Add renovate.json

apps/authentik/authentik-postgres-credentials.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-data:
-    password: ENC[AES256_GCM,data:a7nwc49lItIjjg6f7Vaz6Kyyb4CgwMmudHpsQAY39539fvCWtYjsoQzEqEXZdcwPyqB2qlOHewXcStBgG1B1iKKZhqE=,iv:yK9EZWhBNLm9lNs7V7Fm2MQWv3Lfb1o34P25+p00FgQ=,tag:ie24X9bcK1NdxZWhEKITHw==,type:str]
-    username: ENC[AES256_GCM,data:VmGN5YxRGZcS/EWy,iv:QKGSkxBSfMusEkl3sS1m3KQREvwUCP0aag8u7VPzWxo=,tag:zXthxvtKBex3XpRqO6Qcyg==,type:str]
-kind: Secret
-metadata:
-    name: authentik-postgres-credentials
-    namespace: authentik
-sops:
-    age:
-        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZFlqTWZzTVNOV294bXF5
-            MEFFWGNXZkN6YjgrdGx2NkZyMHVWN25KSm5rCmxBQzNsSk53bDZiK3RQUCtYbjRu
-            NVUwZHJPSUhZTnEvdmNYNENSR1NSTTgKLS0tIFlmMTRSOWlKU1dYT0ZQQW1yTGx5
-            dWt0TXRDZ2VVVjREYjIvdTFUcVNxYjAKVYa8GZoKORII5nN0590OWzdbyoXe6Eyi
-            mRKUxtVsbhCPtfabQGn/tu40g7A9CFcWh51geIGewkTVmVlx0ulv/Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T20:32:24Z"
-    mac: ENC[AES256_GCM,data:N81ubg0zmCZpZKa+Z/IJZunsUUT8dZrWfp48cBNLg5GPr1O2SrvFUPo+ZWSDLRWWgea5E00kU1luDHcnTuHtjSF457anCc1LpezJnIIfPHQBE7wIrWkZMW1QYsScZhtNvkDf1LhXuo2JZnRkAZ249JzzPEYxy+GjLXU3hNaaeyw=,iv:V6Op3ZA9Rw2g20gzZapZt7GfnW7TW988psIIDlwxzaE=,tag:anOAkNKfUFhmntDH/i/v2w==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.11.0

apps/authentik/authentik-secret-key.yaml

@@ -1,22 +0,0 @@
-apiVersion: v1
-data:
-    key: ENC[AES256_GCM,data:0YHxGccmrLh2LFfAeySEqdfuE35FfzsAVI/XNcKKWKUS4HZ5sKUVy8PLSrl99nZRtC66Vj2Vsj/Zj+Ir/3/n8Vzhy04=,iv:whuMt5eTvp962tNisNDc5ygBaCzRs1MwBtOxWP+atv8=,tag:mcerAaPbzujtI25tPLETnQ==,type:str]
-kind: Secret
-metadata:
-    name: authentik-secret-key
-    namespace: authentik
-sops:
-    age:
-        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRlB4Vjg5cU1QWWovRTFW
-            M1Q0cmpaWkNUek54T1VheGxMbVlIeUlybjMwCnVTY2VLTXVSbEpUc0lTRUtETUV3
-            TGRmVDB5cnhpU2k2YkNuL3d6OTVETW8KLS0tIDZoNjlTVERvR1FSczB5d09IVnpl
-            QnloYTFKNGdyR3FuS3N2WjVVVGFKRWsKd8MPL8raiwfz/fLsjL76tdeCBDu/cirV
-            DKFx+Tu8KTugK6gGteXA2/PHZPEB/U9Zh1OD3t6AdPZMQJaiNKq/4Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T20:36:08Z"
-    mac: ENC[AES256_GCM,data:RlZUTVt/3acp5BX92MI3USohXoAlZy8QAgr0HwLu0IMc+gUcykCXV/voYSJgIQlHhKDo/Jwa0+KhU3DLT/9GS4UF/E2GCJhj9t9DlagnchLxxJXYyP/7FPUkoOfDKmG1Sc2Gq3i/gTVklzQ0DpwQflF0F50BLDv1FqxUD84jVoI=,iv:T/Hd0kenM4LikCB9mkSrFMVD1UeA+Dvwi+3TLziwsdI=,tag:rfosFTQZo695lnznWC8JcQ==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.11.0

apps/authentik/cluster.yaml

@@ -1,57 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: postgres-cluster
-  namespace: authentik
-  annotations:
-    # needed to allow for recovery from same name cluster backup
-    cnpg.io/skipEmptyWalArchiveCheck: enabled
-spec:
-  instances: 2
-
-  managed:
-    roles:
-      - name: authentik
-        superuser: true
-        login: true
-
-  bootstrap:
-    # initdb:
-    #   database: authentik
-    #   owner: authentik
-    #   secret:
-    #     name: authentik-postgres-credentials
-    # NOTE: uncomment this and commend the above initdb when recovering
-    recovery:
-      source: postgres-cluster
-
-  storage:
-    size: 8Gi
-    storageClass: longhorn-pg
-
-  externalClusters:
-    - name: postgres-cluster
-      barmanObjectStore:
-        destinationPath: "s3://mthomson-cnpg-backup/authentik/"
-        endpointURL: "https://s3.ca-central-1.wasabisys.com"
-        s3Credentials:
-          accessKeyId:
-            name: wasabi-secret
-            key: ACCESS_KEY_ID
-          secretAccessKey:
-            name: wasabi-secret
-            key: ACCESS_SECRET_KEY
-
-  backup:
-    barmanObjectStore:
-      destinationPath: "s3://mthomson-cnpg-backup/authentik/"
-      endpointURL: "https://s3.ca-central-1.wasabisys.com"
-      s3Credentials:
-        accessKeyId:
-          name: wasabi-secret
-          key: ACCESS_KEY_ID
-        secretAccessKey:
-          name: wasabi-secret
-          key: ACCESS_SECRET_KEY
-    retentionPolicy: "10d"
-

apps/authentik/release.yaml

@@ -1,69 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: authentik
-  namespace: authentik
-spec:
-  chart:
-    spec:
-      chart: authentik
-      version: 2025.8.4
-      sourceRef:
-        kind: HelmRepository
-        name: authentik
-  interval: 15m
-  releaseName: authentik
-  values:
-    authentik:
-      secret_key: file:///secret-key/key
-      postgresql:
-        host: postgres-cluster-rw
-        user: file:///postgres-creds/username
-        password: file:///postgres-creds/password
-    server:
-      ingress:
-        enabled: true
-        ingressClassName: traefik
-        annotations:
-          cert-manager.io/cluster-issuer: "letsencrypt-prod"
-          external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-          traefik.ingress.kubernetes.io/router.tls: "true"
-          traefik.ingress.kubernetes.io/router.entrypoints: websecure
-        hosts:
-          - authentik.michaelthomson.dev
-        tls:
-          - secretName: authentik-tls
-            hosts:
-              - authentik.michaelthomson.dev
-      volumes:
-        - name: postgres-creds
-          secret:
-            secretName: authentik-postgres-credentials
-        - name: secret-key
-          secret:
-            secretName: authentik-secret-key
-      volumeMounts:
-        - name: postgres-creds
-          mountPath: /postgres-creds
-          readOnly: true
-        - name: secret-key
-          mountPath: /secret-key
-          readOnly: true
-    worker:
-      env:
-        - name: AUTHENTIK_SECRET_KEY
-          valueFrom:
-            secretKeyRef:
-              name: authentik-secret-key
-              key: key
-      volumes:
-        - name: postgres-creds
-          secret:
-            secretName: authentik-postgres-credentials
-      volumeMounts:
-        - name: postgres-creds
-          mountPath: /postgres-creds
-          readOnly: true
-    redis:
-      enabled: true

apps/authentik/scheduled-backup.yaml

@@ -1,11 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
-  name: scheduled-backup
-  namespace: authentik
-spec:
-  schedule: "0 0 0 * * *"
-  backupOwnerReference: self
-  #immediate: true
-  cluster:
-    name: postgres-cluster

apps/authentik/wasabi-secret.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-data:
-    ACCESS_KEY_ID: ENC[AES256_GCM,data:cJS1WkKlhgbWGqgOhFs9xjqriMIyGwaSq2W1tQ==,iv:5qj9+BjOPGvVFg9gIH9128nlOaQ27KMgjlIPIMF51IE=,tag:m80qHYyAbXGt1AGe+cXUuQ==,type:str]
-    ACCESS_SECRET_KEY: ENC[AES256_GCM,data:E1/lSR0Crdjt/N0BV0d7PgKSn00sKkNd9s4qsknK3MO4W3JSkwE2g4HyJvbjwDEmWZck7dB//WE=,iv:VoLSzFxrdGKKOVVNE8iiQtGS67yJYjknlxz4fs/DDJI=,tag:aPJEsutmqMobr+vXSCJ62g==,type:str]
-kind: Secret
-metadata:
-    name: wasabi-secret
-    namespace: authentik
-sops:
-    age:
-        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQzVzc1EzaWsvWWlXa2tu
-            U1NXVFh4TDhuUXZZcXNHVVBBeUR5Y2RvT2pRCnZPL0t5RVMyVzRVeTluYVhZNkJT
-            ZjF0S2lsUWFvdTdFaXVGZ2NlOHVGUm8KLS0tIGZVR3lUT2ltR0pLUU4yT1BTWTZW
-            UkZiNmNPbUMvRUs3dDVDNjBnb0htM2cKvsfEiaSE2A5R+pvb0UoaPmvSFMQR2GDi
-            DBJ+OyMFhz0HxQO31/yrlZGcVxBKq/Q4DXD1zDtWapQ3ds/OBjxHlg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T20:36:08Z"
-    mac: ENC[AES256_GCM,data:s9DcnPm61QEc8v+VxeCMYlpbEY5XkgciP1f1Mrprix23FoBJOnLn3sJlCc1Ew6tZE4ilyhr6rK6CJA0Aqsvfro5dS0wQUI1CuDjS4+yx1ANfZzxICYNSIHXVhQiSIQ5g0ANaUVvzaj7pBKA/FvV+BTav2UbdDRUGNVsmZY5NZ5g=,iv:oJ8THhyCaB7+sBwqh9fpLIulKMWTDHdLKSZjMAZFDxo=,tag:IhpmqbLYUE9QCS1B28pdZQ==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.11.0

apps/booklore/basic-auth.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-data:
-    password: ENC[AES256_GCM,data:WJbyXSCQ2qUtXBtv,iv:h3L3BeSaGQqU+nzlunl3BUOk2dei3Ra60IgNP2sCDQg=,tag:BoooixO1SpnvK7Jvxw56cg==,type:str]
-    user: ENC[AES256_GCM,data:6D78pKeGDJI=,iv:fl2MNa+EZXKwAOjRGglwPGFGMSc+uSfUJ6vn8U5aPvE=,tag:PU179YKHwlEfJ7OLI68nIQ==,type:str]
-kind: Secret
-metadata:
-    name: basic-auth
-    namespace: booklore
-sops:
-    age:
-        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbmVWT3pRaTFrYXNyLys1
-            OEZxUTltSUpYaGgySCtzalA3SG9mVktlSzNrClNJNTBibUx4WWFZdDh1UUFXd2pu
-            ck9kVm1VckgxOVZUYjdTUHB4Uy9meGsKLS0tIHpJbk1yZU1jMzFPM2VZWkFWc21o
-            N2xLS0svZkd5MS9HRVUvN2MrWUhPK0kKC6SFkfSBu3CQKdt3+g+5JOjRLtwbxZS/
-            LQzDjeTqTKZHmrgxKwKsU15QtI0B1ie7f544KCuIAjvEeeBZb8AoRg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T17:34:49Z"
-    mac: ENC[AES256_GCM,data:ZJrymPllZvecBBeMTR1T1FZpHztqpsZ8SVqStshQMSd9Brf0F0KHNr9xd+dTrSuaeqR8rchLZ89hN+7an/JhkFm+4ffXWtdg5m6ES+Lbu6qGf3QczcQ4bssUhL4kuvTdM+7zVwD6XnyGF2G2hvSvJ2L8V364CX0ZOUCX+Cyk7Ss=,iv:GrVHO0vUz0pgloai/4KlCM/eCQSI1eEF59kuPVjG4y0=,tag:AXcIcDSD8DZOxbcrvvHMyQ==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.11.0

apps/booklore/release.yaml

@@ -1,50 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: booklore
-  namespace: booklore
-spec:
-  chart:
-    spec:
-      chart: ./example-chart
-      sourceRef:
-        kind: GitRepository
-        name: booklore
-  interval: 15m
-  releaseName: booklore
-  values:
-    mariadb:
-      enabled: true
-      image:
-        tag: latest
-      auth:
-        database: booklore
-        username: booklore-user
-
-    ingress:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: "letsencrypt-prod"
-        external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-        external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-        traefik.ingress.kubernetes.io/router.entrypoints: websecure
-        traefik.ingress.kubernetes.io/router.tls: "true"
-      hosts:
-        - host: booklore.michaelthomson.dev
-          paths:
-            - path: "/"
-              pathType: ImplementationSpecific
-      tls:
-        - hosts:
-            - booklore.michaelthomson.dev
-          secretName: booklore-tls
-
-    # If you want to bring your own persistence (such as a hostPath),
-    # disable these and do so in extraVolumes/extraVolumeMounts
-    persistence:
-      dataVolume:
-        enabled: true
-        size: 1Gi
-      booksVolume:
-        enabled: true
-        size: 10Gi

apps/booklore/repository.yaml

@@ -1,10 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: booklore
-  namespace: booklore
-spec:
-  interval: 15m
-  url: https://github.com/booklore-app/booklore.git
-  ref:
-    branch: develop

apps/media/bazarr/ingress.yaml

@@ -7,7 +7,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-bazarr@kubernetescrd
 spec:
   rules:
   - host: bazarr.michaelthomson.dev

apps/media/jellyseerr/config.yaml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: jellyseerr-config
-  namespace: media
-data:
-  PUID: "1000"
-  PGID: "1000"
-  LOG_LEVEL: "debug"

apps/media/jellyseerr/deployment.yaml

@@ -1,33 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: jellyseerr
-  namespace: media
-spec:
-  selector:
-    matchLabels:
-      app: jellyseerr
-  template:
-    metadata:
-      labels:
-        app: jellyseerr
-    spec:
-      containers:
-      - name: jellyseerr
-        image: fallenbagel/jellyseerr:latest
-        imagePullPolicy: Always
-        envFrom:
-        - configMapRef:
-            name: jellyseerr-config
-            optional: false
-        ports:
-        - containerPort: 5055
-          name: http
-          protocol: TCP
-        volumeMounts:
-        - name: config
-          mountPath: /app/config
-      volumes:
-      - name: config
-        persistentVolumeClaim: 
-          claimName: jellyseerr-config

apps/media/jellyseerr/ingress.yaml

@@ -1,27 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: jellyseerr
-  namespace: media
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
-spec:
-  rules:
-  - host: jellyseerr.michaelthomson.dev
-    http:
-      paths:
-      - pathType: ImplementationSpecific
-        path: /
-        backend:
-          service:
-            name: jellyseerr
-            port: 
-              name: http
-  tls:
-    - hosts:
-        - jellyseerr.michaelthomson.dev
-      secretName: jellyseerr-tls

apps/media/jellyseerr/release.yaml

@@ -0,0 +1,36 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: seerr
+  namespace: media
+spec:
+  chart:
+    spec:
+      chart: seerr-chart
+      version: 3.x
+      sourceRef:
+        kind: HelmRepository
+        name: seerr
+  interval: 15m
+  releaseName: seerr
+  values:
+    config:
+      persistence:
+        existingClaim: 'jellyseerr-config'
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
+        external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+      hosts:
+        - host: jellyseerr.michaelthomson.dev
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      tls:
+        - hosts:
+            - jellyseerr.michaelthomson.dev
+          secretName: jellyseerr-tls

apps/media/jellyseerr/repository.yaml

@@ -1,8 +1,9 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: authentik
-  namespace: authentik
+  name: seerr
+  namespace: media
 spec:
+  type: "oci"
   interval: 15m
-  url: https://charts.goauthentik.io/
+  url: oci://ghcr.io/seerr-team/seerr

apps/media/jellyseerr/service.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: jellyseerr
-  namespace: media
-spec:
-  selector:
-    app: jellyseerr
-  ports:
-  - port: 80
-    targetPort: http
-    name: http

apps/media/prowlarr/ingress.yaml

@@ -7,7 +7,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-prowlarr@kubernetescrd
 spec:
   rules:
   - host: prowlarr.michaelthomson.dev

apps/media/radarr/ingress.yaml

@@ -7,7 +7,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-radarr@kubernetescrd
 spec:
   rules:
   - host: radarr.michaelthomson.dev

apps/media/sonarr/ingress.yaml

@@ -7,7 +7,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-sonarr@kubernetescrd
 spec:
   rules:
   - host: sonarr.michaelthomson.dev

bootstrap/apps/kustomization-authentik.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: authentik
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/authentik
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

bootstrap/apps/kustomization-booklore.yaml

@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: booklore
-  namespace: flux-system
-spec:
-  interval: 15m
-  path: ./apps/booklore
-  prune: true # remove any elements later removed from the above path
-  wait: true
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  decryption:
-    provider: sops
-    secretRef:
-      name: sops-age
-  dependsOn:
-    - name: infra-configs

infrastructure/namespaces/namespace-authentik.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: authentik

infrastructure/namespaces/namespace-booklore.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: booklore

renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}