update vaultwarden

This reverts commit ee5bfb66f6.

apps/gitea/mailer-config-secret.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-data:
-    mailer: ENC[AES256_GCM,data:baGCpPHJejjMFeiBcgSroJWqmUj/8PzvwAdzZ+nLacen2I91iaIRIgztvsk=,iv:6M2+sKRc1ZC5CqY4X43xgGO/CeWOfjMVzNgelYd0V6c=,tag:I15tnxf8CQaLu+/0GNdeOA==,type:str]
+stringData:
+    mailer: ENC[AES256_GCM,data:IrYl0ghmMpe7LCGuHFAv8OOnnYPnxed8M86qEnXct/d3Xlf+vQ==,iv:d/Egq7dRzNbx/5cEL5lKxD+ZsDhTLCB1EGnP6RXok00=,tag:aiQoSAMKQ1b0mXUT0lw8+w==,type:str]
 kind: Secret
 metadata:
     name: gitea-mailer-config-secret
@@ -16,7 +16,7 @@ sops:
             NkI0eUlmYjg3Zk9iVmNkZVpXWkh2TW8K/coOzGAPF42522cM6DZVAEEv3LmZaIhu
             BVyl8ijATNLMIfiFpP5bHpljPHrn3lGP70RzwoCV15t1fC6pjeParA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T20:36:08Z"
-    mac: ENC[AES256_GCM,data:QBxnUAGg6xchZ9iqKK8gAmdJhDfma5BZlJVRZcfzGM57diuO2OE4JDbjW5gqf21OACL4d2funVlXRVlioLoe0tfZJY3AAedOmyQVXdrr0PwarbPztbWAFVvIMeQWPZUyPd3GxgaAATeBVCanSEgVTIOVqCN/DXNSHY2XcQ9x9Y0=,iv:ugLYt5NxsTIy0wUul748IGIzayG+zPQ/z5kH3T9IfiE=,tag:3yTjZ+MMMVNmi/8p321fFg==,type:str]
+    lastmodified: "2026-05-12T01:59:49Z"
+    mac: ENC[AES256_GCM,data:TSNyIUQIRaX27K9ZbyiMCayFFIeUKmfD4Bz9Zu7Apa7NGqXmAWabzY3KHyjL14LDxmv4XJpA5W3DLI920DfOEUq2iW9EogMfSV7nEMMA6lzYMf+ca5W0BCwPE0MDBkTIL2nREoZh0FGDmq1M2syRIfaBrFKq97ZozQqz4AA8iZc=,iv:wCjERwABseOGN7LWiLzoT4VGHk9vnGdN0yl2eeQTAho=,tag:j/bDGqPoTm5FFGhERh1KJQ==,type:str]
     encrypted_regex: ^(data|stringData)$
-    version: 3.11.0
+    version: 3.12.2

apps/gitea/release.yaml

@@ -17,8 +17,6 @@ spec:
     global:
       storageClass: longhorn
 
-    replicaCount: 1
-
     service:
       ssh:
         type: LoadBalancer
@@ -47,9 +45,7 @@ spec:
           secretName: gitea-tls
 
     persistence:
-      claimName: gitea-shared-storage
       size: 10Gi
-      storageClass: longhorn
 
     gitea:
       config:
@@ -65,11 +61,11 @@ spec:
           ALLOWED_HOST_LIST: external,loopback,private
         mailer:
           ENABLED: true
-          FROM: gitea@michaelthomson.dev
+          FROM: server@michaelthomson.dev
           PROTOCOL: smtps
           SMTP_ADDR: mail.michaelthomson.dev
           SMTP_PORT: 465
-          USER: gitea@michaelthomson.dev
+          USER: server@michaelthomson.dev
       admin:
         existingSecret: admin-secret
         email: "gitea@michaelthomson.dev"
@@ -77,23 +73,17 @@ spec:
         - secret:
             secretName: gitea-mailer-config-secret
 
-    redis-cluster:
+    valkey-cluster:
       enabled: false
 
+    valkey:
+      enabled: true
+
     postgresql-ha:
       enabled: false
 
     postgresql:
       enabled: true
-      global:
-        postgresql:
-          auth:
-            password: gitea
-            database: gitea
-            username: gitea
-          service:
-            ports:
-              postgresql: 5432
       primary:
         persistence:
           size: 10Gi

apps/grimmory/mariadb-credentials.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+stringData:
+    mariadb-password: ENC[AES256_GCM,data:sRg+BqCvSWe/I9vLLRcgPyMs87BttZAejfKPI7kIej6L3sXasYE700jr9tw=,iv:VMnb9a72TYYBdC2RCD9wwpRdUZiiD+SFOZOl0ZIHjbU=,tag:eXRgY1VO0PDRJPUAr4RYXw==,type:str]
+    mariadb-root-password: ENC[AES256_GCM,data:86cu/5fSD2h7yQSt0b9cp15a56LYiyhdUfFVdhla7cs0GsIyDul2A4TuSQA=,iv:U+JPt6UUc70MzYAQBODEzl/wMQ+TEVBYZHxxMZf4xyw=,tag:CAdI37E9cj07yoltPxLjWg==,type:str]
+kind: Secret
+metadata:
+    name: mariadb-credentials
+    namespace: grimmory
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOEhieFpaNU5CRElYRFRx
+            VjJqUm9Zbk44M3QvVlNqcUFGUnRjNlUvUERZCjA2VjJXdlJmSDdYeW5BbEF2RElV
+            QXZ6YVl3REVFRzY5RG81YzVyaWpBWTgKLS0tIEdITTBCUm1tZGhZVzFwbGszbDF6
+            ZzhZOEU2SUFUWllqOHZCS1c5YW5TQjQKbQqmVAWZq7aqBaFt+51oY7PZ2BcLc7Wa
+            neOgcwRTq2x27yoWNPlcWSsqFss5RLldriEer4QdwdIDlWEj8Js7uA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-05-24T18:40:49Z"
+    mac: ENC[AES256_GCM,data:URvFnjTBRU17FIJTLjggheWWI63UcktsyMgrKP5Ib7/F4HcSbZySGis6Ty/y2Cn5uessjpf12IQ1EZ0Vybnm7w58/nb3+ZiEow5XtJ91OAw2iCJv00YyKtWgFqkymCHJu2a/SuuG3ibH5+MbucQKHUSXuxsRvYaJaigw1Gzi80I=,iv:3H2NNqh8eBqNvKybtsKYujjDeDlvmlwXxdzRoazU46E=,tag:tgYlwl0K7GbSX1pBtlD/xg==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.12.2

apps/grimmory/release.yaml

@@ -0,0 +1,47 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: grimmory
+  namespace: grimmory
+spec:
+  chart:
+    spec:
+      chart: grimmory
+      version: 3.x
+      sourceRef:
+        kind: HelmRepository
+        name: grimmory
+  interval: 15m
+  releaseName: grimmory
+  values:
+    mariadb:
+      auth:
+        existingSecret: mariadb-credentials
+        secretKeys:
+          rootPasswordKey: mariadb-root-password
+          userPasswordKey: mariadb-password
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+      hosts:
+        - host: grimmory.michaelthomson.dev
+          paths:
+            - path: /
+              pathType: ImplementationSpecific
+      tls:
+        - hosts:
+            - grimmory.michaelthomson.dev
+          secretName: grimmory-tls
+    persistence:
+      dataVolume:
+        enabled: true
+        size: 100Mi
+        existingClaim: ""
+      booksVolume:
+        enabled: true
+        size: 10Gi
+        existingClaim: ""
+    

apps/grimmory/repository.yaml

@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grimmory
+  namespace: grimmory
+spec:
+  type: "oci"
+  interval: 15m
+  url: oci://ghcr.io/grimmory-tools/helm-charts

apps/kube-prometheus-stack/release-alloy.yaml

@@ -1,145 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: alloy
-  namespace: kube-prometheus-stack
-spec:
-  chart:
-    spec:
-      chart: alloy
-      version: 1.x
-      sourceRef:
-        kind: HelmRepository
-        name: grafana
-  interval: 15m
-  releaseName: alloy
-  values:
-    alloy:
-      configMap:
-        content: |-
-          // Write your Alloy config here:
-          loki.write "default" {
-            endpoint {
-              url = "http://loki:3100/loki/api/v1/push"
-            }
-          }
-
-          // discovery.kubernetes allows you to find scrape targets from Kubernetes resources.
-          // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.
-          discovery.kubernetes "pod" {
-            role = "pod"
-            // Restrict to pods on the node to reduce cpu & memory usage
-            selectors {
-              role = "pod"
-              field = "spec.nodeName=" + coalesce(sys.env("HOSTNAME"), constants.hostname)
-            }
-          }
-
-          // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.
-          // If no rules are defined, then the input targets are exported as-is.
-          discovery.relabel "pod_logs" {
-            targets = discovery.kubernetes.pod.targets
-
-            // Label creation - "namespace" field from "__meta_kubernetes_namespace"
-            rule {
-              source_labels = ["__meta_kubernetes_namespace"]
-              action = "replace"
-              target_label = "namespace"
-            }
-
-            // Label creation - "pod" field from "__meta_kubernetes_pod_name"
-            rule {
-              source_labels = ["__meta_kubernetes_pod_name"]
-              action = "replace"
-              target_label = "pod"
-            }
-
-            // Label creation - "container" field from "__meta_kubernetes_pod_container_name"
-            rule {
-              source_labels = ["__meta_kubernetes_pod_container_name"]
-              action = "replace"
-              target_label = "container"
-            }
-
-            // Label creation -  "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name"
-            rule {
-              source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"]
-              action = "replace"
-              target_label = "app"
-            }
-
-            // Label creation -  "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name"
-            // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name
-            rule {
-              source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"]
-              action = "replace"
-              target_label = "job"
-              separator = "/"
-              replacement = "$1"
-            }
-
-            // Label creation - "__path__" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name"
-            // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log
-            rule {
-              source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
-              action = "replace"
-              target_label = "__path__"
-              separator = "/"
-              replacement = "/var/log/pods/*$1/*.log"
-            }
-
-            // Label creation -  "container_runtime" field from "__meta_kubernetes_pod_container_id"
-            rule {
-              source_labels = ["__meta_kubernetes_pod_container_id"]
-              action = "replace"
-              target_label = "container_runtime"
-              regex = `^(\S+):\/\/.+$`
-              replacement = "$1"
-            }
-          }
-
-          // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.
-          loki.source.kubernetes "pod_logs" {
-            targets    = discovery.relabel.pod_logs.output
-            forward_to = [loki.process.pod_logs.receiver]
-          }
-
-          // loki.process receives log entries from other Loki components, applies one or more processing stages,
-          // and forwards the results to the list of receivers in the component's arguments.
-          loki.process "pod_logs" {
-            stage.static_labels {
-                values = {
-                  cluster = "server",
-                }
-            }
-
-            forward_to = [loki.write.default.receiver]
-          }
-
-          // loki.source.kubernetes_events tails events from the Kubernetes API and converts them
-          // into log lines to forward to other Loki components.
-          loki.source.kubernetes_events "cluster_events" {
-            job_name   = "integrations/kubernetes/eventhandler"
-            log_format = "logfmt"
-            forward_to = [
-              loki.process.cluster_events.receiver,
-            ]
-          }
-
-          // loki.process receives log entries from other loki components, applies one or more processing stages,
-          // and forwards the results to the list of receivers in the component's arguments.
-          loki.process "cluster_events" {
-            forward_to = [loki.write.default.receiver]
-
-            stage.static_labels {
-              values = {
-                cluster = "server",
-              }
-            }
-
-            stage.labels {
-              values = {
-                kubernetes_cluster_events = "job",
-              }
-            }
-          }

apps/kube-prometheus-stack/release-loki.yaml

@@ -1,71 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: loki
-  namespace: kube-prometheus-stack
-spec:
-  chart:
-    spec:
-      chart: loki
-      version: 6.x
-      sourceRef:
-        kind: HelmRepository
-        name: grafana-community
-  interval: 15m
-  releaseName: loki
-  values:
-    loki:
-      auth_enabled: false
-      commonConfig:
-        replication_factor: 3
-      schemaConfig:
-        configs:
-          - from: "2024-04-01"
-            store: tsdb
-            object_store: s3
-            schema: v13
-            index:
-              prefix: loki_index_
-              period: 24h
-      pattern_ingester:
-          enabled: true
-      limits_config:
-        allow_structured_metadata: true
-        volume_enabled: true
-      ruler:
-        enable_api: true
-
-    minio:
-      enabled: true
-          
-    deploymentMode: SingleBinary
-
-    singleBinary:
-      replicas: 3
-
-    # Zero out replica counts of other deployment modes
-    backend:
-      replicas: 0
-    read:
-      replicas: 0
-    write:
-      replicas: 0
-
-    ingester:
-      replicas: 0
-    querier:
-      replicas: 0
-    queryFrontend:
-      replicas: 0
-    queryScheduler:
-      replicas: 0
-    distributor:
-      replicas: 0
-    compactor:
-      replicas: 0
-    indexGateway:
-      replicas: 0
-    bloomCompactor:
-      replicas: 0
-    bloomGateway:
-      replicas: 0

apps/kube-prometheus-stack/repository-grafana-community.yaml

@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: grafana-community
-  namespace: kube-prometheus-stack
-spec:
-  interval: 15m
-  url: https://grafana-community.github.io/helm-charts

apps/ollama/release.yaml

@@ -0,0 +1,43 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ollama
+  namespace: ollama
+spec:
+  chart:
+    spec:
+      chart: ollama
+      version: 1.x
+      sourceRef:
+        kind: HelmRepository
+        name: ollama
+  interval: 15m
+  releaseName: ollama
+  values:
+    runtimeClassName: nvidia
+    ollama:
+      gpu:
+        enabled: true
+        type: nvidia
+        nvidiaResource: nvidia.com/gpu
+        number: 1
+      models:
+        pull:
+          - qwen3.5:9b
+        run:
+          - qwen3.5:9b
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+        traefik.ingress.kubernetes.io/router.tls: "true"
+      hosts:
+        - host: ollama.michaelthomson.dev
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - ollama.michaelthomson.dev
+          secretName: ollama-tls

apps/ollama/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: ollama
+  namespace: ollama
+spec:
+  interval: 15m
+  url: https://helm.otwld.com/

apps/vaultwarden/release.yaml

@@ -7,7 +7,7 @@ spec:
   chart:
     spec:
       chart: vaultwarden
-      version: 0.30.x
+      version: 0.39.x
       sourceRef:
         kind: HelmRepository
         name: vaultwarden
@@ -33,8 +33,8 @@ spec:
       host: "mail.michaelthomson.dev"
       security: "force_tls"
       port: 465
-      from: "vaultwarden@michaelthomson.dev"
-      fromName: "Vaultwarden"
+      from: "server@michaelthomson.dev"
+      fromName: "Server"
       username:
         existingSecretKey: "SMTP_USERNAME"
       password:

apps/vaultwarden/smtpcreds-secret.yaml

@@ -1,15 +1,14 @@
 apiVersion: v1
-data:
-    SMTP_PASSWORD: ENC[AES256_GCM,data:SxuZaVeYXXhar0Qhi7clkXyO15rBG8xI9QTOzgwqGVCjHOW4,iv:zKgyHRU6GOnz6Vpt1Ko4/B9ySZpbMf2J/bN8WdUaitY=,tag:4+02vnssi0okvMZDel7/mw==,type:str]
-    SMTP_USERNAME: ENC[AES256_GCM,data:NREKMX/dvkejjoiLa764rT7CDl0nPoAaNWkXGnqrgdPhnsMVSUv1RA==,iv:VXe3z426+688ojm4JU3hyytFWCJ2oYgSFVnIOv2ry8Y=,tag:Tj5k8LApkxd+TBJFF/6/Zg==,type:str]
+stringData:
+    SMTP_PASSWORD: ENC[AES256_GCM,data:ckVcecLJPGsD4RYEva2TJluXy2TvhS3aYPzxAyEN,iv:AteDpQU+1p5+/nxtgSDhyH/O6dEPrLE6OrN8soMQNGk=,tag:DlaHPDzhBxRDbuuNdNSllw==,type:str]
+    SMTP_USERNAME: ENC[AES256_GCM,data:6oCLieSE7U0QIn6+q48oQSEiRKD8fYRe6A==,iv:Ub9f7Hni0N1pvQNfje+EUbXoQHb37v8Wja2u0bvp0/E=,tag:p4VfEXiQEqH3aQNt+9aMPQ==,type:str]
 kind: Secret
 metadata:
     name: smtpcreds-secret
     namespace: vaultwarden
 sops:
     age:
-        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
-          enc: |
+        - enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
             YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZWVxNElZM1pFNEx6eE9q
             U3ZHTzdhcXMzWmRBWGM0eDFTVCtFOGhGYzN3ClZ2U2NaSFVuaUN6RDhaYkVnb1du
@@ -17,7 +16,8 @@ sops:
             YjFheFgwRGVEVWJ3TW94UWlTREV6K2cKpnqUg4qLeOtIfecGjV2nUAYZGTkHCrT6
             OHfL5W55BqcQJYovv37JJHkNV+IHuVNo7aqO/gx5AE0HfMWPfy6QGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T20:36:08Z"
-    mac: ENC[AES256_GCM,data:402GE3Cqd1N+cQBRnfNb5+/dudSy5pO1Hilc4DW0n+xm4x5sn8wr8C/mL6NDoBKh8fc7JAPPShCfx5B2RdxBL0hs7fkohSIKvtU4hq75enq/bPOtRoxuSxAMH89ayVSbP0V1llWsHFwGJROEMp/9vpqWUFqFvf3uCC8tLOGSy/8=,iv:lp0JMs56ltxFLJOiOWoTa2+D383SgD15v7XJpAwEDdw=,tag:/dezyOAu2W6nTGNQxKTlpA==,type:str]
+          recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
     encrypted_regex: ^(data|stringData)$
-    version: 3.11.0
+    lastmodified: "2026-06-14T03:38:49Z"
+    mac: ENC[AES256_GCM,data:obLNrjI7ccUOdHwgihPUQ8OpkcpsC0ZWJxi6ddoYcDuwGEtASZjJYAwVWjIb2rvuIrpVAiVQ/WCfz6gAdwIqG9wSJw2FHlMV4h/DiEccZh1r9dVFZ85MHNYMPx05s2xPW30gPuGfSYnrAVlFKhgiJNXOQqguGqRwLIa3/AsmsiI=,iv:98ySRbgzOqrEzlKsbn0Ug5OqPtvuIjZAdwsMhMyD1GE=,tag:0q6u/ubYWZ+coKQkJtT+ZQ==,type:str]
+    version: 3.13.1

bootstrap/apps/kustomization-grimmory.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: grimmory
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./apps/grimmory
+  prune: true # remove any elements later removed from the above path
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+    - name: infra-configs

bootstrap/apps/kustomization-ollama.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: ollama
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./apps/ollama
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+    - name: infra-configs

infrastructure/controllers/generic-cdi-plugin/daemonset.yaml

@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: generic-cdi-plugin-daemonset
-  namespace: generic-cdi-plugin
-spec:
-  selector:
-    matchLabels:
-      name: generic-cdi-plugin
-  template:
-    metadata:
-      labels:
-        name: generic-cdi-plugin
-        app.kubernetes.io/component: generic-cdi-plugin
-        app.kubernetes.io/name: generic-cdi-plugin
-    spec:
-      containers:
-      - image: ghcr.io/olfillasodikno/generic-cdi-plugin:main
-        name: generic-cdi-plugin
-        command:
-          - /generic-cdi-plugin
-          - /var/run/cdi/nvidia-container-toolkit.json
-        imagePullPolicy: Always
-        securityContext:
-          privileged: true
-        tty: true
-        volumeMounts:
-        - name: kubelet
-          mountPath: /var/lib/kubelet
-        - name: nvidia-container-toolkit
-          mountPath: /var/run/cdi/nvidia-container-toolkit.json
-      volumes:
-      - name: kubelet
-        hostPath:
-          path: /var/lib/kubelet
-      - name: nvidia-container-toolkit
-        hostPath:
-          path: /var/run/cdi/nvidia-container-toolkit.json
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: "nixos-nvidia-cdi"
-                operator: In
-                values:
-                - "enabled"

infrastructure/controllers/nvidia-device-plugin/release.yaml

@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nvidia-device-plugin
+  namespace: nvidia-device-plugin
+spec:
+  chart:
+    spec:
+      chart: nvidia-device-plugin
+      version: 0.17.x
+      sourceRef:
+        kind: HelmRepository
+        name: nvdp
+  interval: 15m
+  releaseName: nvidia-device-plugin
+  values:
+    runtimeClassName: nvidia
+    config:
+      default: time-slicing
+      map:
+        time-slicing: |
+          version: v1
+          sharing:
+            timeSlicing:
+              resources:
+              - name: nvidia.com/gpu
+                replicas: 5

infrastructure/controllers/nvidia-device-plugin/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: nvdp
+  namespace: nvidia-device-plugin
+spec:
+  interval: 15m
+  url: https://nvidia.github.io/k8s-device-plugin

infrastructure/controllers/nvidia-device-plugin/runtime-class.yaml

@@ -0,0 +1,5 @@
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: nvidia
+handler: nvidia

infrastructure/namespaces/namespace-grimmory.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: generic-cdi-plugin
+  name: grimmory

infrastructure/namespaces/namespace-nvidia-device-plugin.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nvidia-device-plugin
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

infrastructure/namespaces/namespace-ollama.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ollama
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged