harbor.yadunut.dev/yadunut/yadunut.dev:sha-e09fe73-1758515485 -> harbor.yadunut.dev/yadunut/yadunut.dev:sha-468e389-1759339786

This reverts commit 857fedec9c.

apps/base/gitea.yaml

@@ -12,6 +12,14 @@ metadata:
 spec:
   itemPath: "vaults/cluster/items/gitea-admin-password"
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: gitea-actions-token
+  namespace: gitea
+spec:
+  itemPath: "vaults/cluster/items/gitea-actions-token"
+---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
@@ -35,7 +43,7 @@ spec:
         kind: HelmRepository
         name: gitea-repo
         namespace: flux-system
-      version: v10.6.x
+      version: v12.3.x
   interval: 1m0s
   releaseName: gitea
   values:
@@ -66,36 +74,26 @@ spec:
         - secretName: wildcard-cert-i.yadunut.dev-prod
           hosts:
             - git.yadunut.dev
-    actions:
+    valkey-cluster:
-      enabled: true
-      provisioning:
-        enabled: true
-      statefulset:
-        actRunner:
-          config: |
-            log:
-              level: debug
-            cache:
-              enabled: true
-            runner:
-              labels:
-                - "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
-                - "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
-                - "ubuntu-20.04:docker://catthehacker/ubuntu:act-20.04"
-            container:
-              options: |
-                --add-host=docker:host-gateway -v /certs:/certs -e "DOCKER_HOST=tcp://docker:2376/" -e "DOCKER_TLS_CERTDIR=/certs" -e "DOCKER_TLS_VERIFY=1" -e "DOCKER_CERT_PATH=/certs/server"
-              valid_volumes:
-                - /certs
-                - '**'
-
-
-    redis-cluster:
       enabled: false
-    redis:
+    valkey:
       enabled: true
+      image:
+        repository: bitnamilegacy/valkey
+      global:
+        security:
+          allowInsecureImages: true
+      # auth:
+      #   existingSecret: gitea-valkey
+      #   existingSecretPasswordKey: password
     postgresql:
       enabled: true
+      image:
+        repository: bitnamilegacy/postgresql
+        tag: 16.3.0-debian-12-r23
+      global:
+        security:
+          allowInsecureImages: true
     postgresql-ha:
       enabled: false
 
@@ -110,6 +108,7 @@ spec:
         server:
           SSH_PORT: 2222
           LANDING_PAGE: /yadunut
+          LFS_START_SERVER: true
         database:
           DB_TYPE: postgres
         indexer:
@@ -139,3 +138,52 @@ spec:
       services:
         - name: gitea-ssh
           port: 2222
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gitea-actions
+  namespace: gitea
+spec:
+  chart:
+    spec:
+      chart: actions
+      sourceRef:
+        kind: HelmRepository
+        name: gitea-repo
+        namespace: flux-system
+      version: v0.0.x
+  interval: 1m
+  values:
+    enabled: true
+    giteaRootURL: https://git.yadunut.dev
+
+    # Provide the runner registration token from 1Password-backed Secret
+    existingSecret: gitea-actions-token
+    existingSecretKey: token
+
+    statefulset:
+      replicas: 1
+      # Your custom runner config replicated here (labels, dind, volumes)
+      actRunner:
+        config: |
+          log:
+            level: debug
+          cache:
+            enabled: true
+          runner:
+            labels:
+              - "ubuntu-latest:docker://harbor.yadunut.dev/gitea_cache/runner-images:ubuntu-latest"
+              - "ubuntu-22.04:docker://harbor.yadunut.dev/gitea_cache/runner-images:ubuntu-22.04"
+              - "ubuntu-20.04:docker://harbor.yadunut.dev/gitea_cache/runner-images:ubuntu-20.04"
+          container:
+            network: host
+            valid_volumes:
+              - '**'
+            options: |
+              -v /certs:/certs
+              --add-host=docker:host-gateway
+              -e DOCKER_HOST=tcp://docker:2376
+              -e DOCKER_TLS_VERIFY=1
+              -e DOCKER_CERT_PATH=/certs/client
+              -e DOCKER_TLS_CERTDIR=/certs

apps/base/open-webui.yaml

@@ -0,0 +1,95 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: open-webui
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: open-webui-oidc-client-secret
+  namespace: open-webui
+spec:
+  itemPath: "vaults/cluster/items/open-webui-oidc-client-secret"
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: open-webui-repo
+  namespace: flux-system
+spec:
+  interval: 15m0s
+  url: https://helm.openwebui.com
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: open-webui
+  namespace: open-webui
+spec:
+  chart:
+    spec:
+      chart: open-webui
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: open-webui-repo
+        namespace: flux-system
+      version: 8.6.x
+  interval: 1m0s
+  values:
+    ollama:
+      enabled: true
+      fullnameOverride: open-webui-ollama
+      ollama:
+        gpu:
+          enabled: true
+          type: nvidia
+          nvidiaResource: "nvidia.com/gpu-all"
+          number: 1
+      persistentVolume:
+        enabled: true
+        size: 100Gi
+      resources:
+        requests:
+          memory: 4Gi
+        limits:
+          memory: 55Gi
+    pipelines:
+      enabled: false
+
+    # Ingress via Traefik
+    ingress:
+      enabled: true
+      class: traefik
+      host: chat.yadunut.dev
+      tls: true
+      existingSecret: wildcard-cert-yadunut.dev-prod
+
+    # Use built-in sqlite persistence (PVC)
+    persistence:
+      enabled: true
+      size: 10Gi
+      accessModes: ["ReadWriteOnce"]
+
+    # commonEnvVars:
+    # - name: ENABLE_OAUTH_PERSISTENT_CONFIG
+    #   value: "false"
+    # - name: ENABLE_LOGIN_FORM
+    #   value: "true"
+    # - name: OPENID_REDIRECT_URI
+    #   value: "https://chat.yadunut.dev/oauth/oidc/callback"
+
+    # OIDC via Authentik
+    sso:
+      enabled: true
+      enableSignup: true
+      mergeAccountsByEmail: true
+      oidc:
+        enabled: true
+        providerName: "Authentik"
+        providerUrl: "https://authentik.yadunut.dev/application/o/open-webui/.well-known/openid-configuration"
+        clientId: "Z37HQwWBYxax4vwN047B8PWr3JxT6qMAOtCAyJ4Z"
+        clientExistingSecret: open-webui-oidc-client-secret
+        clientExistingSecretKey: password
+        scopes: "openid email profile"

apps/base/proxmox.yaml

@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: proxmox
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: proxmox-proxy-deployment
+  namespace: proxmox
+  labels:
+    app: proxmox-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: proxmox-proxy
+  template:
+    metadata:
+      labels:
+        app: proxmox-proxy
+    spec:
+      nodeSelector:
+        kubernetes.io/hostname: premhome-falcon-1
+      containers:
+        - name: tcp-proxy
+          image: harbor.yadunut.dev/yadunut/tcp_proxy:sha-85ed592-1748014668 # {"$imagepolicy": "flux-system:tcp-proxy"}
+          env:
+            - name: LISTEN_ADDR
+              value: "0.0.0.0:8443"
+            - name: UPSTREAM_ADDR
+              value: "10.0.0.5:8006"
+          ports:
+            - containerPort: 8443
+              name: https
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: proxmox-insecure
+  namespace: proxmox
+spec:
+  insecureSkipVerify: true
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: proxmox-proxy
+  namespace: proxmox
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: authentik-system-authentik@kubernetescrd
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: proxmox.i.yadunut.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: proxmox-proxy
+                port:
+                  name: https
+  tls:
+    - hosts:
+        - proxmox.i.yadunut.dev
+      secretName: wildcard-cert-i.yadunut.dev-prod
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxmox-proxy
+  namespace: proxmox
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+    traefik.ingress.kubernetes.io/service.serverstransport: proxmox-proxmox-insecure@kubernetescrd
+spec:
+  selector:
+    app: proxmox-proxy
+  ports:
+    - name: https
+      port: 8443
+      targetPort: https
+  type: ClusterIP
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageRepository
+metadata:
+  name: tcp-proxy
+  namespace: flux-system
+spec:
+  image: harbor.yadunut.dev/yadunut/tcp_proxy
+  interval: 1m0s
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: tcp-proxy
+  namespace: flux-system
+spec:
+  imageRepositoryRef:
+    name: tcp-proxy
+  filterTags:
+    pattern: "^sha-[a-fA-F0-9]+-(?P<ts>.*)"
+    extract: "$ts"
+  policy:
+    numerical:
+      order: asc

apps/base/yadunut-dev.yaml

@@ -22,9 +22,9 @@ spec:
     spec:
       containers:
         - name: yadunut-dev
-          image: harbor.yadunut.dev/yadunut/yadunut.dev:sha-08f0f02-1735288116 # {"$imagepolicy": "flux-system:yadunut-dev"}
+          image: harbor.yadunut.dev/yadunut/yadunut.dev:sha-468e389-1759339786 # {"$imagepolicy": "flux-system:yadunut-dev"}
           ports:
-            - containerPort: 3000
+            - containerPort: 80
               name: http
               protocol: TCP
 ---
@@ -50,16 +50,16 @@ metadata:
 spec:
   ingressClassName: traefik
   rules:
-  - host: yadunut.dev
+    - host: yadunut.dev
-    http:
+      http:
-      paths:
+        paths:
-      - path: /
+          - path: /
-        pathType: Prefix
+            pathType: Prefix
-        backend:
+            backend:
-          service:
+              service:
-            name: yadunut-dev
+                name: yadunut-dev
-            port:
+                port:
-              name: http
+                  name: http
 ---
 apiVersion: image.toolkit.fluxcd.io/v1beta2
 kind: ImageRepository
@@ -79,8 +79,8 @@ spec:
   imageRepositoryRef:
     name: yadunut-dev
   filterTags:
-    pattern: '^sha-[a-fA-F0-9]+-(?P<ts>.*)'
+    pattern: "^sha-[a-fA-F0-9]+-(?P<ts>.*)"
-    extract: '$ts'
+    extract: "$ts"
   policy:
     numerical:
       order: asc

apps/prod/kustomization.yaml

@@ -3,6 +3,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base/podinfo.yaml
-  # - ../base/harbor.yaml
+  - ../base/harbor.yaml
   - ../base/gitea.yaml
-  # - ../base/yadunut-dev.yaml
+  - ../base/yadunut-dev.yaml
+  - ../base/proxmox.yaml
+  - ../base/open-webui.yaml

cluster/base/infra/generic-cdi-plugin.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-generic-cdi-plugin
+  namespace: flux-system
+spec:
+  interval: 1h0m0s
+  path: ./infra/controllers/generic-cdi-plugin
+  prune: true
+  retryInterval: 1m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  timeout: 5m0s
+  wait: true

infra/controllers/generic-cdi-plugin/generic-cdi-plugin.yaml

@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: generic-cdi-plugin
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: generic-cdi-plugin-daemonset
+  namespace: generic-cdi-plugin
+spec:
+  selector:
+    matchLabels:
+      name: generic-cdi-plugin
+  template:
+    metadata:
+      labels:
+        name: generic-cdi-plugin
+        app.kubernetes.io/component: generic-cdi-plugin
+        app.kubernetes.io/name: generic-cdi-plugin
+    spec:
+      containers:
+        - image: ghcr.io/olfillasodikno/generic-cdi-plugin:main
+          name: generic-cdi-plugin
+          command:
+            - /generic-cdi-plugin
+            - /var/run/cdi/nvidia-container-toolkit.json
+          imagePullPolicy: Always
+          securityContext:
+            privileged: true
+          tty: true
+          volumeMounts:
+            - name: kubelet
+              mountPath: /var/lib/kubelet
+            - name: nvidia-container-toolkit
+              mountPath: /var/run/cdi/nvidia-container-toolkit.json
+      volumes:
+        - name: kubelet
+          hostPath:
+            path: /var/lib/kubelet
+        - name: nvidia-container-toolkit
+          hostPath:
+            path: /var/run/cdi/nvidia-container-toolkit.json
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: "nixos-nvidia-cdi"
+                    operator: In
+                    values:
+                      - "enabled"

infra/controllers/generic-cdi-plugin/node-penguin.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Node
+metadata:
+  name: penguin
+  labels:
+    nixos-nvidia-cdi: enabled

nixos/common/k3s.nix

@@ -1,4 +1,5 @@
 {
+  pkgs,
   config,
   meta,
   ...
@@ -14,4 +15,14 @@
       else "https://${meta.server-addr}:6443";
     extraFlags = ["--disable=servicelb" "--disable=traefik" "--node-ip ${meta.zt-ip}" "--flannel-iface ztxh6lvd6t" "--flannel-backend=host-gw" "--tls-san ${meta.zt-ip}"];
   };
+
+  # For longhorn
+  environment.systemPackages = [ pkgs.nfs-utils ];
+  services.openiscsi = {
+    enable = true;
+    name = "iqn.2016-04.com.open-iscsi:${config.networking.hostName}";
+  };
+  systemd.tmpfiles.rules = [
+    "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
+  ];
 }

nixos/common/zerotier.nix

@@ -1,7 +1,7 @@
 {...}: {
   services.zerotierone = {
     enable = true;
-    joinNetworks = ["<network-id>"];
+    joinNetworks = ["23992b9a659115b6"];
   };
 
   networking = {

nixos/flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1745630506,
+        "lastModified": 1747575206,
-        "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=",
+        "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "96e078c646b711aee04b82ba01aefbff87004ded",
+        "rev": "4835b1dc898959d8547a871ef484930675cb47f1",
         "type": "github"
       },
       "original": {
@@ -52,11 +52,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747226316,
+        "lastModified": 1747742835,
-        "narHash": "sha256-INBPqK9ogSvw5Q9HJ5H7KI83v6Jc3goAnXN3b2F+eMU=",
+        "narHash": "sha256-kYL4GCwwznsypvsnA20oyvW8zB/Dvn6K5G/tgMjVMT4=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "490c0d6bd151e33caa5b2cf0ae37758234e947f6",
+        "rev": "df522e787fdffc4f32ed3e1fca9ed0968a384d62",
         "type": "github"
       },
       "original": {
@@ -127,11 +127,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742568034,
+        "lastModified": 1747663185,
-        "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
+        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
+        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
         "type": "github"
       },
       "original": {
@@ -142,16 +142,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1747235650,
+        "lastModified": 1747728033,
-        "narHash": "sha256-qiS7n66dq1BXRdv5EdchZwFaNd1Q+M1lq/ibg4Z/s58=",
+        "narHash": "sha256-NnXFQu7g4LnvPIPfJmBuZF7LFy/fey2g2+LCzjQhTUk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "49e6e192a7c6eb961dd485410fa8983e0df21b50",
+        "rev": "2f9173bde1d3fbf1ad26ff6d52f952f9e9da52ea",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-24.11",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }

nixos/flake.nix

@@ -1,6 +1,6 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/release-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     disko = {
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";

nixos/server/premhome-gc1/configuration.nix

@@ -2,10 +2,18 @@
   config,
   pkgs,
   ...
-}: {
+}:
-  imports = [../../common/users.nix ../../common/zerotier.nix ../../common/k3s.nix];
+{
+  imports = [
+    ../../common/users.nix
+    ../../common/zerotier.nix
+    ../../common/k3s.nix
+  ];
   nix = {
-    settings.experimental-features = ["nix-command" "flakes"];
+    settings.experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
   };
 
   nixpkgs.config.allowUnfree = true;
@@ -35,14 +43,20 @@
     jq
     ripgrep
     fd
-    nfs-utils
   ];
 
   networking = {
-    nameservers = [ "1.1.1.1" "8.8.8.8" ];
+    nameservers = [
+      "1.1.1.1"
+      "8.8.8.8"
+    ];
     firewall = {
       enable = true;
-      allowedTCPPorts = [22 80 443];
+      allowedTCPPorts = [
+        22
+        80
+        443
+      ];
     };
     interfaces.ens3 = {
       ipv4 = {
@@ -65,14 +79,5 @@
     };
   };
 
-  # For longhorn
-  services.openiscsi = {
-    enable = true;
-    name = "iqn.2016-04.com.open-iscsi:${config.networking.hostName}";
-  };
-  systemd.tmpfiles.rules = [
-    "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
-  ];
-
   system.stateVersion = "24.11";
 }

nixos/server/proxmox/configuration.nix

@@ -21,15 +21,6 @@
   services.openssh.enable = true;
   services.qemuGuest.enable = true;
 
-  # For longhorn
-  services.openiscsi = {
-    enable = true;
-    name = "iqn.2016-04.com.open-iscsi:${meta.hostname}";
-  };
-  systemd.tmpfiles.rules = [
-    "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
-  ];
-
   environment.systemPackages = with pkgs; [
     git
     neovim
@@ -37,7 +28,6 @@
     jq
     ripgrep
     fd
-    nfs-utils
   ];
 
   networking = {