ollama upgrade ctx size

apps/authentik/authentik-postgres-credentials.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-data:
-    password: ENC[AES256_GCM,data:a7nwc49lItIjjg6f7Vaz6Kyyb4CgwMmudHpsQAY39539fvCWtYjsoQzEqEXZdcwPyqB2qlOHewXcStBgG1B1iKKZhqE=,iv:yK9EZWhBNLm9lNs7V7Fm2MQWv3Lfb1o34P25+p00FgQ=,tag:ie24X9bcK1NdxZWhEKITHw==,type:str]
-    username: ENC[AES256_GCM,data:VmGN5YxRGZcS/EWy,iv:QKGSkxBSfMusEkl3sS1m3KQREvwUCP0aag8u7VPzWxo=,tag:zXthxvtKBex3XpRqO6Qcyg==,type:str]
-kind: Secret
-metadata:
-    name: authentik-postgres-credentials
-    namespace: authentik
-sops:
-    age:
-        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZFlqTWZzTVNOV294bXF5
-            MEFFWGNXZkN6YjgrdGx2NkZyMHVWN25KSm5rCmxBQzNsSk53bDZiK3RQUCtYbjRu
-            NVUwZHJPSUhZTnEvdmNYNENSR1NSTTgKLS0tIFlmMTRSOWlKU1dYT0ZQQW1yTGx5
-            dWt0TXRDZ2VVVjREYjIvdTFUcVNxYjAKVYa8GZoKORII5nN0590OWzdbyoXe6Eyi
-            mRKUxtVsbhCPtfabQGn/tu40g7A9CFcWh51geIGewkTVmVlx0ulv/Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T20:32:24Z"
-    mac: ENC[AES256_GCM,data:N81ubg0zmCZpZKa+Z/IJZunsUUT8dZrWfp48cBNLg5GPr1O2SrvFUPo+ZWSDLRWWgea5E00kU1luDHcnTuHtjSF457anCc1LpezJnIIfPHQBE7wIrWkZMW1QYsScZhtNvkDf1LhXuo2JZnRkAZ249JzzPEYxy+GjLXU3hNaaeyw=,iv:V6Op3ZA9Rw2g20gzZapZt7GfnW7TW988psIIDlwxzaE=,tag:anOAkNKfUFhmntDH/i/v2w==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.11.0

apps/authentik/authentik-secret-key.yaml

@@ -1,22 +0,0 @@
-apiVersion: v1
-data:
-    key: ENC[AES256_GCM,data:0YHxGccmrLh2LFfAeySEqdfuE35FfzsAVI/XNcKKWKUS4HZ5sKUVy8PLSrl99nZRtC66Vj2Vsj/Zj+Ir/3/n8Vzhy04=,iv:whuMt5eTvp962tNisNDc5ygBaCzRs1MwBtOxWP+atv8=,tag:mcerAaPbzujtI25tPLETnQ==,type:str]
-kind: Secret
-metadata:
-    name: authentik-secret-key
-    namespace: authentik
-sops:
-    age:
-        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRlB4Vjg5cU1QWWovRTFW
-            M1Q0cmpaWkNUek54T1VheGxMbVlIeUlybjMwCnVTY2VLTXVSbEpUc0lTRUtETUV3
-            TGRmVDB5cnhpU2k2YkNuL3d6OTVETW8KLS0tIDZoNjlTVERvR1FSczB5d09IVnpl
-            QnloYTFKNGdyR3FuS3N2WjVVVGFKRWsKd8MPL8raiwfz/fLsjL76tdeCBDu/cirV
-            DKFx+Tu8KTugK6gGteXA2/PHZPEB/U9Zh1OD3t6AdPZMQJaiNKq/4Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T20:36:08Z"
-    mac: ENC[AES256_GCM,data:RlZUTVt/3acp5BX92MI3USohXoAlZy8QAgr0HwLu0IMc+gUcykCXV/voYSJgIQlHhKDo/Jwa0+KhU3DLT/9GS4UF/E2GCJhj9t9DlagnchLxxJXYyP/7FPUkoOfDKmG1Sc2Gq3i/gTVklzQ0DpwQflF0F50BLDv1FqxUD84jVoI=,iv:T/Hd0kenM4LikCB9mkSrFMVD1UeA+Dvwi+3TLziwsdI=,tag:rfosFTQZo695lnznWC8JcQ==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.11.0

apps/authentik/cluster.yaml

@@ -1,57 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: postgres-cluster
-  namespace: authentik
-  annotations:
-    # needed to allow for recovery from same name cluster backup
-    cnpg.io/skipEmptyWalArchiveCheck: enabled
-spec:
-  instances: 2
-
-  managed:
-    roles:
-      - name: authentik
-        superuser: true
-        login: true
-
-  bootstrap:
-    # initdb:
-    #   database: authentik
-    #   owner: authentik
-    #   secret:
-    #     name: authentik-postgres-credentials
-    # NOTE: uncomment this and commend the above initdb when recovering
-    recovery:
-      source: postgres-cluster
-
-  storage:
-    size: 8Gi
-    storageClass: longhorn-pg
-
-  externalClusters:
-    - name: postgres-cluster
-      barmanObjectStore:
-        destinationPath: "s3://mthomson-cnpg-backup/authentik/"
-        endpointURL: "https://s3.ca-central-1.wasabisys.com"
-        s3Credentials:
-          accessKeyId:
-            name: wasabi-secret
-            key: ACCESS_KEY_ID
-          secretAccessKey:
-            name: wasabi-secret
-            key: ACCESS_SECRET_KEY
-
-  backup:
-    barmanObjectStore:
-      destinationPath: "s3://mthomson-cnpg-backup/authentik/"
-      endpointURL: "https://s3.ca-central-1.wasabisys.com"
-      s3Credentials:
-        accessKeyId:
-          name: wasabi-secret
-          key: ACCESS_KEY_ID
-        secretAccessKey:
-          name: wasabi-secret
-          key: ACCESS_SECRET_KEY
-    retentionPolicy: "10d"
-

apps/authentik/release.yaml

@@ -1,69 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: authentik
-  namespace: authentik
-spec:
-  chart:
-    spec:
-      chart: authentik
-      version: 2025.8.4
-      sourceRef:
-        kind: HelmRepository
-        name: authentik
-  interval: 15m
-  releaseName: authentik
-  values:
-    authentik:
-      secret_key: file:///secret-key/key
-      postgresql:
-        host: postgres-cluster-rw
-        user: file:///postgres-creds/username
-        password: file:///postgres-creds/password
-    server:
-      ingress:
-        enabled: true
-        ingressClassName: traefik
-        annotations:
-          cert-manager.io/cluster-issuer: "letsencrypt-prod"
-          external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-          traefik.ingress.kubernetes.io/router.tls: "true"
-          traefik.ingress.kubernetes.io/router.entrypoints: websecure
-        hosts:
-          - authentik.michaelthomson.dev
-        tls:
-          - secretName: authentik-tls
-            hosts:
-              - authentik.michaelthomson.dev
-      volumes:
-        - name: postgres-creds
-          secret:
-            secretName: authentik-postgres-credentials
-        - name: secret-key
-          secret:
-            secretName: authentik-secret-key
-      volumeMounts:
-        - name: postgres-creds
-          mountPath: /postgres-creds
-          readOnly: true
-        - name: secret-key
-          mountPath: /secret-key
-          readOnly: true
-    worker:
-      env:
-        - name: AUTHENTIK_SECRET_KEY
-          valueFrom:
-            secretKeyRef:
-              name: authentik-secret-key
-              key: key
-      volumes:
-        - name: postgres-creds
-          secret:
-            secretName: authentik-postgres-credentials
-      volumeMounts:
-        - name: postgres-creds
-          mountPath: /postgres-creds
-          readOnly: true
-    redis:
-      enabled: true

apps/authentik/scheduled-backup.yaml

@@ -1,11 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
-  name: scheduled-backup
-  namespace: authentik
-spec:
-  schedule: "0 0 0 * * *"
-  backupOwnerReference: self
-  #immediate: true
-  cluster:
-    name: postgres-cluster

apps/authentik/wasabi-secret.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-data:
-    ACCESS_KEY_ID: ENC[AES256_GCM,data:cJS1WkKlhgbWGqgOhFs9xjqriMIyGwaSq2W1tQ==,iv:5qj9+BjOPGvVFg9gIH9128nlOaQ27KMgjlIPIMF51IE=,tag:m80qHYyAbXGt1AGe+cXUuQ==,type:str]
-    ACCESS_SECRET_KEY: ENC[AES256_GCM,data:E1/lSR0Crdjt/N0BV0d7PgKSn00sKkNd9s4qsknK3MO4W3JSkwE2g4HyJvbjwDEmWZck7dB//WE=,iv:VoLSzFxrdGKKOVVNE8iiQtGS67yJYjknlxz4fs/DDJI=,tag:aPJEsutmqMobr+vXSCJ62g==,type:str]
-kind: Secret
-metadata:
-    name: wasabi-secret
-    namespace: authentik
-sops:
-    age:
-        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQzVzc1EzaWsvWWlXa2tu
-            U1NXVFh4TDhuUXZZcXNHVVBBeUR5Y2RvT2pRCnZPL0t5RVMyVzRVeTluYVhZNkJT
-            ZjF0S2lsUWFvdTdFaXVGZ2NlOHVGUm8KLS0tIGZVR3lUT2ltR0pLUU4yT1BTWTZW
-            UkZiNmNPbUMvRUs3dDVDNjBnb0htM2cKvsfEiaSE2A5R+pvb0UoaPmvSFMQR2GDi
-            DBJ+OyMFhz0HxQO31/yrlZGcVxBKq/Q4DXD1zDtWapQ3ds/OBjxHlg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T20:36:08Z"
-    mac: ENC[AES256_GCM,data:s9DcnPm61QEc8v+VxeCMYlpbEY5XkgciP1f1Mrprix23FoBJOnLn3sJlCc1Ew6tZE4ilyhr6rK6CJA0Aqsvfro5dS0wQUI1CuDjS4+yx1ANfZzxICYNSIHXVhQiSIQ5g0ANaUVvzaj7pBKA/FvV+BTav2UbdDRUGNVsmZY5NZ5g=,iv:oJ8THhyCaB7+sBwqh9fpLIulKMWTDHdLKSZjMAZFDxo=,tag:IhpmqbLYUE9QCS1B28pdZQ==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.11.0

apps/booklore/basic-auth.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-data:
-    password: ENC[AES256_GCM,data:WJbyXSCQ2qUtXBtv,iv:h3L3BeSaGQqU+nzlunl3BUOk2dei3Ra60IgNP2sCDQg=,tag:BoooixO1SpnvK7Jvxw56cg==,type:str]
-    user: ENC[AES256_GCM,data:6D78pKeGDJI=,iv:fl2MNa+EZXKwAOjRGglwPGFGMSc+uSfUJ6vn8U5aPvE=,tag:PU179YKHwlEfJ7OLI68nIQ==,type:str]
-kind: Secret
-metadata:
-    name: basic-auth
-    namespace: booklore
-sops:
-    age:
-        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpbmVWT3pRaTFrYXNyLys1
-            OEZxUTltSUpYaGgySCtzalA3SG9mVktlSzNrClNJNTBibUx4WWFZdDh1UUFXd2pu
-            ck9kVm1VckgxOVZUYjdTUHB4Uy9meGsKLS0tIHpJbk1yZU1jMzFPM2VZWkFWc21o
-            N2xLS0svZkd5MS9HRVUvN2MrWUhPK0kKC6SFkfSBu3CQKdt3+g+5JOjRLtwbxZS/
-            LQzDjeTqTKZHmrgxKwKsU15QtI0B1ie7f544KCuIAjvEeeBZb8AoRg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-12-17T17:34:49Z"
-    mac: ENC[AES256_GCM,data:ZJrymPllZvecBBeMTR1T1FZpHztqpsZ8SVqStshQMSd9Brf0F0KHNr9xd+dTrSuaeqR8rchLZ89hN+7an/JhkFm+4ffXWtdg5m6ES+Lbu6qGf3QczcQ4bssUhL4kuvTdM+7zVwD6XnyGF2G2hvSvJ2L8V364CX0ZOUCX+Cyk7Ss=,iv:GrVHO0vUz0pgloai/4KlCM/eCQSI1eEF59kuPVjG4y0=,tag:AXcIcDSD8DZOxbcrvvHMyQ==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.11.0

apps/booklore/release.yaml

@@ -1,56 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: booklore
-  namespace: booklore
-spec:
-  chart:
-    spec:
-      chart: ./example-chart
-      sourceRef:
-        kind: GitRepository
-        name: booklore
-  interval: 15m
-  releaseName: booklore
-  values:
-    image:
-      repository: booklore/booklore
-      # This sets the pull policy for images.
-      pullPolicy: Always
-      # Overrides the image tag whose default is the chart appVersion.
-      tag: latest
-    mariadb:
-      enabled: true
-      image:
-        tag: latest
-      auth:
-        database: booklore
-        username: booklore-user
-
-    ingress:
-      enabled: true
-      annotations:
-        cert-manager.io/cluster-issuer: "letsencrypt-prod"
-        external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
-        external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
-        traefik.ingress.kubernetes.io/router.entrypoints: websecure
-        traefik.ingress.kubernetes.io/router.tls: "true"
-      hosts:
-        - host: booklore.michaelthomson.dev
-          paths:
-            - path: "/"
-              pathType: ImplementationSpecific
-      tls:
-        - hosts:
-            - booklore.michaelthomson.dev
-          secretName: booklore-tls
-
-    # If you want to bring your own persistence (such as a hostPath),
-    # disable these and do so in extraVolumes/extraVolumeMounts
-    persistence:
-      dataVolume:
-        enabled: true
-        size: 1Gi
-      booksVolume:
-        enabled: true
-        size: 10Gi

apps/booklore/repository.yaml

@@ -1,10 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: booklore
-  namespace: booklore
-spec:
-  interval: 15m
-  url: https://github.com/booklore-app/booklore.git
-  ref:
-    branch: develop

apps/kube-prometheus-stack/release-alloy.yaml

@@ -0,0 +1,145 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: alloy
+  namespace: kube-prometheus-stack
+spec:
+  chart:
+    spec:
+      chart: alloy
+      version: 1.x
+      sourceRef:
+        kind: HelmRepository
+        name: grafana
+  interval: 15m
+  releaseName: alloy
+  values:
+    alloy:
+      configMap:
+        content: |-
+          // Write your Alloy config here:
+          loki.write "default" {
+            endpoint {
+              url = "http://loki:3100/loki/api/v1/push"
+            }
+          }
+
+          // discovery.kubernetes allows you to find scrape targets from Kubernetes resources.
+          // It watches cluster state and ensures targets are continually synced with what is currently running in your cluster.
+          discovery.kubernetes "pod" {
+            role = "pod"
+            // Restrict to pods on the node to reduce cpu & memory usage
+            selectors {
+              role = "pod"
+              field = "spec.nodeName=" + coalesce(sys.env("HOSTNAME"), constants.hostname)
+            }
+          }
+
+          // discovery.relabel rewrites the label set of the input targets by applying one or more relabeling rules.
+          // If no rules are defined, then the input targets are exported as-is.
+          discovery.relabel "pod_logs" {
+            targets = discovery.kubernetes.pod.targets
+
+            // Label creation - "namespace" field from "__meta_kubernetes_namespace"
+            rule {
+              source_labels = ["__meta_kubernetes_namespace"]
+              action = "replace"
+              target_label = "namespace"
+            }
+
+            // Label creation - "pod" field from "__meta_kubernetes_pod_name"
+            rule {
+              source_labels = ["__meta_kubernetes_pod_name"]
+              action = "replace"
+              target_label = "pod"
+            }
+
+            // Label creation - "container" field from "__meta_kubernetes_pod_container_name"
+            rule {
+              source_labels = ["__meta_kubernetes_pod_container_name"]
+              action = "replace"
+              target_label = "container"
+            }
+
+            // Label creation -  "app" field from "__meta_kubernetes_pod_label_app_kubernetes_io_name"
+            rule {
+              source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"]
+              action = "replace"
+              target_label = "app"
+            }
+
+            // Label creation -  "job" field from "__meta_kubernetes_namespace" and "__meta_kubernetes_pod_container_name"
+            // Concatenate values __meta_kubernetes_namespace/__meta_kubernetes_pod_container_name
+            rule {
+              source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"]
+              action = "replace"
+              target_label = "job"
+              separator = "/"
+              replacement = "$1"
+            }
+
+            // Label creation - "__path__" field from "__meta_kubernetes_pod_uid" and "__meta_kubernetes_pod_container_name"
+            // Concatenate values __meta_kubernetes_pod_uid/__meta_kubernetes_pod_container_name.log
+            rule {
+              source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
+              action = "replace"
+              target_label = "__path__"
+              separator = "/"
+              replacement = "/var/log/pods/*$1/*.log"
+            }
+
+            // Label creation -  "container_runtime" field from "__meta_kubernetes_pod_container_id"
+            rule {
+              source_labels = ["__meta_kubernetes_pod_container_id"]
+              action = "replace"
+              target_label = "container_runtime"
+              regex = `^(\S+):\/\/.+$`
+              replacement = "$1"
+            }
+          }
+
+          // loki.source.kubernetes tails logs from Kubernetes containers using the Kubernetes API.
+          loki.source.kubernetes "pod_logs" {
+            targets    = discovery.relabel.pod_logs.output
+            forward_to = [loki.process.pod_logs.receiver]
+          }
+
+          // loki.process receives log entries from other Loki components, applies one or more processing stages,
+          // and forwards the results to the list of receivers in the component's arguments.
+          loki.process "pod_logs" {
+            stage.static_labels {
+                values = {
+                  cluster = "server",
+                }
+            }
+
+            forward_to = [loki.write.default.receiver]
+          }
+
+          // loki.source.kubernetes_events tails events from the Kubernetes API and converts them
+          // into log lines to forward to other Loki components.
+          loki.source.kubernetes_events "cluster_events" {
+            job_name   = "integrations/kubernetes/eventhandler"
+            log_format = "logfmt"
+            forward_to = [
+              loki.process.cluster_events.receiver,
+            ]
+          }
+
+          // loki.process receives log entries from other loki components, applies one or more processing stages,
+          // and forwards the results to the list of receivers in the component's arguments.
+          loki.process "cluster_events" {
+            forward_to = [loki.write.default.receiver]
+
+            stage.static_labels {
+              values = {
+                cluster = "server",
+              }
+            }
+
+            stage.labels {
+              values = {
+                kubernetes_cluster_events = "job",
+              }
+            }
+          }

apps/kube-prometheus-stack/release-loki.yaml

@@ -0,0 +1,71 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: loki
+  namespace: kube-prometheus-stack
+spec:
+  chart:
+    spec:
+      chart: loki
+      version: 6.x
+      sourceRef:
+        kind: HelmRepository
+        name: grafana-community
+  interval: 15m
+  releaseName: loki
+  values:
+    loki:
+      auth_enabled: false
+      commonConfig:
+        replication_factor: 3
+      schemaConfig:
+        configs:
+          - from: "2024-04-01"
+            store: tsdb
+            object_store: s3
+            schema: v13
+            index:
+              prefix: loki_index_
+              period: 24h
+      pattern_ingester:
+          enabled: true
+      limits_config:
+        allow_structured_metadata: true
+        volume_enabled: true
+      ruler:
+        enable_api: true
+
+    minio:
+      enabled: true
+          
+    deploymentMode: SingleBinary
+
+    singleBinary:
+      replicas: 3
+
+    # Zero out replica counts of other deployment modes
+    backend:
+      replicas: 0
+    read:
+      replicas: 0
+    write:
+      replicas: 0
+
+    ingester:
+      replicas: 0
+    querier:
+      replicas: 0
+    queryFrontend:
+      replicas: 0
+    queryScheduler:
+      replicas: 0
+    distributor:
+      replicas: 0
+    compactor:
+      replicas: 0
+    indexGateway:
+      replicas: 0
+    bloomCompactor:
+      replicas: 0
+    bloomGateway:
+      replicas: 0

apps/kube-prometheus-stack/repository-grafana-community.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grafana-community
+  namespace: kube-prometheus-stack
+spec:
+  interval: 15m
+  url: https://grafana-community.github.io/helm-charts

apps/kube-prometheus-stack/repository-grafana.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grafana
+  namespace: kube-prometheus-stack
+spec:
+  interval: 15m
+  url: https://grafana.github.io/helm-charts

apps/media/bazarr/ingress.yaml

@@ -7,7 +7,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-bazarr@kubernetescrd
 spec:
   rules:
   - host: bazarr.michaelthomson.dev

apps/media/prowlarr/ingress.yaml

@@ -7,7 +7,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-prowlarr@kubernetescrd
 spec:
   rules:
   - host: prowlarr.michaelthomson.dev

apps/media/radarr/ingress.yaml

@@ -7,7 +7,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-radarr@kubernetescrd
 spec:
   rules:
   - host: radarr.michaelthomson.dev

apps/media/sonarr/ingress.yaml

@@ -7,7 +7,6 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    # traefik.ingress.kubernetes.io/router.middlewares: authentik-sonarr@kubernetescrd
 spec:
   rules:
   - host: sonarr.michaelthomson.dev

apps/ollama/release.yaml

@@ -0,0 +1,56 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ollama
+  namespace: ollama
+spec:
+  chart:
+    spec:
+      chart: ollama
+      version: 1.x
+      sourceRef:
+        kind: HelmRepository
+        name: otwld
+  interval: 15m
+  releaseName: ollama
+  values:
+    runtimeClassName: nvidia
+    ollama:
+      gpu:
+        # -- Enable GPU integration
+        enabled: true
+        
+        # -- GPU type: 'nvidia' or 'amd'
+        type: 'nvidia'
+        
+        # -- Specify the number of GPU to 1
+        number: 1
+
+        nvidiaResource: "nvidia.com/gpu-all"
+       
+      # -- List of models to pull at container startup
+      models:
+        create:
+          - name: qwen3.5:9b-ctx32768
+            template: |
+              FROM qwen3.5:9b
+              PARAMETER num_ctx 32768
+        run:
+          - qwen3.5:9b-ctx32768
+
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      hosts:
+      - host: ollama.michaelthomson.dev
+        paths:
+          - path: /
+            pathType: Prefix
+      path: /
+      tls:
+        - secretName: ollama-tls
+          hosts:
+            - ollama.michaelthomson.dev

apps/ollama/repository.yaml

@@ -1,8 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: authentik
+  name: otwld
-  namespace: authentik
+  namespace: ollama
 spec:
   interval: 15m
-  url: https://charts.goauthentik.io/
+  url: https://helm.otwld.com/

apps/open-webui/release.yaml

@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: open-webui
+  namespace: open-webui
+spec:
+  chart:
+    spec:
+      chart: open-webui
+      version: 12.x
+      sourceRef:
+        kind: HelmRepository
+        name: open-webui
+  interval: 15m
+  releaseName: open-webui
+  values:
+    ollama:
+      enabled: false
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt-prod"
+        traefik.ingress.kubernetes.io/router.tls: "true"
+        traefik.ingress.kubernetes.io/router.entrypoints: websecure
+      host: "chat.michaelthomson.dev" # update to your real domain
+      tls: true
+      existingSecret: open-webui-tls

apps/open-webui/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: open-webui
+  namespace: open-webui
+spec:
+  interval: 15m
+  url: https://helm.openwebui.com/

bootstrap/apps/kustomization-ollama.yaml

@@ -1,11 +1,11 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: booklore
+  name: ollama
   namespace: flux-system
 spec:
-  interval: 15m
+  interval: 1m
-  path: ./apps/booklore
+  path: ./apps/ollama
   prune: true # remove any elements later removed from the above path
   wait: true
   sourceRef:

bootstrap/apps/kustomization-open-webui.yaml

@@ -1,11 +1,11 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: authentik
+  name: open-webui
   namespace: flux-system
 spec:
-  interval: 15m
+  interval: 1m
-  path: ./apps/authentik
+  path: ./apps/open-webui
   prune: true # remove any elements later removed from the above path
   wait: true
   sourceRef:

infrastructure/namespaces/namespace-ollama.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: booklore
+  name: ollama

infrastructure/namespaces/namespace-open-webui.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: authentik
+  name: open-webui