+    };
+    if (!isDeepSubset(clientSecretData.data, expectedValues)) {
+      await this.#clientSecretResource.patch({
+        metadata: {
+          ownerReferences: [this.ref],
+          labels: {
+            ...CONTROLLED_LABEL,
+          },
+        },
+        data: encodeSecret(expectedValues),
+      });
+      return {
+        ready: false,
+        syncing: true,
+        message: 'UpdatingManifest',
+      };
+    }
+    return {
+      ready: true,
+    };
+  };
+
+  #reconcileServer = async (): Promise<SubresourceResult> => {
+    const serverSecret = this.#serverSecret.current;
+    const clientSecret = this.#clientSecretResource;
+
+    if (!serverSecret?.exists || !serverSecret.data) {
+      return {
+        ready: false,
+        failed: true,
+        message: 'Server secret not found',
+      };
+    }
+
+    const serverSecretData = authentikClientServerSecretSchema.safeParse(decodeSecret(serverSecret.data));
+    if (!serverSecretData.success || !serverSecretData.data) {
+      return {
+        ready: false,
+        failed: true,
+        message: 'Server secret not found',
+      };
+    }
+
+    const clientSecretData = authentikClientSecretSchema.safeParse(decodeSecret(clientSecret.data));
+    if (!clientSecretData.success || !clientSecretData.data) {
+      return {
+        ready: false,
+        failed: true,
+        message: 'Client secret not found',
+      };
+    }
+
+    const authentikService = this.services.get(AuthentikService);
+    const authentikServer = authentikService.get({
+      url: {
+        internal: serverSecretData.data.internal_url,
+        external: serverSecretData.data.external_url,
+      },
+      token: serverSecretData.data.token,
+    });
+
+    (await authentikServer).upsertClient({
+      ...this.spec,
+      name: this.name,
+      secret: clientSecretData.data.clientSecret,
+    });
+
+    return {
+      ready: true,
+    };
+  };
+
+  public reconcile = async () => {
+    if (!this.exists || this.metadata?.deletionTimestamp) {
+      return;
+    }
+    this.#updateResouces();
+    await Promise.all([
+      this.reconcileSubresource('Secret', this.#reconcileClientSecret),
+      this.reconcileSubresource('Server', this.#reconcileServer),
+    ]);
+
+    const secretReady = this.conditions.get('Secret')?.status === 'True';
+    const serverReady = this.conditions.get('Server')?.status === 'True';
+
+    await this.conditions.set('Ready', {
+      status: secretReady && serverReady ? 'True' : 'False',
+    });
+  };
+}
+
+export { AuthentikClientResource };

src/custom-resouces/authentik-client/authentik-client.schemas.ts

@@ -0,0 +1,34 @@
+import { ClientTypeEnum, SubModeEnum } from '@goauthentik/api';
+import { z } from 'zod';
+
+const authentikClientSpecSchema = z.object({
+  secretRef: z.string(),
+  subMode: z.enum(SubModeEnum).optional(),
+  clientType: z.enum(ClientTypeEnum).optional(),
+  redirectUris: z.array(
+    z.object({
+      url: z.string(),
+      matchingMode: z.enum(['strict', 'regex']),
+    }),
+  ),
+});
+
+const authentikClientServerSecretSchema = z.object({
+  internal_url: z.string(),
+  external_url: z.string(),
+  token: z.string(),
+});
+
+const authentikClientSecretSchema = z.object({
+  clientId: z.string(),
+  clientSecret: z.string().optional(),
+  configuration: z.string(),
+  configurationIssuer: z.string(),
+  authorization: z.string(),
+  token: z.string(),
+  userinfo: z.string(),
+  endSession: z.string(),
+  jwks: z.string(),
+});
+
+export { authentikClientSpecSchema, authentikClientSecretSchema, authentikClientServerSecretSchema };

src/custom-resouces/authentik-client/authentik-client.ts

@@ -0,0 +1,19 @@
+import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
+import { GROUP } from '../../utils/consts.ts';
+
+import { AuthentikClientResource } from './authentik-client.resource.ts';
+import { authentikClientSpecSchema } from './authentik-client.schemas.ts';
+
+const authentikClientDefinition = createCustomResourceDefinition({
+  group: GROUP,
+  version: 'v1',
+  kind: 'AuthentikClient',
+  names: {
+    plural: 'authentikclients',
+    singular: 'authentikclient',
+  },
+  create: (options) => new AuthentikClientResource(options),
+  spec: authentikClientSpecSchema,
+});
+
+export { authentikClientDefinition };

src/custom-resouces/custom-resources.ts

@@ -0,0 +1,7 @@
+import { authentikClientDefinition } from './authentik-client/authentik-client.ts';
+import { generateSecretDefinition } from './generate-secret/generate-secret.ts';
+import { postgresDatabaseDefinition } from './postgres-database/postgres-database.ts';
+
+const customResources = [postgresDatabaseDefinition, authentikClientDefinition, generateSecretDefinition];
+
+export { customResources };

src/custom-resouces/generate-secret/generate-secret.resource.ts

@@ -0,0 +1,61 @@
+import type { V1Secret } from '@kubernetes/client-node';
+
+import {
+  CustomResource,
+  type CustomResourceOptions,
+} from '../../services/custom-resources/custom-resources.custom-resource.ts';
+import { Resource, ResourceService } from '../../services/resources/resources.ts';
+import { decodeSecret, encodeSecret } from '../../utils/secrets.ts';
+import { isDeepSubset } from '../../utils/objects.ts';
+
+import { generateSecrets } from './generate-secret.utils.ts';
+import { generateSecretSpecSchema } from './generate-secret.schemas.ts';
+
+class GenerateSecretResource extends CustomResource<typeof generateSecretSpecSchema> {
+  #secretResource: Resource<V1Secret>;
+
+  constructor(options: CustomResourceOptions<typeof generateSecretSpecSchema>) {
+    super(options);
+    const resourceService = this.services.get(ResourceService);
+
+    this.#secretResource = resourceService.get({
+      apiVersion: 'v1',
+      kind: 'Secret',
+      name: this.name,
+      namespace: this.namespace,
+    });
+
+    this.#secretResource.on('changed', this.queueReconcile);
+  }
+
+  public reconcile = async () => {
+    if (!this.exists || this.metadata?.deletionTimestamp) {
+      return;
+    }
+
+    const secrets = generateSecrets(this.spec);
+    const current = decodeSecret(this.#secretResource.data) || {};
+
+    const expected = {
+      ...current,
+      ...secrets,
+    };
+
+    if (!isDeepSubset(current, expected)) {
+      this.#secretResource.patch({
+        data: encodeSecret(expected),
+      });
+      this.conditions.set('SecretUpdated', {
+        status: 'False',
+        reason: 'SecretUpdated',
+      });
+    }
+
+    this.conditions.set('Ready', {
+      status: 'True',
+      reason: 'Ready',
+    });
+  };
+}
+
+export { GenerateSecretResource };

src/custom-resouces/generate-secret/generate-secret.schemas.ts

@@ -0,0 +1,17 @@
+import { z } from 'zod';
+
+const generateSecretFieldSchema = z.object({
+  name: z.string(),
+  value: z.string().optional(),
+  encoding: z.enum(['base64', 'base64url', 'hex', 'utf8', 'numeric']).optional(),
+  length: z.number().optional(),
+});
+
+const generateSecretSpecSchema = z.object({
+  fields: z.array(generateSecretFieldSchema),
+});
+
+type GenerateSecretField = z.infer<typeof generateSecretFieldSchema>;
+type GenerateSecretSpec = z.infer<typeof generateSecretSpecSchema>;
+
+export { generateSecretSpecSchema, type GenerateSecretField, type GenerateSecretSpec };

src/custom-resouces/generate-secret/generate-secret.ts

@@ -0,0 +1,19 @@
+import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
+import { GROUP } from '../../utils/consts.ts';
+
+import { GenerateSecretResource } from './generate-secret.resource.ts';
+import { generateSecretSpecSchema } from './generate-secret.schemas.ts';
+
+const generateSecretDefinition = createCustomResourceDefinition({
+  group: GROUP,
+  version: 'v1',
+  kind: 'GenerateSecret',
+  names: {
+    plural: 'generate-secrets',
+    singular: 'generate-secret',
+  },
+  spec: generateSecretSpecSchema,
+  create: (options) => new GenerateSecretResource(options),
+});
+
+export { generateSecretDefinition };

src/custom-resouces/postgres-database/portgres-database.schemas.ts

@@ -0,0 +1,22 @@
+import { z } from 'zod';
+
+const postgresDatabaseSpecSchema = z.object({
+  secretRef: z.string(),
+});
+
+const postgresDatabaseSecretSchema = z.object({
+  host: z.string(),
+  port: z.string(),
+  user: z.string(),
+  password: z.string(),
+});
+
+const postgresDatabaseConnectionSecretSchema = z.object({
+  host: z.string(),
+  port: z.string(),
+  user: z.string(),
+  password: z.string(),
+  database: z.string(),
+});
+
+export { postgresDatabaseSpecSchema, postgresDatabaseSecretSchema, postgresDatabaseConnectionSecretSchema };

src/custom-resouces/postgres-database/postgres-database.resource.ts

@@ -0,0 +1,181 @@
+import { z } from 'zod';
+import type { V1Secret } from '@kubernetes/client-node';
+
+import {
+  CustomResource,
+  type CustomResourceOptions,
+  type SubresourceResult,
+} from '../../services/custom-resources/custom-resources.custom-resource.ts';
+import { PostgresService } from '../../services/postgres/postgres.service.ts';
+import { ResourceReference } from '../../services/resources/resources.ref.ts';
+import { Resource, ResourceService } from '../../services/resources/resources.ts';
+import { getWithNamespace } from '../../utils/naming.ts';
+import { decodeSecret, encodeSecret } from '../../utils/secrets.ts';
+import { isDeepSubset } from '../../utils/objects.ts';
+
+import {
+  postgresDatabaseConnectionSecretSchema,
+  postgresDatabaseSecretSchema,
+  type postgresDatabaseSpecSchema,
+} from './portgres-database.schemas.ts';
+
+const SECRET_READY_CONDITION = 'Secret';
+const DATABASE_READY_CONDITION = 'Database';
+
+const secretDataSchema = z.object({
+  host: z.string(),
+  port: z.string().optional(),
+  database: z.string(),
+  user: z.string(),
+  password: z.string(),
+});
+
+class PostgresDatabaseResource extends CustomResource<typeof postgresDatabaseSpecSchema> {
+  #serverSecret: ResourceReference<V1Secret>;
+  #databaseSecret: Resource<V1Secret>;
+
+  constructor(options: CustomResourceOptions<typeof postgresDatabaseSpecSchema>) {
+    super(options);
+    this.#serverSecret = new ResourceReference();
+
+    const resourceService = this.services.get(ResourceService);
+    this.#databaseSecret = resourceService.get({
+      apiVersion: 'v1',
+      kind: 'Secret',
+      name: `${this.name}-connection`,
+      namespace: this.namespace,
+    });
+
+    this.#updateSecret();
+    this.#serverSecret.on('changed', this.queueReconcile);
+  }
+
+  get #dbName() {
+    return `${this.namespace}_${this.name}`;
+  }
+
+  get #userName() {
+    return `${this.namespace}_${this.name}`;
+  }
+
+  #updateSecret = () => {
+    const resourceService = this.services.get(ResourceService);
+    const secretNames = getWithNamespace(this.spec.secretRef, this.namespace);
+    this.#serverSecret.current = resourceService.get({
+      apiVersion: 'v1',
+      kind: 'Secret',
+      name: secretNames.name,
+      namespace: secretNames.namespace,
+    });
+  };
+
+  #reconcileSecret = async (): Promise<SubresourceResult> => {
+    const serverSecret = this.#serverSecret.current;
+    const databaseSecret = this.#databaseSecret;
+
+    if (!serverSecret?.exists || !serverSecret.data) {
+      return {
+        ready: false,
+        failed: true,
+        reason: 'MissingConnectionSecret',
+      };
+    }
+    const serverSecretData = postgresDatabaseSecretSchema.safeParse(decodeSecret(serverSecret.data));
+    if (!serverSecretData.success || !serverSecretData.data) {
+      return {
+        ready: false,
+        syncing: true,
+        reason: 'SecretMissing',
+      };
+    }
+    const databaseSecretData = postgresDatabaseConnectionSecretSchema.safeParse(decodeSecret(databaseSecret.data));
+    const expectedSecret = {
+      password: crypto.randomUUID(),
+      host: serverSecretData.data.host,
+      port: serverSecretData.data.port,
+      user: this.#userName,
+      database: this.#dbName,
+    };
+
+    if (!isDeepSubset(databaseSecretData.data, expectedSecret)) {
+      databaseSecret.patch({
+        data: encodeSecret(expectedSecret),
+      });
+      return {
+        ready: false,
+        syncing: true,
+        reason: 'SecretNotReady',
+      };
+    }
+
+    return {
+      ready: true,
+    };
+  };
+
+  #reconcileDatabase = async (): Promise<SubresourceResult> => {
+    const connectionSecret = this.#serverSecret.current;
+    if (!connectionSecret?.exists || !connectionSecret.data) {
+      return {
+        ready: false,
+        failed: true,
+        reason: 'MissingConnectionSecret',
+      };
+    }
+
+    const connectionSecretData = postgresDatabaseSecretSchema.safeParse(decodeSecret(connectionSecret.data));
+    if (!connectionSecretData.success || !connectionSecretData.data) {
+      return {
+        ready: false,
+        syncing: true,
+        reason: 'SecretMissing',
+      };
+    }
+
+    const secretData = postgresDatabaseConnectionSecretSchema.safeParse(decodeSecret(this.#serverSecret.current?.data));
+    if (!secretData.success || !secretData.data) {
+      return {
+        ready: false,
+        syncing: true,
+        reason: 'ConnectionSecretMissing',
+      };
+    }
+
+    const postgresService = this.services.get(PostgresService);
+    const database = postgresService.get({
+      ...connectionSecretData.data,
+      port: connectionSecretData.data.port ? Number(connectionSecretData.data.port) : 5432,
+    });
+    await database.upsertRole({
+      name: secretData.data.user,
+      password: secretData.data.password,
+    });
+    await database.upsertDatabase({
+      name: secretData.data.database,
+      owner: secretData.data.user,
+    });
+
+    return {
+      ready: true,
+    };
+  };
+
+  public reconcile = async () => {
+    if (!this.exists || this.metadata?.deletionTimestamp) {
+      return;
+    }
+    this.#updateSecret();
+    await Promise.allSettled([
+      await this.reconcileSubresource(DATABASE_READY_CONDITION, this.#reconcileDatabase),
+      await this.reconcileSubresource(SECRET_READY_CONDITION, this.#reconcileSecret),
+    ]);
+
+    const secretReady = this.conditions.get(SECRET_READY_CONDITION)?.status === 'True';
+    const databaseReady = this.conditions.get(DATABASE_READY_CONDITION)?.status === 'True';
+    await this.conditions.set('Ready', {
+      status: secretReady && databaseReady ? 'True' : 'False',
+    });
+  };
+}
+
+export { PostgresDatabaseResource, secretDataSchema as postgresDatabaseSecretSchema };

src/custom-resouces/postgres-database/postgres-database.ts

@@ -0,0 +1,19 @@
+import { createCustomResourceDefinition } from '../../services/custom-resources/custom-resources.ts';
+import { GROUP } from '../../utils/consts.ts';
+
+import { postgresDatabaseSpecSchema } from './portgres-database.schemas.ts';
+import { PostgresDatabaseResource } from './postgres-database.resource.ts';
+
+const postgresDatabaseDefinition = createCustomResourceDefinition({
+  group: GROUP,
+  version: 'v1',
+  kind: 'PostgresDatabase',
+  names: {
+    plural: 'postgresdatabases',
+    singular: 'postgresdatabase',
+  },
+  spec: postgresDatabaseSpecSchema,
+  create: (options) => new PostgresDatabaseResource(options),
+});
+
+export { postgresDatabaseDefinition };

src/index.ts

@@ -1,17 +1,82 @@
-import { ResourceService } from './services/resources/resources.ts';
-import { Services } from './utils/service.ts';
-import { BootstrapService } from './bootstrap/bootstrap.ts';
+import 'dotenv/config';
+import { ApiException } from '@kubernetes/client-node';
 
-import { resources } from '#resources/resources.ts';
-import { homelab } from '#resources/homelab/homelab.ts';
+import { Services } from './utils/service.ts';
+import { CustomResourceService } from './services/custom-resources/custom-resources.ts';
+import { WatcherService } from './services/watchers/watchers.ts';
+import { customResources } from './custom-resouces/custom-resources.ts';
+import { StorageProvider } from './storage-provider/storage-provider.ts';
+
+process.on('uncaughtException', (error) => {
+  console.log('UNCAUGHT EXCEPTION');
+  if (error instanceof ApiException) {
+    return console.error(error.body);
+  }
+  console.error(error);
+  process.exit(1);
+});
+
+process.on('unhandledRejection', (error) => {
+  console.log('UNHANDLED REJECTION');
+  if (error instanceof Error) {
+    console.error(error.stack);
+  }
+  if (error instanceof ApiException) {
+    return console.error(error.body);
+  }
+  console.error(error);
+  process.exit(1);
+});
 
 const services = new Services();
-const resourceService = services.get(ResourceService);
+const watcherService = services.get(WatcherService);
+const storageProvider = services.get(StorageProvider);
+await storageProvider.start();
+await watcherService
+  .create({
+    path: '/apis/apiextensions.k8s.io/v1/customresourcedefinitions',
+    list: async (k8s) => {
+      return await k8s.extensionsApi.listCustomResourceDefinition();
+    },
+    verbs: ['add', 'update', 'delete'],
+    transform: (manifest) => ({
+      apiVersion: 'apiextensions.k8s.io/v1',
+      kind: 'CustomResourceDefinition',
+      ...manifest,
+    }),
+  })
+  .start();
+await watcherService
+  .create({
+    path: '/api/v1/secrets',
+    list: async (k8s) => {
+      return await k8s.api.listSecretForAllNamespaces();
+    },
+    verbs: ['add', 'update', 'delete'],
+    transform: (manifest) => ({
+      apiVersion: 'v1',
+      kind: 'Secret',
+      ...manifest,
+    }),
+  })
+  .start();
+await watcherService
+  .create({
+    path: '/apis/apps/v1/deployments',
+    list: async (k8s) => {
+      return await k8s.apps.listDeploymentForAllNamespaces({});
+    },
+    verbs: ['add', 'update', 'delete'],
+    transform: (manifest) => ({
+      apiVersion: 'apps/v1',
+      kind: 'Deployment',
+      ...manifest,
+    }),
+  })
+  .start();
 
-await resourceService.install(...Object.values(homelab));
-await resourceService.register(...Object.values(resources));
+const customResourceService = services.get(CustomResourceService);
+customResourceService.register(...customResources);
 
-const bootstrapService = services.get(BootstrapService);
-await bootstrapService.ensure();
-
-console.log('Started');
+await customResourceService.install(true);
+// await customResourceService.watch();

src/resources/cert-manager/cert-manager.ts

@@ -1,9 +0,0 @@
-import { Certificate } from './certificate/certificate.ts';
-
-import type { ResourceClass } from '#services/resources/resources.ts';
-
-const certManager = {
-  certificate: Certificate,
-} satisfies Record<string, ResourceClass<ExpectedAny>>;
-
-export { certManager };

src/resources/cert-manager/certificate/certificate.ts

@@ -1,37 +0,0 @@
-import type { KubernetesObject } from '@kubernetes/client-node';
-import type { K8SCertificateV1 } from 'src/__generated__/resources/K8SCertificateV1.ts';
-
-import { CRD } from '#resources/core/crd/crd.ts';
-import { Resource, ResourceService, type ResourceOptions } from '#services/resources/resources.ts';
-import { NotReadyError } from '#utils/errors.ts';
-
-class Certificate extends Resource<KubernetesObject & K8SCertificateV1> {
-  public static readonly apiVersion = 'cert-manager.io/v1';
-  public static readonly kind = 'Certificate';
-
-  #crd: CRD;
-
-  constructor(options: ResourceOptions<KubernetesObject & K8SCertificateV1>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-    this.#crd = resourceService.get(CRD, 'certificates.cert-manager.io');
-    this.#crd.on('changed', this.#handleCrdChanged);
-  }
-
-  #handleCrdChanged = () => {
-    this.emit('changed', this.manifest);
-  };
-
-  public get hasCRD() {
-    return this.#crd.exists;
-  }
-
-  public set = async (manifest: KubernetesObject & K8SCertificateV1) => {
-    if (!this.hasCRD) {
-      throw new NotReadyError('MissingCRD', 'certificates.cert-manager.io does not exist');
-    }
-    return this.ensure(manifest);
-  };
-}
-
-export { Certificate };

src/resources/core/core.ts

@@ -1,23 +0,0 @@
-import { CRD } from './crd/crd.ts';
-import { Deployment } from './deployment/deployment.ts';
-import { Namespace } from './namespace/namespace.ts';
-import { PersistentVolume } from './pv/pv.ts';
-import { PVC } from './pvc/pvc.ts';
-import { Secret } from './secret/secret.ts';
-import { Service } from './service/service.ts';
-import { StatefulSet } from './stateful-set/stateful-set.ts';
-import { StorageClass } from './storage-class/storage-class.ts';
-
-const core = {
-  namespace: Namespace,
-  storageClass: StorageClass,
-  pvc: PVC,
-  pv: PersistentVolume,
-  secret: Secret,
-  crd: CRD,
-  service: Service,
-  deployment: Deployment,
-  statefulSet: StatefulSet,
-};
-
-export { core };

src/resources/core/crd/crd.ts

@@ -1,10 +0,0 @@
-import type { V1CustomResourceDefinition } from '@kubernetes/client-node';
-
-import { Resource } from '#services/resources/resources.ts';
-
-class CRD extends Resource<V1CustomResourceDefinition> {
-  public static readonly apiVersion = 'apiextensions.k8s.io/v1';
-  public static readonly kind = 'CustomResourceDefinition';
-}
-
-export { CRD };

src/resources/core/deployment/deployment.ts

@@ -1,10 +0,0 @@
-import type { V1Deployment } from '@kubernetes/client-node';
-
-import { Resource } from '#services/resources/resources.ts';
-
-class Deployment extends Resource<V1Deployment> {
-  public static readonly apiVersion = 'apps/v1';
-  public static readonly kind = 'Deployment';
-}
-
-export { Deployment };

src/resources/core/namespace/namespace.ts

@@ -1,10 +0,0 @@
-import type { V1Namespace } from '@kubernetes/client-node';
-
-import { Resource } from '#services/resources/resources.ts';
-
-class Namespace extends Resource<V1Namespace> {
-  public static readonly apiVersion = 'v1';
-  public static readonly kind = 'Namespace';
-}
-
-export { Namespace };

src/resources/core/pv/pv.ts

@@ -1,10 +0,0 @@
-import type { V1PersistentVolume } from '@kubernetes/client-node';
-
-import { Resource } from '#services/resources/resources.ts';
-
-class PersistentVolume extends Resource<V1PersistentVolume> {
-  public static readonly apiVersion = 'v1';
-  public static readonly kind = 'PersistentVolume';
-}
-
-export { PersistentVolume };

src/resources/core/pvc/pvc.ts

@@ -1,80 +0,0 @@
-import type { V1PersistentVolumeClaim } from '@kubernetes/client-node';
-
-import { StorageClass } from '../storage-class/storage-class.ts';
-import { PersistentVolume } from '../pv/pv.ts';
-
-import { Resource, ResourceService, type ResourceOptions } from '#services/resources/resources.ts';
-
-const PROVISIONER = 'homelab-operator';
-
-class PVC extends Resource<V1PersistentVolumeClaim> {
-  public static readonly apiVersion = 'v1';
-  public static readonly kind = 'PersistentVolumeClaim';
-
-  constructor(options: ResourceOptions<V1PersistentVolumeClaim>) {
-    super(options);
-    this.on('changed', this.reconcile);
-  }
-
-  public reconcile = async () => {
-    const storageClassName = this.spec?.storageClassName;
-    console.log('PVC', this.name, storageClassName);
-    if (!storageClassName) {
-      return;
-    }
-    const resourceService = this.services.get(ResourceService);
-    const storageClass = resourceService.get(StorageClass, storageClassName);
-
-    if (!storageClass.exists || storageClass.manifest?.provisioner !== PROVISIONER) {
-      return;
-    }
-    if (this.status?.phase === 'Pending' && !this.spec?.volumeName) {
-      await this.#provisionVolume(storageClass);
-    }
-  };
-
-  #provisionVolume = async (storageClass: StorageClass) => {
-    const pvName = `pv-${this.namespace}-${this.name}`;
-    const storageLocation = storageClass.manifest?.parameters?.storageLocation || '/data/volumes';
-    const target = `${storageLocation}/${this.namespace}/${this.name}`;
-
-    const resourceService = this.services.get(ResourceService);
-    const pv = resourceService.get(PersistentVolume, pvName);
-
-    await pv.ensure({
-      metadata: {
-        name: pvName,
-        labels: {
-          provisioner: PROVISIONER,
-          'pvc-namespace': this.namespace || 'default',
-          'pvc-name': this.name || 'unknown',
-        },
-        annotations: {
-          'pv.kubernetes.io/provisioned-by': PROVISIONER,
-        },
-      },
-      spec: {
-        hostPath: {
-          path: target,
-          type: 'DirectoryOrCreate',
-        },
-        capacity: {
-          storage: this.spec?.resources?.requests?.storage ?? '1Gi',
-        },
-        persistentVolumeReclaimPolicy: 'Retain',
-        accessModes: this.spec?.accessModes ?? ['ReadWriteOnce'],
-        storageClassName: this.spec?.storageClassName,
-        claimRef: {
-          uid: this.metadata?.uid,
-          resourceVersion: this.metadata?.resourceVersion,
-          apiVersion: this.apiVersion,
-          kind: 'PersistentVolumeClaim',
-          name: this.name,
-          namespace: this.namespace,
-        },
-      },
-    });
-  };
-}
-
-export { PVC, PROVISIONER };

src/resources/core/secret/secret.ts

@@ -1,25 +0,0 @@
-import type { KubernetesObject, V1Secret } from '@kubernetes/client-node';
-
-import { Resource } from '#services/resources/resources.ts';
-import { decodeSecret, encodeSecret } from '#utils/secrets.ts';
-
-type SetOptions<T extends Record<string, string | undefined>> = T | ((current: T | undefined) => T | Promise<T>);
-
-class Secret<T extends Record<string, string> = Record<string, string>> extends Resource<V1Secret> {
-  public static readonly apiVersion = 'v1';
-  public static readonly kind = 'Secret';
-
-  public get value() {
-    return decodeSecret(this.data) as T | undefined;
-  }
-
-  public set = async (options: SetOptions<T>, data?: KubernetesObject) => {
-    const value = typeof options === 'function' ? await Promise.resolve(options(this.value)) : options;
-    await this.ensure({
-      ...data,
-      data: encodeSecret(value),
-    });
-  };
-}
-
-export { Secret };

src/resources/core/service/service.ts

@@ -1,14 +0,0 @@
-import type { V1Service } from '@kubernetes/client-node';
-
-import { Resource } from '#services/resources/resources.ts';
-
-class Service extends Resource<V1Service> {
-  public static readonly apiVersion = 'v1';
-  public static readonly kind = 'Service';
-
-  public get hostname() {
-    return `${this.name}.${this.namespace}.svc.cluster.local`;
-  }
-}
-
-export { Service };

src/resources/core/stateful-set/stateful-set.ts

@@ -1,10 +0,0 @@
-import type { V1StatefulSet } from '@kubernetes/client-node';
-
-import { Resource } from '#services/resources/resources.ts';
-
-class StatefulSet extends Resource<V1StatefulSet> {
-  public static readonly apiVersion = 'apps/v1';
-  public static readonly kind = 'StatefulSet';
-}
-
-export { StatefulSet };

src/resources/core/storage-class/storage-class.ts

@@ -1,11 +0,0 @@
-import type { V1StorageClass } from '@kubernetes/client-node';
-
-import { Resource } from '#services/resources/resources.ts';
-
-class StorageClass extends Resource<V1StorageClass> {
-  public static readonly apiVersion = 'storage.k8s.io/v1';
-  public static readonly kind = 'StorageClass';
-  public static readonly plural = 'storageclasses';
-}
-
-export { StorageClass };

src/resources/flux/flux.ts

@@ -1,11 +0,0 @@
-import { HelmRelease } from './helm-release/helm-release.ts';
-import { HelmRepo } from './helm-repo/helm-repo.ts';
-
-import type { ResourceClass } from '#services/resources/resources.ts';
-
-const flux = {
-  helmRelease: HelmRelease,
-  helmRepo: HelmRepo,
-} satisfies Record<string, ResourceClass<ExpectedAny>>;
-
-export { flux };

src/resources/flux/helm-release/helm-release.ts

@@ -1,42 +0,0 @@
-import type { KubernetesObject } from '@kubernetes/client-node';
-import type { K8SHelmReleaseV2 } from 'src/__generated__/resources/K8SHelmReleaseV2.ts';
-
-import { Resource } from '#services/resources/resources.ts';
-
-type SetOptions = {
-  namespace?: string;
-  values?: Record<string, unknown>;
-  chart: {
-    name: string;
-    namespace?: string;
-  };
-};
-
-class HelmRelease extends Resource<KubernetesObject & K8SHelmReleaseV2> {
-  public static readonly apiVersion = 'helm.toolkit.fluxcd.io/v2';
-  public static readonly kind = 'HelmRelease';
-
-  public set = async (options: SetOptions) => {
-    return await this.ensure({
-      spec: {
-        targetNamespace: options.namespace,
-        interval: '1h',
-        values: options.values,
-        chart: {
-          spec: {
-            chart: 'cert-manager',
-            version: 'v1.18.2',
-            sourceRef: {
-              apiVersion: 'source.toolkit.fluxcd.io/v1',
-              kind: 'HelmRepository',
-              name: options.chart.name,
-              namespace: options.chart.namespace,
-            },
-          },
-        },
-      },
-    });
-  };
-}
-
-export { HelmRelease };

src/resources/flux/helm-repo/helm-repo.ts

@@ -1,24 +0,0 @@
-import type { KubernetesObject } from '@kubernetes/client-node';
-import type { K8SHelmRepositoryV1 } from 'src/__generated__/resources/K8SHelmRepositoryV1.ts';
-
-import { Resource } from '#services/resources/resources.ts';
-
-type SetOptions = {
-  url: string;
-};
-class HelmRepo extends Resource<KubernetesObject & K8SHelmRepositoryV1> {
-  public static readonly apiVersion = 'source.toolkit.fluxcd.io/v1';
-  public static readonly kind = 'HelmRepository';
-  public static readonly plural = 'helmrepositories';
-
-  public set = async ({ url }: SetOptions) => {
-    await this.ensure({
-      spec: {
-        interval: '1h',
-        url,
-      },
-    });
-  };
-}
-
-export { HelmRepo };

src/resources/homelab/authentik-server/authentik-server.ts

@@ -1,274 +0,0 @@
-import { z } from 'zod';
-
-import { PostgresDatabase } from '../postgres-database/postgres-database.ts';
-import { Environment } from '../environment/environment.ts';
-
-import {
-  CustomResource,
-  ResourceReference,
-  ResourceService,
-  type CustomResourceOptions,
-} from '#services/resources/resources.ts';
-import { API_VERSION } from '#utils/consts.ts';
-import { Secret } from '#resources/core/secret/secret.ts';
-import { generateRandomHexPass } from '#utils/secrets.ts';
-import { Service } from '#resources/core/service/service.ts';
-import { HelmRelease } from '#resources/flux/helm-release/helm-release.ts';
-import { RepoService } from '#bootstrap/repos/repos.ts';
-import { DestinationRule } from '#resources/istio/destination-rule/destination-rule.ts';
-import { NotReadyError } from '#utils/errors.ts';
-import { ExternalHttpService } from '../external-http-service.ts/external-http-service.ts';
-
-const specSchema = z.object({
-  environment: z.string(),
-  subdomain: z.string().optional(),
-});
-
-type SecretData = { url: string; host: string; token: string };
-type InitSecretData = {
-  AUTHENTIK_BOOTSTRAP_TOKEN: string;
-  AUTHENTIK_BOOTSTRAP_PASSWORD: string;
-  AUTHENTIK_BOOTSTRAP_EMAIL: string;
-  AUTHENTIK_SECRET_KEY: string;
-};
-
-class AuthentikServer extends CustomResource<typeof specSchema> {
-  public static readonly apiVersion = API_VERSION;
-  public static readonly kind = 'AuthentikServer';
-  public static readonly spec = specSchema;
-  public static readonly scope = 'Namespaced';
-
-  #environment: ResourceReference<typeof Environment>;
-  #database: PostgresDatabase;
-  #secret: Secret<SecretData>;
-  #initSecret: Secret<InitSecretData>;
-  #service: Service;
-  #helmRelease: HelmRelease;
-  #externalHttpService: ExternalHttpService;
-  #destinationRule: DestinationRule;
-
-  constructor(options: CustomResourceOptions<typeof specSchema>) {
-    super(options);
-
-    const resourceService = this.services.get(ResourceService);
-    this.#environment = new ResourceReference();
-    this.#environment.on('changed', this.queueReconcile);
-
-    this.#database = resourceService.get(PostgresDatabase, this.name, this.namespace);
-    this.#database.on('changed', this.queueReconcile);
-
-    this.#secret = resourceService.get(Secret<SecretData>, this.name, this.namespace);
-    this.#secret.on('changed', this.queueReconcile);
-
-    this.#initSecret = resourceService.get(Secret<InitSecretData>, `${this.name}-init`, this.namespace);
-
-    this.#service = resourceService.get(Service, `${this.name}-server`, this.namespace);
-    // this.#service.on('changed', this.queueReconcile);
-
-    this.#helmRelease = resourceService.get(HelmRelease, this.name, this.namespace);
-    this.#helmRelease.on('changed', this.queueReconcile);
-
-    this.#destinationRule = resourceService.get(DestinationRule, this.name, this.namespace);
-    this.#destinationRule.on('changed', this.queueReconcile);
-
-    this.#externalHttpService = resourceService.get(ExternalHttpService, this.name, this.namespace);
-  }
-
-  public get service() {
-    return this.#service;
-  }
-
-  public get secret() {
-    return this.#secret;
-  }
-
-  public get subdomain() {
-    return this.spec?.subdomain || 'authentik';
-  }
-
-  public get domain() {
-    return `${this.subdomain}.${this.#environment.current?.spec?.domain}`;
-  }
-
-  public get url() {
-    return `https://${this.domain}`;
-  }
-
-  public reconcile = async () => {
-    if (!this.spec) {
-      throw new NotReadyError('MissingSpec');
-    }
-    const resourceService = this.services.get(ResourceService);
-
-    this.#environment.current = resourceService.get(Environment, this.spec.environment);
-    if (!this.#environment.current.spec) {
-      throw new NotReadyError('MissingEnvSpev');
-    }
-
-    await this.#database.ensure({
-      metadata: {
-        ownerReferences: [this.ref],
-      },
-      spec: {
-        environment: this.#environment.current.name,
-      },
-    });
-
-    const databaseSecret = this.#database.secret.value;
-    if (!databaseSecret) {
-      throw new NotReadyError('MissingDatabaseSecret');
-    }
-
-    await this.#initSecret.set(
-      (current) => ({
-        AUTHENTIK_BOOTSTRAP_EMAIL: 'admin@example.com',
-        AUTHENTIK_BOOTSTRAP_PASSWORD: generateRandomHexPass(24),
-        AUTHENTIK_BOOTSTRAP_TOKEN: generateRandomHexPass(32),
-        AUTHENTIK_SECRET_KEY: generateRandomHexPass(32),
-        ...current,
-      }),
-      {
-        metadata: {
-          ownerReferences: [this.ref],
-        },
-      },
-    );
-
-    const initSecret = this.#initSecret.value;
-    if (!initSecret) {
-      throw new NotReadyError('MissingInitSecret');
-    }
-
-    const domain = `${this.spec?.subdomain || 'authentik'}.${this.#environment.current.spec.domain}`;
-    await this.#secret.set(
-      {
-        url: `https://${domain}`,
-        host: this.#service.hostname,
-        token: initSecret.AUTHENTIK_BOOTSTRAP_TOKEN,
-      },
-      {
-        metadata: {
-          ownerReferences: [this.ref],
-        },
-      },
-    );
-    const secret = this.#secret.value;
-    if (!secret) {
-      throw new NotReadyError('MissingSecret');
-    }
-
-    const repoService = this.services.get(RepoService);
-
-    await this.#helmRelease.ensure({
-      metadata: {
-        ownerReferences: [this.ref],
-      },
-      spec: {
-        interval: '60m',
-        chart: {
-          spec: {
-            chart: 'authentik',
-            version: '2025.6.4',
-            sourceRef: {
-              apiVersion: 'source.toolkit.fluxcd.io/v1',
-              kind: 'HelmRepository',
-              name: repoService.authentik.name,
-              namespace: repoService.authentik.namespace,
-            },
-          },
-        },
-        values: {
-          global: {
-            envFrom: [
-              {
-                secretRef: {
-                  name: this.#initSecret.name,
-                },
-              },
-            ],
-          },
-          authentik: {
-            error_reporting: {
-              enabled: false,
-            },
-            postgresql: {
-              host: databaseSecret.host,
-              name: databaseSecret.database,
-              user: databaseSecret.user,
-              password: 'file:///postgres-creds/password',
-            },
-            redis: {
-              host: this.#environment.current.redisServer.service.hostname,
-            },
-          },
-          server: {
-            volumes: [
-              {
-                name: 'postgres-creds',
-                secret: {
-                  secretName: this.#database.secret.name,
-                },
-              },
-            ],
-            volumeMounts: [
-              {
-                name: 'postgres-creds',
-                mountPath: '/postgres-creds',
-                readOnly: true,
-              },
-            ],
-          },
-          worker: {
-            volumes: [
-              {
-                name: 'postgres-creds',
-                secret: {
-                  secretName: this.#database.secret.name,
-                },
-              },
-            ],
-            volumeMounts: [
-              {
-                name: 'postgres-creds',
-                mountPath: '/postgres-creds',
-                readOnly: true,
-              },
-            ],
-          },
-        },
-      },
-    });
-
-    await this.#destinationRule.ensure({
-      metadata: {
-        ownerReferences: [this.ref],
-      },
-      spec: {
-        host: this.#service.hostname,
-        trafficPolicy: {
-          tls: {
-            mode: 'DISABLE',
-          },
-        },
-      },
-    });
-
-    await this.#externalHttpService.ensure({
-      metadata: {
-        ownerReferences: [this.ref],
-      },
-      spec: {
-        environment: this.spec.environment,
-        subdomain: this.spec.subdomain || 'authentik',
-        destination: {
-          host: this.#service.hostname,
-          port: {
-            number: 80,
-          },
-        },
-      },
-    });
-  };
-}
-
-export { AuthentikServer };

src/resources/homelab/cloudflare-tunnel/cloudflare-tunnel.ts

@@ -1,111 +0,0 @@
-import {
-  CustomResource,
-  Resource,
-  ResourceService,
-  type CustomResourceOptions,
-} from '#services/resources/resources.ts';
-import z from 'zod';
-import { ExternalHttpService } from '../external-http-service.ts/external-http-service.ts';
-import { API_VERSION } from '#utils/consts.ts';
-import { HelmRelease } from '#resources/flux/helm-release/helm-release.ts';
-import { RepoService } from '#bootstrap/repos/repos.ts';
-import { Secret } from '#resources/core/secret/secret.ts';
-import { NotReadyError } from '#utils/errors.ts';
-import { NamespaceService } from '#bootstrap/namespaces/namespaces.ts';
-import { CloudflareService } from '#services/cloudflare/cloudflare.ts';
-
-const specSchema = z.object({});
-
-type SecretData = {
-  account: string;
-  tunnelName: string;
-  tunnelId: string;
-  secret: string;
-};
-class CloudflareTunnel extends CustomResource<typeof specSchema> {
-  public static readonly apiVersion = API_VERSION;
-  public static readonly kind = 'CloudflareTunnel';
-  public static readonly spec = specSchema;
-  public static readonly scope = 'Cluster';
-
-  #helmRelease: HelmRelease;
-  #secret: Secret<SecretData>;
-  #cloudflareService;
-
-  constructor(options: CustomResourceOptions<typeof specSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-    const namespaceService = this.services.get(NamespaceService);
-    const namespace = namespaceService.homelab.name;
-    resourceService.on('changed', this.#handleResourceChanged);
-
-    this.#helmRelease = resourceService.get(HelmRelease, this.name, namespace);
-    this.#secret = resourceService.get(Secret<SecretData>, 'cloudflare', namespace);
-    this.#secret.on('changed', this.queueReconcile);
-
-    this.#cloudflareService = this.services.get(CloudflareService);
-    this.#cloudflareService.on('changed', this.queueReconcile);
-  }
-
-  #handleResourceChanged = (resource: Resource<ExpectedAny>) => {
-    if (resource instanceof CloudflareTunnel) {
-      this.queueReconcile();
-    }
-  };
-
-  public reconcile = async () => {
-    const secret = this.#secret.value;
-    if (!secret) {
-      throw new NotReadyError('MissingSecret', `Secret ${this.#secret.namespace}/${this.#secret.name} does not exist`);
-    }
-    const resourceService = this.services.get(ResourceService);
-    const repoService = this.services.get(RepoService);
-    const routes = resourceService.getAllOfKind(ExternalHttpService);
-    const ingress = routes.map(({ rule }) => ({
-      hostname: rule?.hostname,
-      service: `http://${rule?.destination.host}:${rule?.destination.port.number}`,
-    }));
-    if (this.#cloudflareService.ready) {
-      for (const route of ingress) {
-        if (!route.hostname) {
-          continue;
-        }
-        try {
-          await this.#cloudflareService.ensureTunnel(route.hostname);
-        } catch (err) {
-          console.error(err);
-        }
-      }
-    }
-    await this.#helmRelease.ensure({
-      metadata: {
-        ownerReferences: [this.ref],
-      },
-      spec: {
-        interval: '1h',
-        values: {
-          cloudflare: {
-            account: secret.account,
-            tunnelName: secret.tunnelName,
-            tunnelId: secret.tunnelId,
-            secret: secret.secret,
-            ingress,
-          },
-        },
-        chart: {
-          spec: {
-            chart: 'cloudflare-tunnel',
-            sourceRef: {
-              apiVersion: 'source.toolkit.fluxcd.io/v1',
-              kind: 'HelmRepository',
-              name: repoService.cloudflare.name,
-              namespace: repoService.cloudflare.namespace,
-            },
-          },
-        },
-      },
-    });
-  };
-}
-
-export { CloudflareTunnel };