.github/renovate.json

@@ -37,6 +37,14 @@
       "registryUrls": [
         "https://emberstack.github.io/helm-charts"
       ]
+    },
+    {
+      "matchPackageNames": [
+        "app-template"
+      ],
+      "registryUrls": [
+        "https://bjw-s.github.io/helm-charts"
+      ]
     }
   ],
   "kubernetes": {

README.md

@@ -9,19 +9,76 @@
 
 # iac (wip)
 
-Currently migrating [Auto-Homelab](https://git.mafyuh.dev/mafyuh/Auto-Homelab), [Iac-Homelab](https://git.mafyuh.dev/mafyuh/IaC-Homelab), [ansible-playbooks](https://git.mafyuh.dev/mafyuh/ansible-playbooks) and [kub](https://git.mafyuh.dev/mafyuh/kub) repos into this one.
+This is my homelab infrastructure, defined in code.
 
-This is my homelab, defined in code.
 </div>
 
+---
+
 <div align="center">
 
-| Hypervisor | OS | Tools | VPS (arm) | Firewall | Misc. Automations |
-|---|---|---|---|---|---|
-| [![Proxmox](https://img.shields.io/badge/-Proxmox-%23c9d1d9?logo=Proxmox)](https://www.proxmox.com) | [![Ubuntu](https://img.shields.io/badge/Ubuntu_22.04-%23c9d1d9?&logo=ubuntu&logoColor=red)](https://releases.ubuntu.com/jammy/) [![Ubuntu](https://img.shields.io/badge/Ubuntu_24-%23c9d1d9?&logo=ubuntu&logoColor=red)](https://releases.ubuntu.com/noble/) | [![Forgejo](https://img.shields.io/badge/-Forgejo-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/) [![Docker](https://img.shields.io/badge/-Docker-%23c9d1d9?logo=docker)](https://www.docker.com/) [![Renovate](https://img.shields.io/badge/-Renovate-%23c9d1d9?logo=renovate&logoColor=blue)](https://github.com/renovatebot/renovate) [![OpenTofu](https://img.shields.io/badge/-OpenTofu-%23c9d1d9?logo=opentofu&logoColor=black)](https://opentofu.org/) [![Packer](https://img.shields.io/badge/-Packer-%23c9d1d9?logo=packer)](https://www.packer.io/) [![Ansible](https://img.shields.io/badge/-Ansible-%23c9d1d9?logo=ansible&logoColor=red)](https://www.ansible.com/) | [![Oracle](https://img.shields.io/badge/-Oracle_Cloud-%23c9d1d9?logo=oracle&logoColor=red)](https://www.oracle.com/cloud/) | [![pfSense](https://img.shields.io/badge/-pfSense-%23c9d1d9?logo=pfsense&logoColor=blue)](https://www.pfsense.org/) | [![n8n](https://img.shields.io/badge/-n8n-%23c9d1d9?logo=n8n)](https://n8n.io/)
+| Hypervisor | OS | Tools | Firewall | Misc. Automations |
+|---|---|---|---|---|
+| [![Proxmox](https://img.shields.io/badge/-Proxmox-%23c9d1d9?logo=Proxmox)](https://www.proxmox.com) | [![Debian](https://img.shields.io/badge/Debian-%23c9d1d9?&logo=debian&logoColor=black)](https://www.debian.org/) [![Ubuntu](https://img.shields.io/badge/Ubuntu-%23c9d1d9?&logo=ubuntu&logoColor=red)](https://releases.ubuntu.com/noble/) | [![Forgejo](https://img.shields.io/badge/-Forgejo-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/) [![Docker](https://img.shields.io/badge/-Docker-%23c9d1d9?logo=docker)](https://www.docker.com/) [![Kubernetes](https://img.shields.io/badge/-Kubernetes-%23c9d1d9?logo=kubernetes)](https://k3s.io/) [![Renovate](https://img.shields.io/badge/-Renovate-%23c9d1d9?logo=renovate&logoColor=blue)](https://github.com/renovatebot/renovate) [![OpenTofu](https://img.shields.io/badge/-OpenTofu-%23c9d1d9?logo=opentofu)](https://opentofu.org/) [![Packer](https://img.shields.io/badge/-Packer-%23c9d1d9?logo=packer)](https://www.packer.io/) [![Ansible](https://img.shields.io/badge/-Ansible-%23c9d1d9?logo=ansible&logoColor=red)](https://www.ansible.com/) | [![pfSense](https://img.shields.io/badge/-pfSense-%23c9d1d9?logo=pfsense&logoColor=blue)](https://www.pfsense.org/) | [![n8n](https://img.shields.io/badge/-n8n-%23c9d1d9?logo=n8n)](https://n8n.io/) [![Actions](https://img.shields.io/badge/-Actions-%23c9d1d9?logo=forgejo&logoColor=orange)](https://forgejo.org/docs/latest/user/actions/)
 
 </div>
 
-## To-Do
+## 📖 **Overview**
+This repository contains the IaC ([Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code)) configuration for my homelab.  
+
+Most of my homelab runs on **Proxmox**, with VMs managed and maintained using [OpenTofu](https://opentofu.org/). All VMs are cloned from templates I created with [Packer](https://www.packer.io/).  
+
+All services are **containerized**, either managed with **Docker Compose** or **orchestrated with Kubernetes ([K3s](https://k3s.io/))**. Over time, I’ve been migrating everything to Kubernetes using **[GitOps](https://en.wikipedia.org/wiki/DevOps) practices**, which is my long-term goal.  
+
+To automate infrastructure updates, I use **Forgejo Actions**, which trigger workflows upon changes to this repo. This ensures seamless deployment and maintenance across my homelab:  
+
+- **[Flux](https://fluxcd.io/)** manages Continuous Deployment (CD) for Kubernetes, bootstrapped via [OpenTofu](https://git.mafyuh.dev/mafyuh/iac/src/branch/main/terraform/flux/main.tf).
+- **[Docker CD Workflow](https://git.mafyuh.dev/mafyuh/iac/src/branch/main/.forgejo/workflows/CD.yml)** handles Continuous Deployment for Docker services.   
+- **[Renovate](https://github.com/renovatebot/renovate)** keeps services updated by opening PRs for new versions.  
+- **[Yamllint](https://github.com/adrienverge/yamllint)** ensures configuration files are properly structured.
+- **[Ansible](https://github.com/ansible/ansible)** is used to execute playbooks on all of my VMs, automating management and configurations
+
+### 🔒 **Security & Networking**
+For Secret management I use [Bitwarden Secrets](https://bitwarden.com/products/secrets-manager/) and their various [integrations](https://bitwarden.com/help/ansible-integration/) into the tools used.
+> Kubernetes is using SOPS with Age encryption until migration over to Bitwarden Secrets.
+
+I use **Oracle Cloud** for their [Always-Free](https://www.oracle.com/cloud/free/) VM's and deploy Docker services that require uptime here (Uptime Kuma, this website). [Twingate](https://www.twingate.com/) is used to connect my home network to the various VPS's securely using [Zero Trust architecture](https://en.wikipedia.org/wiki/Zero_trust_architecture).
+
+I use **Cloudflare** for my DNS provider with **Cloudflare Tunnels** to expose some of the services to the world. **Cloudflare Access** is used to restrict the access to some of the services, this is paired with **Fail2Ban** looking through all my reverse proxy logs for malicious actors who made it through **Access** and banning them via **Cloudflare WAF**.
+
+For my home network I use **PfSense** with VLAN segmentation and strict firewall rules to isolate public-facing machines, ensuring they can only communicate with the necessary services and nothing else.
+
+### **📊 Monitoring & Observability**  
+I use a combination of **Grafana, Loki, and Prometheus** with various exporters to collect and visualize system metrics, logs, and alerts. This helps maintain visibility into my infrastructure and detect issues proactively.  
+
+- **Prometheus** – Metrics collection and alerting  
+- **Loki** – Centralized logging for containers and VMs  
+- **Grafana** – Dashboarding and visualization  
+- **Exporters** – Node Exporter, cAdvisor, Blackbox Exporter, etc.  
+
+## 🧑‍💻 **Getting Started**
+This repo is not structured like a project you can easily replicate. Although if you are new to any of the tools used I encourage you to read through the directories that make up each tool to see how I am using them.
+
+Over time I will try to add more detailed instructions in each directories README.
+
+Some good references for how I learned this stuff (other than RTM)
+- [Kubernetes Cluster Setup](https://technotim.live/posts/k3s-etcd-ansible/)
+- [Kubernetes + Flux](https://technotim.live/posts/flux-devops-gitops/)
+- [Kubernetes Secrets with SOPS](https://technotim.live/posts/secret-encryption-sops/)
+- [Packer with Proxmox](https://www.youtube.com/watch?v=1nf3WOEFq1Y)
+- [Terraform with Proxmox](https://www.youtube.com/watch?v=dvyeoDBUtsU)
+- [Docker](https://www.youtube.com/watch?v=eGz9DS-aIeY)
+- [Ansible](https://www.youtube.com/watch?v=goclfp6a2IQ)
+
+## 🖥️ **Hardware**
+
+| Name        | Device         | CPU             | RAM          | Storage                                      | Purpose                          |
+|------------|--------------|----------------|-------------|--------------------------------|--------------------------------|
+| Arc-Ripper | Optiplex 3050 | Intel i5-6500  | 32 GB DDR4  | 1TB NVMe                      | Jellyfin Server, Blu-ray Ripper |
+| PVE Node 1 | Custom        | Intel i7-9700K | 64 GB DDR4  | NVMe for boot and VMs, 4x4TB HDD RaidZ10 | Main node with most VMs, NAS   |
+| PVE Node 2 | Custom        | Intel i7-8700K | 64 GB DDR4  | 1x2TB NVMe                    | More VMs                        |
+
+
+## 📌 **To-Do**
 See [Project Board](https://git.mafyuh.dev/mafyuh/iac/projects/2)
 

docker/AI/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   ollama:
-    image: ollama/ollama:0.5.10
+    image: ollama/ollama:0.5.11
     container_name: ollama
     restart: unless-stopped
     networks:
@@ -39,7 +39,7 @@ services:
       - host.docker.internal:host-gateway
 
   searxng:
-    image: searxng/searxng@sha256:e22d8617effc484649d01fa80614b4859e134c6b77a5d2a2cff9236789aa1749
+    image: searxng/searxng@sha256:0da476ff64bf801e3b36fd3c79c50f30f7041ab78b27cbc8c189c4c6f8c696d6
     container_name: searxng
     networks:
       - ai-stack

docker/arrs/docker-compose.yml

@@ -36,7 +36,7 @@ services:
       - apparmor:unconfined
 
   prowlarr:
-    image: ghcr.io/linuxserver/prowlarr@sha256:33a605960120eff07b4713f094a4588ce048e8e3aa7a1599f41224cb67122ba5
+    image: ghcr.io/linuxserver/prowlarr@sha256:761f73534a01aec4bf72a1396e9b9fda3f01632948b3fa31985982d26120a330
     container_name: prowlarr
     ports:
       - "9696:9696"

docker/jellyfin/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   jellyfin:
-    image: ghcr.io/linuxserver/jellyfin@sha256:7cdcd4b6b60765290af7a2740960ce30c1f5548313ae60f7e23f6995ed4d147e
+    image: ghcr.io/linuxserver/jellyfin@sha256:075bc77361e6466f5cd546c9d97646428cc1f26d4b355991e8f66d0ffbc7c15a
     container_name: jellyfin
     devices:
       - /dev/dri/renderD129:/dev/dri/renderD129

docker/kasm/docker-compose.yml

@@ -1,7 +1,7 @@
 ---
 services:
   kasm:
-    image: ghcr.io/linuxserver/kasm@sha256:5ff0ef8bd7f279cb6806aae9caabe5457eaadd89fb0f02e63ce26dcdac747d10
+    image: ghcr.io/linuxserver/kasm@sha256:64da6db15ab574d67f9fbdcc812796f00f259be543e6dc2e60ad4f5d6c05d005
     container_name: kasm
     privileged: true
     environment:

kubernetes/apps/production/arr/flaresolverr/deployment.yaml

@@ -30,4 +30,10 @@ spec:
               cpu: "100m"
             limits:
               memory: "300Mi"
-              cpu: "200m"
+              cpu: "200m"
+      dnsPolicy: None
+      dnsConfig:
+        nameservers:
+          - 10.43.0.10
+          - 1.1.1.1
+          - 8.8.8.8

kubernetes/apps/production/arr/jellyseerr/helmrelease.yaml

@@ -0,0 +1,111 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app jellyseerr
+  namespace: arr
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.7.1
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      fullnameOverride: *app
+      namespace: arr
+
+    controllers:
+      jellyseerr:
+        enabled: true
+        type: statefulset
+        annotations:
+          reloader.stakater.com/auto: "true"
+
+        replicas: 1
+
+        statefulset:
+          volumeClaimTemplates:
+            - name: jellyseerr-config
+              accessMode: ReadWriteOnce
+              size: 2Gi
+              storageClass: longhorn
+              globalMounts:
+                - path: /app/config
+
+        pod:
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: &group 1000
+            fsGroup: *group
+            fsGroupChangePolicy: "OnRootMismatch"
+          dnsPolicy: None
+          dnsConfig:
+            nameservers:
+              - 10.43.0.10
+              - 1.1.1.1
+              - 8.8.8.8
+
+        containers:
+          app:
+            image:
+              repository: fallenbagel/jellyseerr
+              tag: 2.3.0
+              pullPolicy: IfNotPresent
+            env:
+              TZ: "${TZ}"
+              LOG_LEVEL: info
+
+            probes:
+              liveness:
+                enabled: false
+
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop:
+                  - ALL
+
+            resources:
+              requests:
+                cpu: 20m
+                memory: 128Mi
+              limits:
+                memory: 256Mi
+
+    service:
+      app:
+        primary: true
+        controller: jellyseerr
+        ports:
+          http:
+            port: 5055
+
+    ingress:
+      internal:
+        enabled: true
+        className: nginx
+        hosts:
+          - host: "request.${PUBLIC_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+                service:
+                  identifier: app
+                  port: http
+        tls:
+          - hosts:
+              - "request.${PUBLIC_DOMAIN}"
+            secretName: mafyuh-dev-production-tls

kubernetes/apps/production/arr/jellyseerr/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrelease.yaml

kubernetes/apps/production/arr/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
   - bazarr/
   - flaresolverr/
   - prowlarr/
+  - jellyseerr/
   - qbitty/
   - radarr/
   - recyclarr/

kubernetes/apps/production/arr/prowlarr/helmrelease.yaml

@@ -54,6 +54,7 @@ spec:
           dnsPolicy: None
           dnsConfig:
             nameservers:
+              - 10.43.0.10
               - 1.1.1.1
               - 8.8.8.8
 
@@ -66,7 +67,7 @@ spec:
             env:
               TZ: "${TZ}"
               PROWLARR__INSTANCE_NAME: *app
-              PROWLARR__PORT: &port 7878
+              PROWLARR__PORT: &port 9696
               PROWLARR__APPLICATION_URL: "https://prowlarr.${LOCAL_DOMAIN}"
               PROWLARR__THEME: dark
               PROWLARR__LOG_LEVEL: info

kubernetes/apps/production/arr/radarr/helmrelease.yaml

@@ -54,6 +54,7 @@ spec:
           dnsPolicy: None
           dnsConfig:
             nameservers:
+              - 10.43.0.10
               - 1.1.1.1
               - 8.8.8.8
 

kubernetes/apps/production/arr/sabnzbd/helmrelease.yaml

@@ -51,6 +51,12 @@ spec:
             runAsGroup: &group 1000
             fsGroup: *group
             fsGroupChangePolicy: "OnRootMismatch"
+          dnsPolicy: None
+          dnsConfig:
+            nameservers:
+              - 10.43.0.10
+              - 1.1.1.1
+              - 8.8.8.8
 
         containers:
           app:

kubernetes/apps/production/arr/sonarr/helmrelease.yaml

@@ -54,6 +54,7 @@ spec:
           dnsPolicy: None
           dnsConfig:
             nameservers:
+              - 10.43.0.10
               - 1.1.1.1
               - 8.8.8.8
 

kubernetes/apps/production/authentik/configmap.yaml

@@ -4,7 +4,7 @@ metadata:
     name: authentik-values
     namespace: authentik
 data:
-    values.yaml: ENC[AES256_GCM,data:vdNxG8ySftHb/nSx7OyGs87Nk3nmy7WYJ4xJt5AHce/x1T6zShgbTrqB7uU7I/lG3C83bjQXuNSANdRdEWyEoTDPunWZ9gBftaM+6N4z30ndo/095RGlguG+0Llhz9Y1fLEEIVCtom9Pv9IdadL7dDayb3lvyQHsYYcLE93/eJXcaZo0ENYNtNq0nliRTx6Vt0HfKhCu0MzPbkoOS3nx0wBzJ6IRNqBHZShcbsRHT7Ud7Ohb2jRw9jwplqktkTrd6t/Q/Nq66wwuvKSokxkwb/JYCmvsEHrfl72YCSeP9cbXyiuYLvr8l+ganyas/XpaTkrjS3TWqfzQJA4XWARkSFZE80rfrmPCrIDbSt1UkdHkaM+S1MV8nRTbx3q9vbErT/GiyGgOFMUNSAPdRTtEh2roSz8fgrlsd56ZyLCYcbv2olQTvo9Gggr25taCONX3b2AbVkYpAThVTQe5eCl+SlxeDPDhSjx9aFI8J2SZnZ2wsbGo95Pmf8mmulcant7NuK5JnQMh+z9dzTimhJXkpBusMPk59KU7pMNbhqzQfOJ3HRR+srnFOzRHrcUrAiojAMasDoU+lBJZznqe9dQv5+/Qexci/oWLd39bTvxVTY0btd0bKrLlQYNRULKZktvm4Qg6p8kktJNkEuTHUaNBotHKuIBfqmJdhUd2clso4PHz93jJXUTWWeGbtmTUkZuelzYTs/MRFIXeOvJUJAJa1QyTz6GK5So5VNsRxdUq+12oEmUd8RDtt7Ft0vzgEkDp4eND/AuX8Ex3llvz74K4cY59ldgWJSVpLrYJGzIQZKjdX6DHvavsqKCM7AvYrrybNF1ct43yC/janL/ELV1nOTQSAVLn9osQ8k5sbuZ1wOE76PjSZPsrubHbc85T5ejVORCtjRK/xmRVK3WjNZhD1Cnk1b6aTydEx60sHPEr7Mhx3Z5+t4Szf15x+QqhJnY4hshbj62kXsYcdRg35LhwEPNABXkfv+1ekjJ2tmzobi7foxfIB7oyI2GOtHYA37jGsR03zPdwjRIv5XNwao6RpOtGvcXHEUH9gBctGWYw6RNHQ7trKr2i4Du3gj8/qH9Eg/E3NBPU4NLjJNMq3Y1WFoPGxu9yzM8KZjlE4ZIPPSS8Bp93oN1YXgesrmXv1kFnvcD19sOh6cCsBmknP8RFTkWOKYiEea6DYwg8A+kc/YNSrikVzUqQTZEew89dziW7+9L7GlLsGuXycYxW4IZHxMaKlzfXc9AzAb4BuANsYHaML4Ymy/Vtha3qdB/Nss9VQjXe00YUvifMmIWMS9ea1kb6qTIzBzYoNTTt+9tXUNwAleAWN2rQJo9ifpzfQuptHZ2C9IKgNQQmRGF2zAkpoTDtqx/IUKvxuTHGh8W3g2ZNHc4j2mhGx7QG8bYtJ6FrzrVEslK6u1StuU1WzIhzir8A1CmkuLTRSihymKmM0fAF9VJ0bydxPbn0QTsMrgsGwz6JtPAeOW2Umh3IpcvkbeyRy0X3eZaj,iv:EWpc+nAIXNqVpPn2DC3EL/bfEzM6PTtRXdLtYF5OqgY=,tag:a50CftQxTxy6mOLAxi//Ow==,type:str]
+    values.yaml: ENC[AES256_GCM,data:n/ITNeK+JVQB5AI5MiDDcxu5RapIPTuDxqJLIHysopawa5gCHwgppnLKv9tW6Sg9B4Tqb3FT8e2zgoVVhQ3+lRvC6HRVhB9+Em+gB8zu7aeOnfd3l3Cj6oSQkjVLxjDCdHHGU/9KFm5YToJER0tzMBXS3M/apvN9+B/VKDI+D/1FDz2bG66QoK+oWd0pq/BShZ1nMhvZXxQ8TFkpQKORnF8qwYq+ArY2ucAsoWbbs4QzEYxqVVa6BmRrpoXlK9i8ak9zTTRn6iPgWf5dhBkvexCI///jZODTYWWiiDo7XQBjS8C4xA4rOK99cav1QhA5j6tPGEKhdNNk2z/ViolFfpzEj4KBdvRSmu/fFBCIka9aP6ZFWU7efIcP2qS3KrIibosQ1Wr4va+P9wzmDA+wSGxKsxeA1BkUhrs9t/+hc6fdsXT30+4sM70zZOJ0+nH9UwNDpJjBfOpc9soAItPzXzWTlX7JCei8CGnloAMrekc3ShQI2L2pHRNLsTDMXJq6Goc3Xk5OF4PC/jjVxSVisXki7qEVZoUKZeoM81i1MXfIOFcGUBfRnntVPK8dBw44KVlPaD4iamRwh3juhy4X/bKWpKs9o5mIB+eQIOiNH5Nxm9g0oI5Ck1A6h/KtJwiHYFc7SH+qhzSubym9x52l960ar18N5zt6oqWz6peFmYY7lGxqBh5muHobWTJ/4QF7Lr3KDZvK5C5ppnxb0/AENbH+t6bQ1ZavOhMs2ojELnL2sG/eXWDXQ8+5OlN0/uCOWHTZ7FtgBhfFXJ/SsU/nquk6aC4smv/boKP1JKJBihAs7yhJMbWBDTHUSNPUef39E7FzyMYqYYU5hxmEfytlt3ZD0Y62rF4zPJBmA2cZzqYAWK2qXhXvpdMcEvTbUEJ3ez6cgHQvEyXutZUiyoN+3YesK8VyXHzq5A6VX/AX7nl5G+P3Afwi/+a6SkkmJ6Q9dVAeEe7CsIrJheNNlweA5aT+GzUD2dNtsjb6/1yQGYejfu/3Ve/0qyHkykBJDwMTLbb3W13/BRzXPhrUIz+nglBlWB3zzVOIQ5Gdx2X9htcvIyiYTZ0epUFEGjZYUzd8/d4WazwjvUFACFpooDSQgMWd5ODTmSn/kvWd+IR6Zxr/cg0UiGnDDUmbhRy/uwSGvkmb/evodweBvij1bbilgGmuO0X9TWVtXQkw7Vii/SS69+Imy/iap07zJJBobfyTU7hZvgrc/BWHqW2oHPYu4tTuKgbOopjPX+vkylu+FYC4seqOXUNvCczF0l712+RWXQpFF/iKBDbviI0twTFF4Qmn,iv:Xsg10IX3Q+UjyoaMGrqbf1i9zsTOndZ3IvBatViwBV4=,tag:FPDrUpu5KM0S7TxLVNxIfA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -20,8 +20,8 @@ sops:
             RndrQ2JxZnMxZlBIM3RHS0E1WTlZQzQK7oTkv/PG3poAdYnqXnzX3j5ZUgMa3GFB
             aQtceF96jKRltwPrnUgZZ5EadTaLyGAD30fqvUJ9/oP6NLe7kmsTWg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-17T01:33:23Z"
-    mac: ENC[AES256_GCM,data:cz25q40TD7XWnJWIu9FgS55LsfORvfFRpNgp0Zju66i6IBF3NakUjfo48rD/Nu9ebEC8iIpo8P3Y2YT6w0wPDWGDLkww0iLzFIr8IMWzCS1wrIyaq/BZmzh26jd4r2qY1knqQAqlVdOJ9grPqjBxKxed/o3Lu++Irp7n7dOY0rA=,iv:HUCgrKlLC1u/3/oeQLM3alBRWc0hf3YhhsuMYowKYCU=,tag:pUWKkQ2sy0sPPWAcK0yqnQ==,type:str]
+    lastmodified: "2025-02-20T20:33:40Z"
+    mac: ENC[AES256_GCM,data:rL+ugPPHcRzpHA70mmn7BLdhO0PG63EMqaHq7eJfBguIcdREGrQCpGQbbw6YN2GGCuE8NWB6sLHaUVn09LMywNfcUT4Hw1kInXRxzZ+L4M4UdqjUCCQj69UGGPnXoyM5GopCIA60/JVTtsQ9EPmJHJJI8LYQrQEtT6O+5FnlaMo=,iv:Jnst3uaJArcxM29hqrVPHKSSAW7Ac84xG6LJP2lz0+g=,tag:J/OAZq4dHXOOiE243Xo0LA==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData|secret_key|password|hosts)$
     version: 3.9.4

kubernetes/apps/production/cert-manager/certificates/public.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mafyuh-dev
+  namespace: cert-manager
+spec:
+  secretName: mafyuh-dev-production-tls
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "*.mafyuh.dev"
+  dnsNames:
+  - "*.mafyuh.dev"

kubernetes/apps/production/cert-manager/issuers/letsencrypt.yaml

@@ -18,3 +18,4 @@ spec:
               selector:
                 dnsZones:
                     - local.mafyuh.dev
+                    - mafyuh.dev

kubernetes/apps/production/cert-manager/kustomization.yaml

@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - certificates/local.yaml
+  - certificates/public.yaml
   - helmrelease.yaml
   - helmrepo.yaml
   - issuers/letsencrypt.yaml