Migrate flux to v2.7 APIs

Architecture.md

@@ -55,7 +55,12 @@ Yay! you now have an interface, and an IP address to broadcast on :D
 ```sh
 op connect server create cluster --vaults cluster
 op connect token create cluster --server <Server ID> --vault cluster
+# Copy this and paste this to `cluster/1password-token/password`
 
-kubectl create secret generic -n 1password-system 1password-credentials  --from-literal=password="$(op read 'op://cluster/1password-credentials/1password-credentials.json')"
+cat 1password-credentials.json | base64 |  tr '/+' '_-' | tr -d '=' | tr -d '\n' > password
-kubectl create secret generic -n 1password-system 1password-token  --from-literal password="$(op read 'op://cluster/1password-token/password')"
+# Upload this file to `cluster/1password-credentials/password`
+mv token password
+# Upload this file to `cluster/1password-token/password`
+kubectl create secret generic -n 1password-system 1password-credentials  --from-literal=password="$(op read -n 'op://cluster/1password-credentials/1password-credentials.json')"
+kubectl create secret generic -n 1password-system 1password-token  --from-literal password="$(op read -n 'op://cluster/1password-token/password')"
 ```

apps/base/gitea.yaml

@@ -43,7 +43,7 @@ spec:
         kind: HelmRepository
         name: gitea-repo
         namespace: flux-system
-      version: v12.3.x
+      version: v12.4.x
   interval: 1m0s
   releaseName: gitea
   values:
@@ -78,8 +78,8 @@ spec:
       enabled: false
     valkey:
       enabled: true
-      image:
+      # image:
-        repository: bitnamilegacy/valkey
+      #   repository: bitnamilegacy/valkey
       global:
         security:
           allowInsecureImages: true
@@ -88,9 +88,6 @@ spec:
       #   existingSecretPasswordKey: password
     postgresql:
       enabled: true
-      image:
-        repository: bitnamilegacy/postgresql
-        tag: 16.3.0-debian-12-r23
       global:
         security:
           allowInsecureImages: true
@@ -104,6 +101,15 @@ spec:
     gitea:
       admin:
         existingSecret: gitea-admin-password
+      livenessProbe:
+        httpGet:
+          path: /api/healthz
+          port: http
+        initialDelaySeconds: 200
+        timeoutSeconds: 5
+        periodSeconds: 10
+        successThreshold: 1
+        failureThreshold: 10
       config:
         server:
           SSH_PORT: 2222

apps/base/proxmox.yaml

@@ -84,7 +84,7 @@ spec:
       targetPort: https
   type: ClusterIP
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImageRepository
 metadata:
   name: tcp-proxy
@@ -93,7 +93,7 @@ spec:
   image: harbor.yadunut.dev/yadunut/tcp_proxy
   interval: 1m0s
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImagePolicy
 metadata:
   name: tcp-proxy

apps/base/yadunut-dev.yaml

@@ -22,7 +22,7 @@ spec:
     spec:
       containers:
         - name: yadunut-dev
-          image: harbor.yadunut.dev/yadunut/yadunut.dev:sha-468e389-1759339786 # {"$imagepolicy": "flux-system:yadunut-dev"}
+          image: harbor.yadunut.dev/yadunut/yadunut.dev:sha-736d6e9-1759901009 # {"$imagepolicy": "flux-system:yadunut-dev"}
           ports:
             - containerPort: 80
               name: http
@@ -61,7 +61,7 @@ spec:
                 port:
                   name: http
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImageRepository
 metadata:
   name: yadunut-dev
@@ -70,7 +70,7 @@ spec:
   image: harbor.yadunut.dev/yadunut/yadunut.dev
   interval: 1m0s
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImagePolicy
 metadata:
   name: yadunut-dev

cluster/base/apps.yaml

@@ -16,7 +16,7 @@ spec:
   timeout: 5m0s
   wait: true
 ---
-apiVersion: image.toolkit.fluxcd.io/v1beta2
+apiVersion: image.toolkit.fluxcd.io/v1
 kind: ImageUpdateAutomation
 metadata:
   name: flux-system

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1745630506,
+        "lastModified": 1754433428,
-        "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
+        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "96e078c646b711aee04b82ba01aefbff87004ded",
+        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
         "type": "github"
       },
       "original": {
@@ -52,11 +52,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746729224,
+        "lastModified": 1758287904,
-        "narHash": "sha256-9R4sOLAK1w3Bq54H3XOJogdc7a6C2bLLmatOQ+5pf5w=",
+        "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "85555d27ded84604ad6657ecca255a03fd878607",
+        "rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
         "type": "github"
       },
       "original": {
@@ -127,11 +127,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742568034,
+        "lastModified": 1751903740,
-        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
+        "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
+        "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
         "type": "github"
       },
       "original": {
@@ -142,11 +142,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1746576598,
+        "lastModified": 1759826507,
-        "narHash": "sha256-FshoQvr6Aor5SnORVvh/ZdJ1Sa2U4ZrIMwKBX5k2wu0=",
+        "narHash": "sha256-vwXL9H5zDHEQA0oFpww2one0/hkwnPAjc47LRph6d0I=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b3582c75c7f21ce0b429898980eddbbf05c68e55",
+        "rev": "bce5fe2bb998488d8e7e7856315f90496723793c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -18,20 +18,33 @@
     };
   };
 
-  outputs = { flake-utils,nixpkgs, nixos-generators, agenix, ... }: {
+  outputs =
+    {
+      flake-utils,
+      nixpkgs,
+      nixos-generators,
+      agenix,
+      ...
+    }:
+    {
       packages.x86_64-linux = {
-      create-vm = let
+        create-vm =
+          let
             pkgs = import nixpkgs { system = "x86_64-linux"; };
             script-name = "create-vm";
             src = builtins.readFile ./nixos/proxmox/create-vm.sh;
-        script = (pkgs.writeScriptBin script-name src).overrideAttrs(old: {
+            script = (pkgs.writeScriptBin script-name src).overrideAttrs (old: {
               buildCommand = "${old.buildCommand}\n patchShebangs $out";
             });
-        buildInputs = with pkgs; [ gum jq ];
+            buildInputs = with pkgs; [
-      in pkgs.symlinkJoin {
+              gum
+              jq
+            ];
+          in
+          pkgs.symlinkJoin {
             name = script-name;
             paths = [ script ] ++ buildInputs;
-          nativeBuildInputs = with pkgs; [makeWrapper];
+            nativeBuildInputs = with pkgs; [ makeWrapper ];
             postBuild = "wrapProgram $out/bin/${script-name} --prefix PATH : $out/bin";
           };
         generate-iso = nixos-generators.nixosGenerate {
@@ -43,10 +56,63 @@
         };
       };
 
-  } // flake-utils.lib.eachDefaultSystem (system:
+    }
-      let pkgs = import nixpkgs {
+    // flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        fluxOverlay = (
+          final: prev:
+          let
+            version = "2.7.1";
+            srcHash = "sha256-UJiH6dunTKrHtjc1FudyGugSAJYrBC7TMQp+3PdywPI=";
+            manifestsHash = "sha256-/57wRJ2Sj5vkPsuDQp4q+gbs6C4Qy1PfS3KNt2I5IlU=";
+            vendorHash = "sha256-C5s+/OwZ3cjJZmj39j69LJS3qwQXGJuxyRK1vHVgXGg=";
+
+            manifests = prev.fetchzip {
+              url = "https://github.com/fluxcd/flux2/releases/download/v${version}/manifests.tar.gz";
+              # First build with a dummy, then replace with the `got:` hash from the error
+              hash = manifestsHash;
+              stripRoot = false;
+            };
+          in
+          {
+            fluxcd = prev.fluxcd.overrideAttrs (old: {
+              inherit version vendorHash;
+              src = prev.fetchFromGitHub {
+                owner = "fluxcd";
+                repo = "flux2";
+                rev = "v${version}";
+                # First build with a dummy, then replace with the `got:` hash
+                hash = srcHash;
+              };
+              postUnpack = ''
+                cp -r ${manifests} source/cmd/flux/manifests
+                # disable tests that require network access
+                rm source/cmd/flux/create_secret_git_test.go
+              '';
+
+              ldflags = [
+                "-s"
+                "-w"
+                "-X main.VERSION=${version}"
+              ];
+
+              # keep install check aligned with the new version
+              installCheckPhase = ''
+                $out/bin/flux --version | grep ${version} > /dev/null
+              '';
+
+              meta = old.meta // {
+                changelog = "https://github.com/fluxcd/flux2/releases/tag/v${version}";
+              };
+            });
+          }
+        );
+        pkgs = import nixpkgs {
           inherit system;
-      }; in
+          overlays = [ fluxOverlay ];
+        };
+      in
       {
         devShells = {
           default = pkgs.mkShell {
@@ -63,5 +129,6 @@
             ];
           };
         };
-      });
+      }
+    );
 }