The great reset, we moved infra into two clusters (sekibanki et seija)

.gitignore

@@ -1,3 +1,3 @@
 secrets.yaml
-infra/tailscale.patch.yaml
+infra/*/tailscale.patch.yaml
 .DS_Store

.sops.yaml

@@ -0,0 +1,3 @@
+creation_rules:
+    - age: >-
+        age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw

apps/autoupdate-teable-figurines-currencies/secrets.sops.yaml

@@ -4,20 +4,20 @@ metadata:
     name: autoupdate-teable-figurines-currencies-secret
 type: Opaque
 data:
-    RATES_EXCHANGE_APIKEY: ENC[AES256_GCM,data:mQ7j0QNtmPRKEbs0/1Gyha1d4dQSVs2TwheGiQu0LPoAeYLe1gyzSGGS+/SF8lKl,iv:42LINaSLOptLq2/NrqR+c40t7wMWj90PaMVp74GbakY=,tag:7/WuSXVH9AZbveiaSjN1ig==,type:str]
+    RATES_EXCHANGE_APIKEY: ENC[AES256_GCM,data:mV++90/V9p43Q4+RAfCjPC4i4Lop1dJ6IAkAi9iggf9mHz+g5q8qL5zN4ypR8k4w,iv:D68wPyFZV8FbDrsnsY+KYm351hq6e+yCq6UNxaxEAk0=,tag:5/EPNLdyLI1cGaIVqNGsdQ==,type:str]
-    TEABLE_APIKEY: ENC[AES256_GCM,data:iuHX8DJIgb7k4+e3AHjDDnyx1PRMa1IAKBzBBIln8nT6CzWgZHXCheb3Bz6rJUTUutvOEXgSWBRffkJZ3kjayifAmEXHLxMQtrKqfa3dm0ghJQCqCZaewL9vN2VAe3D2,iv:WojW3eQYAaKK6h5m9+7kUgJRcotYEqaDbfDva/Cwc08=,tag:HkzwC3d5Ndv5FoXVJZMmYw==,type:str]
+    TEABLE_APIKEY: ENC[AES256_GCM,data:qubq7DX6l91oqgojqme3m0BIIEfzfdBIAY1uBS+K0slXqzNRLPvlLouZgH7VFc6+69aeoPhIlAyU+/kuSlYhUH5x529L+CzsSMpsk1OxQrAcxaZz4mCnSBIAKn1aTsmt,iv:EoS2nz7QufRtIot8OyjkLvXLaKvouh+xU9rEm5/MhMQ=,tag:BG7xwy5sV2Eaf84OKHwOkw==,type:str]
 sops:
     age:
         - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAramZZVEV3TEhyUmErZDNZ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbnJqTkRUSDFaQTBwZEdQ
-            RlR0Mm44WThoMEZqd2dYUWVXRS9qNjJKZ2swCjd0ZXhLUkVHUkNvcjlIU21Kd0h1
+            ZkE3WG5JeS85M2NlSFFidGhGTzlwcmdCU3pzCmhvVkh6UGlOZzNDSFFPNm1OVG44
-            SUNyeSt1bWtVTkwwT054aTVXUzhzZHcKLS0tIFY4dGdUZ1VRWkZZSUNJOU1RbGx4
+            Q1VUeG1ML3k5UWZ1eE1CbVBQNC81MnMKLS0tIENNTmxpZlFuNlhVdWw3Ui9RZm1E
-            d09XVFVKY1dNcVdldCtSUUxYZUtXd0kKynbS+MZUw0fWcQ5HbiiOnf0NajSD4mQ0
+            Mkl5OFdORE9Va0E1TXVrNE9HUDJ0NGcKYapn7Ts31w8hLoavGPWrMkcrCIYn0QD9
-            QhcFWaadsR5LZjdxTfS1XFcbVGa2H8E3FtQvksz7lGwLsU0xqMRGzw==
+            zuLnkKygt28TECslnafjRKA4UmcJbRlhspc+5BcynIeYgIKppAk7ow==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-29T22:38:31Z"
+    lastmodified: "2025-07-16T14:35:28Z"
-    mac: ENC[AES256_GCM,data:cVxy/FkFJnxjzygwf0KdBNvF13nKk8wOjiMSaAtkXcrYPQshu5dONx/2pkG0HjifVKIZvATu/3G7nhcb7pX5+t03QOPkqmoHSowxejMB7w5eX24MALhzAMze/5nlnRQMLA5ZQ+3lG1SNsUXAXlWrlNAS4FKYvIjsvFRA0OTH95s=,iv:NdE7v3ysPuyACIFgquSwZN4AXhFr9Pv9k0PkqAEsVxc=,tag:zM4ga1oK7OpW+ppiS0/HTg==,type:str]
+    mac: ENC[AES256_GCM,data:QWDNIc/xxmWoQin4FL2NdGcxvzEWCyVifHTVBfYXTKbokKOiLtcHt7DkPtXle3QyZsl9lsqmQbJ6XNpDHcvuP2SCZzvE3kHNMcl1UTlfMBaqzobRn6FymYQ/jO95WiHPDqL/SFIbWbJQKtKTr8zS497/1723yvU6NPRS9ibF9FQ=,iv:08BTWnmlCHpfFJg/7Yk4jSwfYS118rTqKicQ6t6dTG4=,tag:cBtCVKsUeCzdgqHQIVCo0Q==,type:str]
     encrypted_regex: ^(data|stringData)$
     version: 3.10.2

apps/individual/import.yaml

@@ -15,7 +15,12 @@ spec:
       volumeMounts:
         - name: data
           mountPath: "/data"
+        # - name: olddata
+        #   mountPath: "/olddata"
   volumes:
     - name: data
       persistentVolumeClaim:
-        claimName: technitium-data-pvc
+        claimName: znc-pvc
+    # - name: olddata
+    #   persistentVolumeClaim:
+    #     claimName: gitea-pvc

apps/kakigoori/local_settings.sops.py

@@ -1,15 +0,0 @@
-{
-	"data": "ENC[AES256_GCM,data:0bMlVfY4+bGNfAmEEO2rVJ0xwd+/HBQX5smKwJpmqGff3zColq3BPkoYbmjwHzSy665vzO5GYgfiGmNwNpZuFoslUElprR92kg8tDePDwDsKeN1547TsQky3box7YI/2keEP2q5D8h8ZUPVFmlVltWsTUlS6CMyVKg1Dx0qUorIZdnqrIkvY8OxC9tEH0Rc3Edpz2QEMNL70NogfZchY4K3xXMFVEgIaVBYJi0AsAkkMOkgfrGyZScIqg+ypNTmGvn3DvKagofsiMZAsdS6u05T9kwII9scimDiAHBpmEvYsBMng8cqLgRmrOyMvIM8w0U6cG0aH41AjxGGmXbpAsuNm/e62x6hU3JNUGGOoGRVuEYnHGAEoJ6PEzPoSHlLGsCk/CqNrrDxyvHIaji9OvYBgujfBMljcTnsuGjYCG0XkNmN4UlpeNYGCtWh8r8aZzlhZTbmWZaN7U3yc8zQBxbdw5vmTV4vuWQ61Dk4xbVoX+h/2O9RF1mzODCd2MghCyXWbtIuh9T7dcI8H1f0hR73+YKrmXRDm1z4iRC/FBUXoZzGiYpOml2L2iRtUyR7E0VunLVKGT5t1ONJzqesMt8NFlHMj0T8n1OdTXlofddsU0qzFaIpIV7E0QlQz393BIIKNecAuKa2jHaujUzqLSG8+Kg+yT4rqc50d9BuizMECEyjyhsY8G9sxPCwrybg+8Jqs4zYWPaWRmepbBbMm1yXcfAqUOVpcuxWww6otA+f/bMwmyfbGd9wVK5snPMmPg3JD05navmKNYGDilfNVPO87CjUHT96tTT+9hfsAYM9rIzkrCKnndbtPmuWFGWUZYxQ6nN9kbCHEe8CSDcN2Dp8qNK+hVUAwMknFwU+zQWJU6X39fT/WySsdOhql8ntrapYTxIDgxZz3oEvVnIxMZBuZgVex1pWgvFv0iA==,iv:C3NDjBZktYMnnXWC0BOBOF1RLPaR/++CanDSCKtZpdk=,tag:8Tnh2UNfE2UThNexHTzlRQ==,type:str]",
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWVZRUzBMTHpHUVlNcG1L\ndGhWUEtkc2o5Y1U5NTJEN0pHbWpZUDI3ZWt3Cld5SE14UjgwK0xoWVE3TFlkYXho\nT3pBYTZIRENoZzNwY0xxWXNOUkJrMlkKLS0tIEZTMXhaMjhyMkdHRmZZVjVrOVdu\nUTVNUzAvYUtjWHRSakcrclJTQkkvZ0EK4+jaOzoxwa+kVrRdkmizMBZmbSTktBU1\nj5YnJPDwtyBCtPTrF5d9hcD/NmEdhv2Dm6JilT5EPkZslvcdHQcjZg==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-05-31T11:22:24Z",
-		"mac": "ENC[AES256_GCM,data:l17vrFzlOog3YcwMA61iJGIa/zra9RERPXiT3TH1sLtv2pLNEcu/eFOK5IhqMSPDtkSN1LuCcKqSj3JKpVVRINsoybSSD2XuWEXwSKaaBvtY49HGxpCu+Id1GEt/81IwMvWOu1CFsOyuRkYtBwBc40ThqcqCU8ub2ob9vwjpxGY=,iv:AnGQtzGcboOPYyFGuzOI+N+atZr9ZnkH9nqj3bbd5iY=,tag:Yy7zzJ1V8+Zn15B8xBoy5w==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.10.2"
-	}
-}

apps/kakigoori/secrets.sops.yaml

@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: anubis-kakigoori-key
-type: Opaque
-data:
-    ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:+Qbmh7nMRRkgAttxWUllxvnHN+XpiBZCm3Kppxzb79KSMlili/FC9PFLZ0I6F45vF65TIhmlCfdkWd0ikgFTjpUnmat4rzfb21Nyhx4+6bZkR+7eQJmePw==,iv:xzqrI+Dp5Zx9FJxUvaNGhbbZ8bZY0JSxKTj0pf1T+08=,tag:J8CZYgiWFpJm3H3L0mrMIw==,type:str]
-    THOTH_URL: ENC[AES256_GCM,data:o0cQMFKRPaRLE2ZJ1CXxKWoMTO380w2qVNkbIO8ul9d/yNBexi9xh/3yHMLjr9Ti,iv:td6XXTJXHZcDLs14dsRijmMiy2HzoT0+Kmt3g+KShjk=,tag:cWr1XF47B1ayuYUUMKw3DA==,type:str]
-    THOTH_TOKEN: ENC[AES256_GCM,data:e+SbKz72mYSjh3MH0NfLhUo9/28ENB4k8kN4/z2ooI33QWQLT1rCS2uDZuw/KpQIF8PobpYmF8qJkNM1gpuMB4MTHog3jUxpB9Ff8GxnvIbal1yRsIj6/UEW8BEzuENACszjHWKah6Az53SRyFxFPDNopKRlCTvdm9/bTG2f2Ie2jFWriu2e/7jMgKQUbcvdfcJoOdPbaRLU5tlHfUOrzgSAjfj02ktCPac8ss2dNKKQib6iX4gQdMfjGgTSzXObopYvX9aXhUGTpJOebTNAfz5ECLejYG63ZKY4VTnHmnWkzvuWLYsgocAL/6pLiTrS/JWzAyZF+Gce7K2XaAOO0deBAjGWQl7GhB+WMF3aiePjtyib2jAhXpa5fVET1lPwmom6Xf8Hg9DwJQ+4WSReMK7sGzh+RSwmFegxX0mnhvDtw8CaT+fKkLs8APdEBCBnD8H/e1xJJsqPgVJVQnwt+TkKRldELAKzq9jbHRVuWCpoJBBnnYJNlvSAbbwIGH/mv998FFT8f2ARSDJYUl4fNyQorRWMV4Zhky+8QIX+jPQBqljY,iv:ZXCUFpqh85W8l1saUYWLNg37QTkxy24vlZyPS0I8mjQ=,tag:ExMldQHFqAPdOtLqmDLrKQ==,type:str]
-sops:
-    age:
-        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VkUzSWdtZlI0Wm1PMC9U
-            T2JIdWkvYjIxby9SMmlRVTlKaDZrUThvaFdNCnFCOVJhS2hIWWwzNWVKT0xKbUY5
-            TVVXa1d3MUpUcjlVRllTZk02bnBqdDAKLS0tIHFDYzB2TXJIS1FyQ0JYTE5YUTFS
-            WFN0Q1dqeUtYUitwVW9EalA1a295M00KItuiSlWjFU/EuP/gHfx5ZiOEC1mgUa2I
-            KQdJSOzHobfICZY2/wF8+KPpMBwcuB0IQL6SJF5I8CRS3H1dIPTaeg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-16T00:27:47Z"
-    mac: ENC[AES256_GCM,data:UiSbzEO8qKqVHPqoH6mHwokCfGt9kBJAi66ja3EOMTdrKXueLxEii2YrgaPnBTcx93Ha/VBhzwLbVxeF4C4PIxNdsauWrh25YmfZvkBe2F3viJQpJVgIGbLPf7Uv/fZ/xhwuk/A4+Ob7+XymFb0PFZ3Zo9pEXzjNwZ6QuFChiYs=,iv:1caTZ3pG2CgqtWwGJIa2nAV+2/yhDRv0zRFtv+T+GBk=,tag:phIjj4ZpMcr5CC5P9qVbpg==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2

apps/kustomization.yaml

@@ -1,18 +0,0 @@
-resources:
-  - autoupdate-teable-figurines-currencies
-  - glance
-  - kakigoori
-  - opengist
-  - pocketid
-  - prettysunflower-website
-  - privatebin
-  - publicfiles
-  - rallly
-  - renovate
-  - static-websites
-  - teable
-  - technitium
-  - thelounge
-  - uptime-kuma
-  - znc
-  - vaultwarden

apps/opengist/secrets.sops.yaml

@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: opengist-secret
-type: Opaque
-data:
-    OG_DB_URI: ENC[AES256_GCM,data:TZpj9cVMF6jHqhJf2EKMDe8bDp3ozn86b9IG1hIinX8V4sUkayB2UznScqhnsEAd+FKAimf7exu5+fQ+qDVLVk0izy7PNNKK6JpNWatkfwfk7bN0hMghiIRlNL/dB5vnH/m4FktUD04=,iv:NueU8M+PBvgCnUY2J/DyHLSyOHYkkPs0Nu3QnnlrOg4=,tag:bMDNa9AbzK0pWW2/V76VGA==,type:str]
-    OG_SECRET_KEY: ENC[AES256_GCM,data:FRMGtPW95ypXvPdcss61FYEZPwTU4IbULt//av3pncC6c4RraXzEr8zwGpxlxsLsorlhVN7xm2SybDxtHHVs6B7Emr8NwRq+5fLZfU6YHa8y/tqr68/vlQ==,iv:Sfkx30Cqw9Y1jKNTtXrQiwMwbsiT3E2mygRACf20JuY=,tag:3vmHOZWs/jsynIL1Na3LPQ==,type:str]
-    OG_OIDC_PROVIDER_NAME: ENC[AES256_GCM,data:ff/7A9194cworblcum6zbyLTKzI=,iv:CPECmbTOlDAGf0Pd8GGNodmGA8ARnfeaU2E/JpxezU8=,tag:mnVi10u7mZGgoMpeYu1Y7Q==,type:str]
-    OG_OIDC_CLIENT_KEY: ENC[AES256_GCM,data:OjZc3bFKk9q24RWm7ftP5j2TUfAVerOh+2CA4+4+0FMef8HP/g0p3nFVzIl5H/9R,iv:RUsTi63pi7RsdUnHct/Whmeg3xf5VKp26bli0GfsPcs=,tag:9E9pdIieAAqAg/TXrxqseQ==,type:str]
-    OG_OIDC_SECRET: ENC[AES256_GCM,data:zBWln9wZiG7PU4VkzAqA81enp7+bkWF+GNE8W46RhsgQOgG9AQmBEuEB++E=,iv:5MDI8JvcKhQ/sHX/3IL0wRNMRqs5tYgdsX/KcNqUYPM=,tag:aM/Dlbbw2tnXpSq4zJnSGQ==,type:str]
-    OG_OIDC_DISCOVERY_URL: ENC[AES256_GCM,data:2X2m6q6d0VMrAbYq2EVKc7ID3Y9kv5yKS9ncnqVQtShnx95g0boAKYhs2+vTw4ERQFKWAlgVoBrjfdEgkwuQrWoON3n7Y94n3Sgqsg==,iv:f7NhX74g09/ATfxvr3k22R0h9daRDA4ZzceRmkqbH+k=,tag:hgKMrwPyw4WEJtnALCQzzg==,type:str]
-sops:
-    age:
-        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxREt0L3FXRkc1aXdQeG5s
-            R2RoZGhyUnVYbnJ3all0eXBCaHp0Ly9JaFNvCmxrNGx4MDFEOFFtQ2I3ZldRcE5E
-            V0FtV3lMUk9SQllQV1A4OWRlNkdxb0UKLS0tIExYWXNxbjcvTmNLSFV0QVZtcWpv
-            NWtHbTd6bnRyN01aeEVUanVRMFpnR0kK/lnokfJiXcO9aFj+4iWqEnUMxdvz91GD
-            4LUJR0MDE4zblg3/8ZEUM83Bb0CwtnEiQ/8IXbHwLwMdu4AJ4Fj5dA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-10T00:20:57Z"
-    mac: ENC[AES256_GCM,data:O3x8Cp4SHVrZPoRVHbnMUnGjOuf4VXgnD2OX7PhuATHJGOvFrmKBQPs/cTdyLz785sRWDHqJume1SEKjezgOw2dw61tDm11CMRM9t1M5oG5rMOg7yhdCFFvw4MGW3TLn7VmJwoFpbSMbq8SH8xSQEBf8+B2XZvU0LudEhTVn0xA=,iv:D7mGMmT2K1PfL4dTRKztus1xbAfbTWJ6OgUOn/U24dY=,tag:N8dA7a82HvDnAZWVh80kvA==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2

apps/prettysunflower-website/namespace.yaml

@@ -1,6 +0,0 @@
-kind: Namespace
-apiVersion: v1
-metadata:
-  name: prettysunflower-website
-  labels:
-    name: prettysunflower-website

apps/prettysunflower-website/secrets.sops.yaml

@@ -1,47 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: prettysunflower-website-secret
-    namespace: prettysunflower-website
-type: Opaque
-data:
-    GOOGLE_API_KEY: ENC[AES256_GCM,data:Kff/H1QrNmyUoNCgG/DJmYTSluBfQkzATpNYcW+mpXA5igR1TW/8rxBI3pEavbiXq8s5dg==,iv:2w6gt7+r/bQTlWmObBeqkY/8osdAmvKaWUjIm+DjNyc=,tag:rLFP3GiJ+QMGFH81noKutQ==,type:str]
-sops:
-    age:
-        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZXZUZklxb2UyRHA0OSt0
-            UXdad2FnQ2RVaVFKWkgvUFduUnVJVkpsZXhjCjF0dUlJTmVvUFVhZ2pueUdBS0t2
-            MHZKS29XRkUwTUUwSWNmb28relhxME0KLS0tIFZuT0JCZU9nMFltUk0yTU1zV2U0
-            YWdTRm5wdUdBN3BJelZhQUZhWllRTVUKxNufC3hgtybXvB+AL4rqeDCCGsbSTG3Z
-            f+04lkOLzcLr2sTBueGNG8UfnflSQI1JIrlHAzb7LlNi4vuH3KdFEg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-29T22:40:27Z"
-    mac: ENC[AES256_GCM,data:JtiGrHVD+JJQ5ZwHLCT4rTOu/UoYCscn1Wv0F3E8Q1y9olFXLhq4b9L/vOGe+Wf4/8cl56zf9YnifWR73c71/qnTjsByN/0zqWJjtsDomaxFkGtjLwKbnvvJs3+NyUw1OJGSnL0c79rhEZTkzfFrN/td1hbr/Qho227UvoVOLsc=,iv:YHBAJqUJBz/kzcdNOUPDxaWqEVVmHvkgcjbP2FYwwDA=,tag:OIM5/vlgMCxRYocvy6xjRw==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2
----
-apiVersion: v1
-kind: Secret
-metadata:
-    name: anubis-key
-    namespace: prettysunflower-website
-type: Opaque
-data:
-    ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:uVHaqVVCLb9j8y/zXo2ZutfYgi8tu1sLJ003yw0l7C+jy/s2hHKkgVwqXMTZRA+Hq0RIRNEwHyswfM8tQ2olmQVlPASEXnT0yW0lAidoZ/xf8fs1Am14vg==,iv:w/ag0nJ3MnP3UUGq6iMNu/qHLr+kt8G/Ntzd6APQCuY=,tag:mAHZM2PGAqHjnp4QVIkqPg==,type:str]
-sops:
-    age:
-        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZXZUZklxb2UyRHA0OSt0
-            UXdad2FnQ2RVaVFKWkgvUFduUnVJVkpsZXhjCjF0dUlJTmVvUFVhZ2pueUdBS0t2
-            MHZKS29XRkUwTUUwSWNmb28relhxME0KLS0tIFZuT0JCZU9nMFltUk0yTU1zV2U0
-            YWdTRm5wdUdBN3BJelZhQUZhWllRTVUKxNufC3hgtybXvB+AL4rqeDCCGsbSTG3Z
-            f+04lkOLzcLr2sTBueGNG8UfnflSQI1JIrlHAzb7LlNi4vuH3KdFEg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-29T22:40:27Z"
-    mac: ENC[AES256_GCM,data:JtiGrHVD+JJQ5ZwHLCT4rTOu/UoYCscn1Wv0F3E8Q1y9olFXLhq4b9L/vOGe+Wf4/8cl56zf9YnifWR73c71/qnTjsByN/0zqWJjtsDomaxFkGtjLwKbnvvJs3+NyUw1OJGSnL0c79rhEZTkzfFrN/td1hbr/Qho227UvoVOLsc=,iv:YHBAJqUJBz/kzcdNOUPDxaWqEVVmHvkgcjbP2FYwwDA=,tag:OIM5/vlgMCxRYocvy6xjRw==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2

apps/prettysunflower-website/services.yaml

@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: website
-  namespace: prettysunflower-website
-spec:
-  type: ClusterIP
-  selector:
-    app.kubernetes.io/name: prettysunflower-website
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 8080
-      name: anubis
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: static
-  namespace: prettysunflower-website
-spec:
-  type: ClusterIP
-  selector:
-    app.kubernetes.io/name: prettysunflower-website
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 8001
-      name: anubis-static

apps/privatebin/secrets.sops.yaml

@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-    name: anubis-key
-type: Opaque
-data:
-    ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:DBMXjeG7KguofrBF8wFRZoplFKhsxRGvWAXga5QJkhYn4HNF6WvFr8dkCww7Z6qpqdskKqBQqBiYq6OgTe5f55or9sWeO5XwKprjTUYYJ+/Yxvg1MBMlSg==,iv:MfK068uL94QNPlh62FNjBMK26M6Uig9yWvHRLpmEASE=,tag:0w4OMh/KcWsK5n4xnkLzaw==,type:str]
-sops:
-    age:
-        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2dGp5eTNoRWZRVENPaXVv
-            cUdJc2d4Sm82RklXb29vRHZQZmhRNHRxWGpRCllwNENBY015WUFqeWI2TGhhcXZ3
-            Z0w4dXJZeEtQZkJRQzAveTZtS1RZdDQKLS0tIHlYeEZzMzNXTzdJaEd3S2s0RWh0
-            L3lRQkxCNWRBbFdlMW1DS2RXUXJwTlkKW7jjQfIC2tZo9vj6QenOdOa54xCjMU5v
-            3Be8lPn1H6js15fKTpCw+6+VaEBaAxO9Q1BnSlKx76YQc4V/1pRGhQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-30T10:26:13Z"
-    mac: ENC[AES256_GCM,data:mC8nlQZA7o6h+FDK5eB4XOXrYnygml0rYDDlg4oq0i0rNXlK0gQcTQxYU3ZJLyEJirsjKhdoyF/thP9ro1Jdbt2bNn5k7crc4o5Ar4/Rlu05xxq7reZKtX2RiUaGonlWNrNLbXWnPFv9TZ2A+qkdIlXYLMg5vNFPJS0E56b/SH0=,iv:1ERSVhVwzEj3Y+vPdbBEeHsjLi5IZ0pgWwh423cGB2g=,tag:l/2a74j+gbyIQIn2DIN09w==,type:str]
-    encrypted_regex: ^(data|stringData)$
-    version: 3.10.2

apps/rallly/secrets.sops.yaml

@@ -4,29 +4,29 @@ metadata:
     name: rallly-config
 type: Opaque
 stringData:
-    DATABASE_URL: ENC[AES256_GCM,data:og/DjZzZQJZSeMsqf2t7rS2+b7g0ak6eIC1JGYCtGJq63x4nTmJyAD0oJEN8ME1kp/V+edX1T68SVVPdrsPVHlawwb5ZJOeSu2wB,iv:PV84Oi/kLGDDm45WWN6w+llLBzIcopP3kB0bLYCTM5o=,tag:fuqKM+VghdxjWoArEiEYMg==,type:str]
+    DATABASE_URL: ENC[AES256_GCM,data:lYuzcEIsbFibHLunbiySE5pBDak7ERmaTlStyCv1epmVFo3DXa+u/Z7cWzbGoJ9ZUcHgTRKGyI87jWcvf8q3rmryYDI01Bps4syx,iv:7L8D3ODEc1Wqi78Zo6WcIMZ9PoEnEUbaxtXROlW1uNI=,tag:vudFPhiMj5qRA2yXR78AbQ==,type:str]
-    SECRET_PASSWORD: ENC[AES256_GCM,data:324h5buHxd/xxr+V87aepxHfEDyjta2BL1pkwwCtPzPS9MC9xcJm4HX7c8qGxr1GsJkFS2/LIBPHRpl9sZ3aww==,iv:5W7NStdQcOSOBG3YfQsF+PqY4pBYNYPb+dZFOMnfVHY=,tag:3h0Ey6V9nmrAivgQwhbvWQ==,type:str]
+    SECRET_PASSWORD: ENC[AES256_GCM,data:oFqbJwS+Mbxp1weU3/78w/P5EbC2M6D+sQ8CmplQNNh8vlA4tv868hKMSJRaSErYQ1kN2qQ7ssgRBjFbKRM+Og==,iv:3ir7GG4CXN9OO3f2QJIN1LPMHOAkeNOQg/hOGpm5g0Q=,tag:R4WmPVoSSLOxl8sMIyoxUw==,type:str]
-    ALLOWED_EMAILS: ENC[AES256_GCM,data:R+LvSgga0H5eBls+gOPvYsYag0FF,iv:lOiJhKe1pPMG0R32DWiqG2lX1ziXauMVjrl2+veQFKE=,tag:CHKPCZRmxG6dmz5RywH8CQ==,type:str]
+    ALLOWED_EMAILS: ENC[AES256_GCM,data:c9ab4CvjqTv2GBByhqzw6I9wNG4F,iv:YRHEXHp02LQD1vJ2ihmOC5L1in6nEI0bNm8PE5kLn/g=,tag:DXr+woHpyq9oToVvE+q9bg==,type:str]
-    SUPPORT_EMAIL: ENC[AES256_GCM,data:yYWpEnghNcOe0cRuMg2ffOp10GsWMk8/,iv:ZmPrBS4egsFUrkOvZKBJMTvh/Lcf3nLwjaqz8aVYaGg=,tag:M3fkjRJjNRrysY7HagbfXQ==,type:str]
+    SUPPORT_EMAIL: ENC[AES256_GCM,data:HScMvYjK5t+qhBzo5J18XdpVEohyb9UB,iv:N9DE6NO+uAEezHOFjoZBGT63uaHcXjW+W4RBdpABaCY=,tag:OQEbgraRJkwfmbYL3gnRpA==,type:str]
-    SMTP_HOST: ENC[AES256_GCM,data:cOJLpNdBmLPBE53IUQ==,iv:Nv7S1ZKisrmkQIYwJf7Y/xqSQFHkvFrc4DzaMcXy4Ug=,tag:XEgyNik0EiGk4niqYujUHQ==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:40XpC0/q0YlxtXsu3w==,iv:eKmnKvRHSUGMm88doxmz5vjNqS2mNK+idjGFw7GAV6E=,tag:g5SoJxpoAD7JB+fXygHTvQ==,type:str]
-    SMTP_PORT: ENC[AES256_GCM,data:sFaL,iv:UzQux93MPbrQIFpA+xD86z4E8YsMzbAmb5OKYKB3EKc=,tag:8x/f+OPkBUO2sD+ih+DEHQ==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:KNFA,iv:ebpkTJ7aLV6YuK+tuEkgydzfcDost0BabwLy+THxAJ8=,tag:EDa/OonRseVxxdRWIyR0yQ==,type:str]
-    SMTP_SECURE: ENC[AES256_GCM,data:dDZwLPE=,iv:U30Wj2jbUvusUyk3e3wW9vYd0/vNEicle5Ab4RhXpY0=,tag:V5t8wNToYJuoYdjBIfGtvA==,type:str]
+    SMTP_SECURE: ENC[AES256_GCM,data:ljHsvHM=,iv:p+miRdGI5Du1Xe9UCisP94DVyHEQbwfIcMCOiFarHCM=,tag:79+8l4P2X9H/WjOp294VYw==,type:str]
-    SMTP_USER: ENC[AES256_GCM,data:eRFXbLAUgIv0iv1gveEsg75+QiJDiA==,iv:AbLvwCpVIRjNyq9IM25SevEQGihOIVFLTjeDGYvfDsQ=,tag:Xj1jHRKZ6D4Kwar6VW1B5Q==,type:str]
+    SMTP_USER: ENC[AES256_GCM,data:yleHjuxtepfrWGgVg/aUCTod2O7o+w==,iv:mvNqD8EB53xV13mxVcpknUj0VigTvpHAM7AR8udFoB0=,tag:kplCsvWYyjGT3qKUBx/tyw==,type:str]
-    SMTP_PWD: ENC[AES256_GCM,data:myJOrcEv0J/JeIVan/WRzA==,iv:cPmyFTu6ZGe57SRzDbN5bdmYaPz/yaUvuQsrP2V1iZA=,tag:3xbNjIaANxRBENxpzm3XdQ==,type:str]
+    SMTP_PWD: ENC[AES256_GCM,data:QRpk7RUq0BZU6KdSYSyZ2A==,iv:c9nMcctW++51kzvWeo+7Jd40SS8HxfLpuKbPIxIMOqQ=,tag:yxb9ZrCmjBFXZDi1uI8g9g==,type:str]
-    NEXT_PUBLIC_BASE_URL: ENC[AES256_GCM,data:85hc4Aca8yBCctXXpwdfeF5TUcbK1rX8qelB+kR6h7/nZG9sqvI=,iv:mz3+Yc3mTB6cNmZyYNOBf/rm11/1HoR0VTeJEbCzWyw=,tag:GxIY03wU3MGiIHmdZM+E+g==,type:str]
+    NEXT_PUBLIC_BASE_URL: ENC[AES256_GCM,data:s66MoHOPDosVFTvEd/YWcn4+erI7Y7qaoIU052vuiPdd3AkV6dI=,iv:SXLdwkz9NKq8mRtWSRSCnBrNExz1LaCXZyImXib2WTo=,tag:uhJxpnQWMzR+yRumkzBCVw==,type:str]
-    NOREPLY_EMAIL: ENC[AES256_GCM,data:hjMfBGrXThJi2AqaW1G+J8mVE7laZ5OjCAzE+uYn,iv:t8YQOZtlhTTEoqgtbxwzWzInltH5K5cGr09cRU740PA=,tag:kfQXf0yldyljOHNdl1gv1g==,type:str]
+    NOREPLY_EMAIL: ENC[AES256_GCM,data:yqt37KXHO3y3Y+eoV3IZ1KZsnFa+tMT6rdVlVSEQ,iv:+9ktTkcLzgybXcX7TXq4FrxqGaF7mTD1ZVnDASR4xOs=,tag:qt9DU2Iirte9vksn0V+uGQ==,type:str]
 sops:
     age:
         - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBacEJRM1VQRmlqaytuWDNC
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMGFSRHpoRXBrbTM5Z0JH
-            QlpUMjhYQ3NQVjlVbEVwS2dHNTlQTHlYQ3dnCkFCUytDSmQ3TFB3RVNyNlBXVlNK
+            M2ZxQjltMVUxajl4TWs0Q0gxNVhqSDZURmtVCnZmRFpYVHFsWFR2bUtocEE2eFZl
-            bUtJNXZiT0sxRU9rSlZrTVRXdjlSVWsKLS0tIFlZelJZNTIxc0RHOTFDNWhOZ01m
+            eThlY0NneTEza1ozVUZGT01rTmZkYjQKLS0tIGwxYVlNd0gxUjU5TWlPMnh0MVkr
-            U25wSVJicDE1VVpXeUd5b3d1NUVUQzQKQV/DaIkKLsHiksmLhggIyjX1UIg16SIQ
+            OTFOQzdoOVpJSFdiTy9xSldHMVZsMzQKOR721Pl0ZC1ncgQesWI5PrD04cui+MvB
-            lGk22q4xM4v+82O4y0t4oxxVPiXxDPkj6NQiiZcsx0pmzFchfv6Lcw==
+            BgszEpbKFCiWPawaGTss58ADzhY178XSGWnsj8WypkFuyFY6U7uhUg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-06T09:18:00Z"
+    lastmodified: "2025-07-16T14:35:28Z"
-    mac: ENC[AES256_GCM,data:NbZlZN6vxP8moSxXUlk79pLsgvHMsUCKAOq3QImJ5GMiH2dkkzuHAtj0izyAtnYnFBfwreS/V5gXk9L/EENae3tBMB2Bld0/6j+Z5Te0jeKrIAoXXqAQiBrLogKYg2omm9fKRyCZ4CdfcjFBVlJ/vO5/TJDHe5Ne3nk62nVdMgo=,iv:euAkY1YTi+NXZLzHFrpfqWhPOWeYBmVOVp6g9Z5txQE=,tag:Wixp55DxJwzxhk82KDsrjA==,type:str]
+    mac: ENC[AES256_GCM,data:IbNJjPW0kIgh1ZCQo172v4HAVYiRxtDAUpytd9XfLRAoWie0wM4Qg1IX+RedWop7+mc8Yh8a1r5UmFEnAmB8vUjirg88dtHDSMi3Z7rjaYfF1Jz563fpSFDnbRIIoBAckZsoEmjCOatwzra3E+MUry4UrjPhBGtjEeV5KiZypvI=,iv:2L5TrFlYrHCvHKcd+8sQ3NjSydOpzCSgTGS0uAH7ngk=,tag:I+qk6UffT8exKyJaV6ChRQ==,type:str]
     encrypted_regex: ^(data|stringData)$
     version: 3.10.2

apps/seija/kakigoori/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     app.kubernetes.io/name: kakigoori
 spec:
-  replicas: 2
+  replicas: 3
   selector:
     matchLabels:
       app.kubernetes.io/name: kakigoori
@@ -14,19 +14,9 @@ spec:
       labels:
         app.kubernetes.io/name: kakigoori
     spec:
-      affinity:
-        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 1
-            preference:
-              matchExpressions:
-              - key: location
-                operator: In
-                values:
-                - fsn
       containers:
         - name: kakigoori
-          image: "git.remilia.ch/remilia/kakigoori:main"
+          image: "git.prettysunflower.moe/prettysunflower/kakigoori:main"
           imagePullPolicy: Always
           ports:
             - containerPort: 8001

apps/seija/kakigoori/local_settings.sops.py

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:xk32d+fT8YwTbJ9zSh+5ceMzF43NCRnQzPeoxcgRijQHKAbTiJyG6bz5bd98aNkc5dTKtDmFzJlPVszzud4g/zQAUxToJ/IMiWG+6YQxcUZA6b/DsTYu8hB/sw8YVS/fUhvtOMaI4p5Yt/cxFSkRBDLumTMIiCMr/hjJfL7KsnQnT+G1SOkdXKOW5ZCC1DwePH4uSAT+pIBDS4T/j6+bfnIk69BFo2O6J30abNJv8n7/jCLUDCuuZ+KQNfiAYHJIcsj1HI5hLUyTxSRXDxBYBDhar/sceJWZCzumEiqieSmWiUTBELQmado4+i5sqEVBNCqAcDmtRBJM67au0CKoOLM1Zce1O9JBOT/pPA1h5oIQ8j3S4JcEwivcZOvI1F47QkMcwqzvsVY1l43Jj2bAs8f9i/QfyoahBjIQdqTZ1GSMMDiZxv8Od1pMZ3RduptdzUZwXlghdtQRRaO9Wp/Qdm+EhcN89k9lmw9wcNl3sAywjmy+7ZeHMwTxZdWHW7ooYf3miaxahewqQXKkydLoaPF2LjI2b76mMiuw45HsKg8laURrdRp9KP8YEZUz43BEOUPBicL5SHvBJbvZOhtMKgGkX4vKvGztUdkDlk8Jn/KCoKL6eWyqJs90lTp7pY+pf8CTFeZk9cHamBF6qi3But95pPGFz65ZOJP5PUrVkM0HY1gsMlXJQyo6umMo6NYtwnlXakqcN5lr9noAZdZZljzfPlDEwLOQ/UkDuoMhFbIRtsE6bqibs4NRAPdboI9dh97HPns3jx4krXjm+IaLyG2Fjb+HsrpxOpOKhVYxE6ogB32gm0jmd0OsuIQHHhuI6XTCv7ojCTAfWHpDzfa/wpj5JTaDT2KhaKmwxDremT3QtdoEA4tC5TYmw9ACoYL2sLsw6bKikMi3eW+aqUCUnxGoB1s51bBeEjKCN6v/qYaPOh7+3MkqGsOJpyTrcYkk+QznYKRJBN9J0qK36PwCtS0IOeHErtNkzo8k8di4M5Gfmgtym406Bmv2v5fRiCfUHZ3TszOSILi8VmlzmkjRuD96zatnlS5LGbf5fSRfRjqBLpx6vHrzlmACzMqJtLGW3zHm/8b5tffLAy+uNMTFj25o+iFRMPCC0nBeCmBex2AAcbZEmEeiUgx1zfQEUVo3HotdXbXCCWBL0l6YCInZ9QikANqMo6urUAtG1nBxe6GxG+2t3KI=,iv:K8WPuND70blkG810M/ru82znvGVqJVWh7U3ZfhRTS5Q=,tag:e7TewsvDz2x0R+pohEGlDA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MEQxbnA4T0NQSER6NzhG\nN29rVVpmOEJWbEV0TmdVbVp0SGdoMXU4cmxnCkNpMS9Ua2dqQkNQU0RJSUNSTkZu\nUzc4RldaeERPYWxWaElwZlBzU3JjWHcKLS0tIGRoa3pSdDhQbG1kYm9Jb0F6eVZs\nODNRaHFtbnlGMC9rTDJFVWZOMkdZd00KBBUHdx/zbhwEqBaAoeaauiWgkrQ/06wO\nAcGtTapGrKKEj+hDJNVIuP4EcCXt6tlaYPm9IVxQh92VQ3YrAkHLrw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-07-16T14:35:28Z",
+		"mac": "ENC[AES256_GCM,data:+boBB9vcGpRgwaxDs4kFgQk6nVmE3jL1lCkNnmL0ya501M2YlKgZ/UP87qkh8eMQFizpWfs6NFamdF0Zfd7fM1hokOjXQ4pM3rfNa+3lxK2pkEV16OOA5V2F9vTAIkuaCHqKihUZL/PMIko/koKroGU8jfq3ZtgBXTlhIRKeGNI=,iv:zc7vR7gJrMbGIUr+C/R4EWH8LaYX2SxwNtX050nrfEI=,tag:EacHLbwFtujnJuQaKteXkw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

apps/seija/kakigoori/secrets.sops.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: anubis-kakigoori-key
+type: Opaque
+data:
+    ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:mLGdCjuZFgjQ/0WlGBRCf+T0TKHbc/1otllDvsqmAOi+1unw0ZEoCH6+fr1WEAagN0VKulwQmlf26ji7g/+9Q1fiwWMBzxAd1/ZbDZdRptLBvDRBjAP6zA==,iv:P2bwoNjfT8NkBtf8xcKk+VlAPUMzjiuD3z/DHIiDacg=,tag:3CE4qOo0K0BVGgFAUIGZ2Q==,type:str]
+stringData:
+    THOTH_URL: ENC[AES256_GCM,data:9jcvAvIylF4WkQKvAPwyOLpE8w9Es7XJCBHi2gU6A79dTnnl,iv:PcwIyDifQxOmJzrxNxPQqvhS5gT2r7G2+mBP7OYNvCs=,tag:a+sqdXJpd1WVWQlAC3lgdw==,type:str]
+    THOTH_TOKEN: ENC[AES256_GCM,data:ER/93+x9aFGjSPtv7ObT4zhTnCdlJGa+MMY1nqGNGH/GtDKoF+XtyRmclQj+oFZ6DxhV9gM6VeP20YLz7g5t5K23ZmIfFzwAtQAxwJSvDeJw85dkhQbKfTIvou/NM4bL9T1A7j9zGuKvpYAqlkwYnLlDfBy3aWUdD4qkRIjTvXwijG6BjL3dBNXqC1UAxn7j5Y9QojGt6j04/rllYfjuADsIsT4Kbb/EM4jgP13Mu+nJP/3GkfjBQfaC02RvAREjIPuKfVz28zcwLbBTT2kPPSYGuSxIpo1kWKnpttmHDkKgcHu9/q6EFaswgeX3aIbowXiPEY20yYZW4QBbvcBSQOX27Rhg9HR4pcYVM5VT7RTia+kDWIEmhV5JtFlYzx5wiXDM2vgEF+wX+t5mVC96I+En4PuTaBV2lbE=,iv:3dvQjX+takhickmJ3AHo29sEUEfXpSYgh78Rqkfmgkw=,tag:78wOIOovvjkfRxbpDpQoKg==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK2RpVUIxZkZVMjdFV29L
+            VnpYUVJnY3hIYTVSb1htNm5xcTJGRlVWZ0IwCmdSWXFFanBMV1FKTnozUmorL0Qr
+            Z0F0cjc1T2VqRXRwK080VU5tUk1VbkUKLS0tIENiTm5CbkVmTnRRNzJaK3hjMjgr
+            TzhQMmFQOXhCWjRUbGNGOUZHazFNdU0KTLIACJrcciwiFdEhyQCY+ln/afHuwaUU
+            dQXcslNIFa5GeFCA7P7zDkhJWbM1nwOg2D/hh36vYKH6mwdhKVy3Bw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:uPR8lkkMZ1Uko36jISMNG6YMKRHh2jZ1P6aA8lY12Qlml21QsDz3z2c+3iOFaSE9CHZ2TPaMj4gkTkHojkkoKmOdGOZSulKKnnSZ42bDVZPPIjiTcMZxYGUiloBrFAzitRqub5UPtgnoKIxnlsZvMJvl8m9oZ27oi9R7K0MgyYI=,iv:AJBS0RDHXDkjF0DMctPCka2f7iaKFw6VQIHl9VWOCog=,tag:bL5DPT/uvQElYbUG9BjxJQ==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/seija/mazanoke/deployment.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mazanoke
+  labels:
+    app.kubernetes.io/name: mazanoke
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: mazanoke
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: mazanoke
+    spec:
+      containers:
+        - name: mazanoke
+          image: ghcr.io/civilblur/mazanoke:v1.1.5
+          ports:
+            - containerPort: 80
+              name: http

apps/seija/mazanoke/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+  - deployment.yaml
+  - svc.yaml

apps/seija/mazanoke/svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mazanoke
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: mazanoke
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: http

apps/seija/ourfigurecollection/deployment.yaml

@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ourfigurecollection
+  labels:
+    app.kubernetes.io/name: ourfigurecollection
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: ourfigurecollection
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: ourfigurecollection
+    spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            preference:
+              matchExpressions:
+              - key: location
+                operator: In
+                values:
+                - fsn
+      containers:
+        - name: ourfigurecollection-django
+          image: "git.prettysunflower.moe/prettysunflower/ourfigurecollection:main"
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8001
+          volumeMounts:
+          - name: config
+            mountPath: /ourfigurecollection/ourfigurecollection/local_settings.py
+            subPath: local_settings.py
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+        - name: ourfigurecollection-static
+          image: "git.prettysunflower.moe/prettysunflower/ourfigurecollection-static:main"
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8002
+        - name: anubis
+          image: ghcr.io/techarohq/anubis:v1.20.0
+          env:
+            - name: "BIND"
+              value: ":8080"
+            - name: "DIFFICULTY"
+              value: "4"
+            - name: ED25519_PRIVATE_KEY_HEX
+              valueFrom:
+                secretKeyRef:
+                  name: anubis-ourfigurecollection-key
+                  key: ED25519_PRIVATE_KEY_HEX
+            - name: "THOTH_URL"
+              valueFrom:
+                secretKeyRef:
+                  name: anubis-ourfigurecollection-key
+                  key: THOTH_URL
+            - name: "THOTH_TOKEN"
+              valueFrom:
+                secretKeyRef:
+                  name: anubis-ourfigurecollection-key
+                  key: THOTH_TOKEN
+            - name: "METRICS_BIND"
+              value: ":9090"
+            - name: "SERVE_ROBOTS_TXT"
+              value: "true"
+            - name: "TARGET"
+              value: "http://localhost:8001"
+            - name: "OG_PASSTHROUGH"
+              value: "true"
+            - name: "OG_EXPIRY_TIME"
+              value: "24h"
+          resources:
+            limits:
+              cpu: 750m
+              memory: 256Mi
+            requests:
+              cpu: 250m
+              memory: 256Mi
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+      volumes:
+      - name: config
+        configMap:
+          name: ourfigurecollection-config
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+          - 100.96.226.96

apps/seija/ourfigurecollection/kustomization.yaml

@@ -0,0 +1,8 @@
+resources:
+- deployment.yaml
+- svc.yaml
+- secrets.yaml
+configMapGenerator:
+- name: ourfigurecollection-config
+  files:
+  - local_settings.py

apps/seija/ourfigurecollection/local_settings.py

@@ -0,0 +1,35 @@
+DATABASES = {
+    "default": {
+        "ENGINE": "django.db.backends.postgresql",
+        "NAME": "ourfigurecollection",
+        "USER": "ourfigurecollection",
+        "PASSWORD": "xxHWl#d$FoYZ54",
+        "HOST": "100.85.208.69",
+        "PORT": "5432",
+    }
+}
+
+import sentry_sdk
+
+ALLOWED_HOSTS = ["ourfigurecollection.moe"]
+DEBUG = False
+KAKIGOORI_API_KEY = "63586938-dd4b-4e01-a48a-6344e0bc226b"
+OIDC_CLIENT_ID = "749bcfb1-ee32-4c79-85b5-92062d7192b3"
+OIDC_CLIENT_SECRET = "dEhOJ6pvfy3d95Cx7kMq0SHBEgb6romd"
+OIDC_DISCOVERY_URL = "https://auth.remilia.ch/.well-known/openid-configuration"
+
+sentry_sdk.init(
+    dsn="https://62638433153873bc2395021d22e96972@o134957.ingest.us.sentry.io/4508270934360064",
+    # Add data like request headers and IP for users;
+    # see https://docs.sentry.io/platforms/python/data-management/data-collected/ for more info
+    send_default_pii=True,
+    # Set traces_sample_rate to 1.0 to capture 100%
+    # of transactions for tracing.
+    traces_sample_rate=1.0,
+    # To collect profiles for all profile sessions,
+    # set `profile_session_sample_rate` to 1.0.
+    profile_session_sample_rate=1.0,
+    # Profiles will be automatically collected while
+    # there is an active span.
+    profile_lifecycle="trace",
+)

apps/seija/ourfigurecollection/local_settings.sops.py

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:4MYUeRSLBpr51Gae4rNAhutaDiOT1Bjz0lpDiXGAcv9sAXDQTfJA6nHSAhJxcE0ZopIt4te2F6B105/7fCDa4qBma6lQf3c0wQjd+Q+YhzaUSAhf3MFXANIcmpLVYV5szcgJ/Snc8z4lgzZtt2bONEL/wJQU8dEFBpHKdoqQtWoKJB/XbjvgBMpnTq/FjTiOk6KauD224jf4F2fFGRijkJLJAFp9DAtmZ0zZs/IkVTgsTsXkxyQnMsSN9eOGzT7UIJ6sZIuRpvl1nsTV0sLH545PHSufykJCnrdFl05jjNCUxz10mfDg4dXieuAWHWD7vd3eB71uJS8+iEhMc1+PJLOPiItdtcXqT8Z24Grz6A9ANLHkocqRxZ/x7+2KTy5pKVpLRtdGaSF1oiBiBfHAcZX3CCsEci3k0aohrIVywher8rTf5SLfyb0jjoihTjeKvKzDpgADvJSnEnJMMszuA5K3Vu+wszVP+tlA1pLJ4+nITKhT65PRUw0+A9TA5iA2ETsrfyE8dI4q5TCyfXmh6LP7vB2bZsk5zaKDpfU22gBF/foLV6tlFvvv+zT5UnKRAjTbIzAtIe2VFWG/4aAR++PLqM9W5vUYjwoPxP7GqVa5BQStVgdVu8rGaQfx2Z+aG8VMlODJZrA4U7+XCmlDFZMUJiBOBieVo0gsYkhQO2GNnd8/WpEmlsE+8i6LOJUPopmfpH51wriXBol9SJwxDwslxmCQ6in+kX43Jf57m/1GxLnUeIvEZHlyzesC0WIkmUU20e+1MqRmFI7jAwLBE50tsDB4fRjUF0+TtwFGv9eP0qlS6SNTa/5JrXYP956u35XDqYfy5BTiZyEu9RwwirvaeoamelVgIzhyxbokwK50adYcGoETlg/JEwEffmvb0KxcMJIXC8N6iI79/MpW3vc/u+qPeiY605zaLqKBf5zwlwqAXnMdkN9JEmeuCcOq4OVanrexX1LHTWANJe7cKtLHKAvct/FeDACRCfMBaa47ZGtgRo1fXExQOfA66xAlFGUZRH3l1ucQFHRRDqg8mNB5depedXwwtoC2iX35vKkYXhbMTK5lIgpOvbwDvFYmfD+iD0I4L03aSnDGFxJFAVKVwtPbUUTHT5TQdA4ZaUG/pJlSAaxR9iSd9rbtSPjIoDstdpscovzis9gA0zVhwSKK/24JO55dxFb8wCYlc6RxDW1YgSmNdKDy5AsjSDJF//1nzrU/+raDAB3xr1IUoFDDJy377N7467LKjy6GbDm5PpEhBETnMqV7rHmmy6x7KoieNfwQrY48YF2FbcngwCaQ2dH+irFfYeJ9NdAl1M7DeDLOI6I3E7EL57UbIZSTRXk/RutShRwPr+Mw8iZjB81Ii3vsq7j5LNtRA3flLZdoRtTlw0RS2Rr/yCKmsVqOiTbonbG/WeUFUaPISzm4FsGPoSIXp3yt3FRj1zhPSuKvSw2KolMR4uLz8wEKBplB3/t05bnQn3HvfIOqtXhaNTIKPCr6NUgLrc1H8N+FL/RziwA+46uW4YwpfD435tmN4j3c0tcZLHXc2zfh/molQwOYF9me+KU8OJc/636kThz0tUAp6/DEfV8tkjwjFjfB91/L7ChTyh8NuRidK9KsPSV88yQ9kNWxLnetsKsQMOETBBNx3SCly2x2Qh18a9rjgbPgVg==,iv:7IlGRvqypBq82d5wtssqADkCBOvDnRAlJIewsccOcSw=,tag:H5yQtygO/RNhL+1bdEy4bA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQlE4dEI4WHp1dWs0MU1J\nWmI1aExtdTNRSWVMK0hCZ3JhbzUyUnpBc3pVCmZRWSs2eWwxaTIydTU1TVdhb3RS\nVU00VWNMb1JKUFpwcElHbk14cStveVUKLS0tIDVrcFlmV0dCNXZVaDV5OTZQOTJ2\ndGtzTzQyL1k5QUlyTVcvdk9wWVBBOUUKnGPFDBicVruq445e5JnPutHoXVFnR7h7\nDNBBiZTNDzV73F/DEmwUtUu5r/0WDWfVBTY7EhXyry//JmViF1HGRw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-07-16T14:35:28Z",
+		"mac": "ENC[AES256_GCM,data:tJ3DK0YoCy3YpdIq0jzPB8kFDyFx064i7DjouO7GVGWgrbm5i11OO/dvG/LkP5xMVHp83TkUAjbeW9SHM8h2+OiHZwCOfnYEcGQqcK+JMa9o8jDGfsARph6GKTM/JnlkLYyYuIgGqK2XJEmOazQ3Yt2BhGAFb5GrHp9/fVxCG+k=,iv:zlGkcrccPBh7Vbxc7rQjLjrXtmv+278BgV+cfcSt+o4=,tag:dRwIf51HJrqCTAIOVz206Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

apps/seija/ourfigurecollection/secrets.sops.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: anubis-ourfigurecollection-key
+type: Opaque
+stringData:
+    ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:cXINZRGu3j/lch50MqcOl7TkuVwFmBN16Dt2G9yvGkiGhAukrRBSXLTM5q7zbu1J+bBJi9a2PLvGS8i/Q2Opbg==,iv:hL1XQ+odWJTp6cMBcMbmg+GxURbx6CvIKB8uwk5U15Q=,tag:7RquLIFtPNGeYNXDQKpQeQ==,type:str]
+    THOTH_URL: ENC[AES256_GCM,data:PqDBOXxE2os0HkTpzhWWDPTxkiQc4N1O8+QCu10DT8QhZneO,iv:jWBYmCIJZJI7atECZSEZ1+SmcWT9F5TR6Az00fohVXA=,tag:NsMNIqQW8OHkn0Ga70hB+A==,type:str]
+    THOTH_TOKEN: ENC[AES256_GCM,data:brbDUCMIm+AuEfDdsrZT5xpas79Z5WUSGvpL98mcIYpswbqrqluhOUkG6kQrbfnxUm9Z0gW9IPgi+4x8K0hz6YMYPaZVJwau+Ggm8raWY2rKSVI/57S+xqWeRMqD/JegvlFjePZZGqtPEjPXurZC9Hh/mSKPNtk0j/41aLrt9cDZVBlHqYjqPFBAQ0G3opWjOvS552sv+hXHzVy5VmbX/DdYeW9+0Nw8yGk1qJKhNj/uOv0/JufSqIvRPgv4jvAKJ/pFiZ5HHZvn1JC4IVdXfey2oNiRKhD89/CcbJCmk8b9dk4MGQoo6O+ppRUNhQozB2cn5RNgF9LJeFD4Cg8ssPavtWtK8deQc4GruHI9sVu7DG90O6fwH3/Ns+LY9D0f11TI9cux5GzAC0RmnBqU8LyVuQKDqsd6htU=,iv:O05keiJh5iPUhVnrPkW4YMNoAha4ghNBIL0bhu5a56Q=,tag:Wt1I+4ccLuAnQR8obRQafw==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYU0zZG5LSDNvVEFjeXNE
+            bWI4RzhxVUp4M3RYN1V3eE96Y2ZXdUxlTWtrCkRvSTVTcU5TeUJSZXBpWFpVQkF4
+            czUydFVDdFk3djF3eURLd2tyTVEzRzQKLS0tIFR4NzNTQ3lFUnMyU2R5bW5yaDNa
+            MGdKQ0tZRGxFRWlER2d6UExkcnFLUHcKI0785hD9BzhDtZk4lIDq/XFGNkaMiVop
+            PGK6RSbouD5oG0gga07YyAKMsOvz1CCCGEwFhTgsWb2p+1bN2QqXkw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:4GDYYdLIjt+SfUfJvLOLZLrmDBiXhyoh03g5fwk4Uj944I+51paT1oMxJl9Dd0XRWbFK2JMUIc7sSe4HUpsEaSOkfYtM/t4sX0iNTWfPKzxwqOSAE72eDI31ocPUzwlN94/6VYkqPcG1vKADFVqsY4zqp2f2bPOnMbaLLQQGoQU=,iv:91aG7OGowAUkOcp6fLHT8khbSXv2tq8gYFmM4qqcPX0=,tag:zqjA+KVxielyksOtVD8i2w==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/seija/ourfigurecollection/svc.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ourfigurecollection
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: ourfigurecollection
+  ports:
+    - protocol: TCP
+      port: 8001
+      targetPort: 8001
+      name: ourfigurecollection
+    - protocol: TCP
+      port: 8002
+      targetPort: 8002
+      name: ourfigurecollection-static
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
+      name: anubis

apps/seija/pocketid/pvc.yaml

@@ -7,5 +7,5 @@ spec:
     - ReadWriteOnce
   resources:
     requests:
-      storage: 2Gi
+      storage: 1Gi
-  storageClassName: seaweedfs-storage
+  storageClassName: hcloud-volumes

apps/seija/prettysunflower-website/deployment.yaml

@@ -2,11 +2,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: prettysunflower-website
-  namespace: prettysunflower-website
   labels:
     app.kubernetes.io/name: prettysunflower-website
 spec:
-  replicas: 3
+  replicas: 2
   selector:
     matchLabels:
       app.kubernetes.io/name: prettysunflower-website
@@ -40,18 +39,28 @@ spec:
             - name: ED25519_PRIVATE_KEY_HEX
               valueFrom:
                 secretKeyRef:
-                  name: anubis-key
+                  name: anubis-prettysunflower-website-key
                   key: ED25519_PRIVATE_KEY_HEX
             - name: "METRICS_BIND"
               value: ":9090"
             - name: "SERVE_ROBOTS_TXT"
-              value: "true"
+              value: "false"
             - name: "TARGET"
               value: "http://localhost:3334"
             - name: "OG_PASSTHROUGH"
               value: "true"
             - name: "OG_EXPIRY_TIME"
               value: "24h"
+            - name: "THOTH_URL"
+              valueFrom:
+                secretKeyRef:
+                  name: anubis-prettysunflower-website-key
+                  key: THOTH_URL
+            - name: "THOTH_TOKEN"
+              valueFrom:
+                secretKeyRef:
+                  name: anubis-prettysunflower-website-key
+                  key: THOTH_TOKEN
           resources:
             limits:
               cpu: 750m
@@ -68,4 +77,8 @@ spec:
               drop:
                 - ALL
             seccompProfile:
-              type: RuntimeDefault
+              type: RuntimeDefault
+      dnsPolicy: "ClusterFirst"
+      dnsConfig:
+        nameservers:
+          - 100.96.226.96

apps/seija/prettysunflower-website/kustomization.yaml

@@ -1,5 +1,4 @@
 resources:
 - deployment.yaml
 - services.yaml
-- secrets.yaml
+- secrets.yaml
-- namespace.yaml

apps/seija/prettysunflower-website/secrets.sops.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: prettysunflower-website-secret
+type: Opaque
+data:
+    GOOGLE_API_KEY: ENC[AES256_GCM,data:irEM9uQpUiQiQ1ORclh6DbAPdahzXGCC/32KhgVmgxd1ApEd9yxcaH/DaCssldoMyu0EDQ==,iv:rQtEs+4zhA6MVXGJbCFeG+I7X/kGMNW1fcH6jR5hS8w=,tag:dfRid1Arrui6EcFEKh1b4Q==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d0dIQnlnRjk1UFJTdFlx
+            bkVjdytJUjF6SnRVMW1tckdGVUN3OTRCRkIwClBhNi9NR1VIQ2dQR2ZjbWd5dnNT
+            MzlsV2xjaW93NUljeGlnelgxT1pSZlUKLS0tIEJEMS9VNDdQN0ppOEFnZ2lqeFJp
+            V2cyekl2WmN1cjBWNzVQUStQVmNBQ3MKaAzPeJuPHKUsF8WFMKBLfijcc9xGoiIy
+            7ZUqenMvu/hO62LgT+4NlQ66XN/OfLSiwSl3YYuGuELR1jGdK9LXVA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:vaiTEgR5/qYJf9tOwnn4ZB3ZgD62taLHHBEw252d1eaW9TSOCv4UGplPao8CVpp4dtEPY+EJlBV5h3pBB42KFDKZHDSrGqIz3wE/H3xJMovazmz4ZtHKVFbzp852CApL2F7GNWZgyZI/IRyYVk74v7XYqrks+BgF9WnPLdka1WY=,iv:zKYlyFmLeVaMfLiX3ZB3evlbekzrnQKripy6shpWTCs=,tag:dGjhYoaGCxvnJ8JQ6h5qfA==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: anubis-prettysunflower-website-key
+type: Opaque
+data:
+    ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:rsuPNEvHbI3CRnCDydyYrtkT2VIz9Ps4hos35joR2sVuaNtaLC9NGYeueRRMxusHZIgFED+KqP8YbIYotpOXqJuS8NTjFI8dgQj5dkXF6ZjNk5L3nJz9BA==,iv:mTmq2vSmJVJBQTVPINC4lcK6yxdxOpkHLk3mF8UJ84k=,tag:WbvdAu69Rhdr36aQq1zeYg==,type:str]
+stringData:
+    THOTH_URL: ENC[AES256_GCM,data:o1Gk3f6ADbEyQ1dKXlcMyZqIj9Fb0IXFBkm+PrlBcMb/lPi9,iv:vBS7y4Hj4v8ySNL2zgIIK97wxIwgYs9vuM6lwVZeywc=,tag:SiFy3WIHTz585Zi/BR8X+g==,type:str]
+    THOTH_TOKEN: ENC[AES256_GCM,data:S9ZIlYOTEF31n/AdnPKd/JByg/B+tQpSRLXl8bLjbpA5dMEVBJfjYT68WBh/cJLRIUwkJMJhgIEVN3yJBePRpu+kRRzcg+XE2f4yuYdbgplGYfm7RG50CjE8GRNdLnE5bK05Z7LIuEGeYG6DEDiH0iNHWeZdGpmzeynSxTdVFlcRMSBzi8LRXQdw3ZySOabn+Z2F45Fv6DMKbyANLtR9YPViLvo0B8VLhVtoYJ5spu0Rr31p9ZLv4+w/AfeCt1NrN379UXmEoZ8YgvScpi42q9/qC/zjtKPx0AfC7vuTGSodQPcmmlDkvrxsZC3/mhy9QFsE3vHt64Yk9PcJXiv8R8ZgGN04yiWrI48vkeXjtEe/UIOnCyExwfXVQk6xRATY+xO946NgPUBz6ACX8CcEiiK9UNkZbEULho4=,iv:4+0uA3BWZgctn6W1xZYHjXHksdx364Y+PG6CqCiHKCw=,tag:2lJyO+KISqLFZfaJeaHGbQ==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d0dIQnlnRjk1UFJTdFlx
+            bkVjdytJUjF6SnRVMW1tckdGVUN3OTRCRkIwClBhNi9NR1VIQ2dQR2ZjbWd5dnNT
+            MzlsV2xjaW93NUljeGlnelgxT1pSZlUKLS0tIEJEMS9VNDdQN0ppOEFnZ2lqeFJp
+            V2cyekl2WmN1cjBWNzVQUStQVmNBQ3MKaAzPeJuPHKUsF8WFMKBLfijcc9xGoiIy
+            7ZUqenMvu/hO62LgT+4NlQ66XN/OfLSiwSl3YYuGuELR1jGdK9LXVA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:vaiTEgR5/qYJf9tOwnn4ZB3ZgD62taLHHBEw252d1eaW9TSOCv4UGplPao8CVpp4dtEPY+EJlBV5h3pBB42KFDKZHDSrGqIz3wE/H3xJMovazmz4ZtHKVFbzp852CApL2F7GNWZgyZI/IRyYVk74v7XYqrks+BgF9WnPLdka1WY=,iv:zKYlyFmLeVaMfLiX3ZB3evlbekzrnQKripy6shpWTCs=,tag:dGjhYoaGCxvnJ8JQ6h5qfA==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/seija/prettysunflower-website/services.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: prettysunflower-website
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: prettysunflower-website
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
+      name: anubis
+    - protocol: TCP
+      port: 8001
+      targetPort: 8001
+      name: website-static

apps/seija/privatebin/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     app.kubernetes.io/name: privatebin
 spec:
-  replicas: 2
+  replicas: 1
   selector:
     matchLabels:
       app.kubernetes.io/name: privatebin

apps/seija/privatebin/pvc.yaml

@@ -9,4 +9,4 @@ spec:
   resources:
     requests:
       storage: 5Gi
-  storageClassName: seaweedfs-storage
+  storageClassName: hcloud-volumes

apps/seija/privatebin/secrets.sops.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: anubis-key
+type: Opaque
+data:
+    ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:iatFUERK2zHMMq+2uzsTdr15pnyEY9bXYlXFt3sZR+C36cneumogFu3AhV4j0EadseLDPKxkSml3bazpejSyNvWinjpIOwORSi6EHlw71ByDy4Li4/hppg==,iv:5/wZHTzGHN8okMzzm19gt3T5d2rCjvb4RtoaWCwUwgY=,tag:9ZC63C2okeTRt/wGlvb6Lg==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aFZqQ3g1VDFLY0RuaVZ0
+            bzhpVHd0UERaSnlidVBidzVnR256T0xWS3lnCnBlbDdlSm9CNWlmVmFzdTZPSmFX
+            bTJUU3hJZy9jKzVWOTJFNVVMbWMzUnMKLS0tIFdDUnpLMGRQTlNjT3pqV2s2OVZH
+            V0lpRFdvMXVaYWZ6NmVxNTlsM2IvZHMK10ArWUv7S8w0WwDJCmOwWp56Us8fAkrp
+            5rZPG2IhlxAG+5NbbQq13jxjGuQuzACllkreXD3NtwmACWgubGZV2Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:K7jl1bA6UAlJ3LVJsnAOdHf1MFJAK4vrxRktWzoV1zh4DSOVIo3TeGn7wLqlPlbbILFlXKMJUHT7AzfKyv/MtECTe5TOyjQqFYPZ7ZRvE72faghkJAN/AfHIjLZWFOuWOAB2ZEY9cJWCe7zLbC+cwHC7KxepPBHZdQnh//wuz4s=,iv:aooSLGTTL5v5ZhHGJKKcaCGhSl6GciHpGyG00ybzWIQ=,tag:pQ/HNQODherqkToT+JTbIA==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/seija/uptime-kuma/pvc.yaml

@@ -5,7 +5,7 @@ metadata:
 spec:
   accessModes:
     - ReadWriteOnce
-  storageClassName: s3yuyuko
+  storageClassName: hcloud-volumes
   resources:
     requests:
-      storage: 3Gi
+      storage: 3Gi

apps/seija/znc/pvc.yaml

@@ -8,4 +8,4 @@ spec:
   resources:
     requests:
       storage: 5Gi
-  storageClassName: seaweedfs-storage
+  storageClassName: hcloud-volumes

apps/seija/znc/services.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: znc-service
+  name: znc
 spec:
   type: NodePort
   selector:
@@ -10,10 +10,8 @@ spec:
     - protocol: TCP
       port: 4921
       targetPort: 4921
-      nodePort: 30004
       name: https
     - protocol: TCP
       port: 4922
       targetPort: 4922
-      nodePort: 30008
       name: http

apps/sekibanki/etherpad/configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: etherpad-config
+data:
+  TITLE: "🌻 Etherpad"
+  DEFAULT_PAD_TEXT: "Welcome to Etherpad! This pad text is provided by the prettysunflower collective, and is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! Get involved with Etherpad at https://etherpad.org"
+  DB_TYPE: "postgres"
+  DB_HOST: "100.110.40.2"
+  DB_PORT: "5432"
+  TRUST_PROXY: "true"
+  AUTOMATIC_RECONNECTION_TIMEOUT: "5"

apps/sekibanki/etherpad/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: etherpad
+  labels:
+    app.kubernetes.io/name: etherpad
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: etherpad
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: etherpad
+    spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            preference:
+              matchExpressions:
+              - key: location
+                operator: In
+                values:
+                - fsn
+      containers:
+        - name: etherpad
+          image: etherpad/etherpad:2.3.2
+          ports:
+            - containerPort: 9001
+              name: http
+          envFrom:
+            - configMapRef:
+                name: etherpad-config
+            - secretRef:
+                name: etherpad-secrets
+          volumeMounts:
+          - name: etherpad-images
+            mountPath: /opt/etherpad-lite/src/static/skins/colibris/images
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+          - 100.96.226.96
+      volumes:
+      - name: etherpad-images
+        persistentVolumeClaim:
+          claimName: etherpad-images-pvc

apps/sekibanki/etherpad/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+- deployment.yaml
+- configmap.yaml
+- secrets.yaml
+- svc.yaml
+- pvc.yaml

apps/sekibanki/etherpad/pvc.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: etherpad-images-pvc
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 256M
+  storageClassName: nfs-csi

apps/sekibanki/etherpad/secrets.sops.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: etherpad-secrets
+type: Opaque
+stringData:
+    DB_USER: ENC[AES256_GCM,data:8ewltKeF4XE=,iv:VEzUayqbRUGl3aPpIic56MLVaYymw9Rf/OUjdOsnlWk=,tag:w2BtxnVBVtQopPNxRr+rRQ==,type:str]
+    DB_PASS: ENC[AES256_GCM,data:/dppdINLe4fiEdyjbeE=,iv:5iO79O+81CV1UROtDPuoupd1HIk9x14RQ981ZdEe/GM=,tag:EQ/9Ugs/UGQur1+RvmVluw==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzWGM5T1VTUkdZanNNRTR3
+            bkprOEYzTGorSDh4a1Y3dytJT3p0QlBtQW1nCkdsVUEzUWxVckpiZjRkUHFpSFRM
+            bXFUNnk0TEFuYmd6WUdRM0swWE5FYlUKLS0tIFJlTmxkaXdJM1ZDeDd2ejB2czVw
+            SzYvV1RmYXpzdnZBU1RYaS9NYlAxaFkKEbbTjI6c2cr/NqGA4rZEmSpeVni1R1KP
+            7CPrKpPiV96vnG9NM37L2lpwZvig5H3JUtPdRzSdpJJDoQbBeAvpYg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:UPl5mlWdtTyXl6W+QINngFrMIPpMdOrnRPCREsFuMJqcU0Qb2udIBImZIeYdURXd/ymRr3hwC0E6bzRbQJBUEJpd9oWzOTv/IIsvdptnjuKjZz7Ojnpfrmd8FO8YuSnR9x/qHC4B05E14GPrOKHJIOuKrAv40ATSwrAl2PFdoTo=,iv:meWIlngiKEWHoivsDv4AUFOEJY4w75zuL9lVtv9VW2E=,tag:HpHKDB5Ux57YM5yeGgx4og==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/sekibanki/etherpad/svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: etherpad
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: etherpad
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: http

apps/sekibanki/gitea/configmap.yaml

@@ -13,7 +13,7 @@ data:
   GITEA__server__STATIC_ROOT_PATH: /usr/share/webapps/gitea
   GITEA__server__APP_DATA_PATH: /var/lib/gitea/data
   GITEA__server__LFS_START_SERVER: "true"
-  GITEA__server__SSH_DOMAIN: git.default.svc.yakumo.prettysunflower.moe
+  GITEA__server__SSH_DOMAIN: git.default.svc.sekibanki.prettysunflower.moe
   GITEA__server__DOMAIN: git.prettysunflower.moe
   GITEA__server__HTTP_PORT: "3000"
   GITEA__server__ROOT_URL: https://git.prettysunflower.moe/
@@ -23,7 +23,7 @@ data:
   GITEA__server__PUBLIC_URL_DETECTION: auto
   GITEA__database__DB_TYPE: postgres
   GITEA__database__SSL_MODE: disable
-  GITEA__database__HOST: 100.75.132.10:5432
+  GITEA__database__HOST: 100.110.40.2:5432
   GITEA__database__NAME: gitea
   GITEA__database__SCHEMA: public
   GITEA__database__LOG_SQL: "false"
@@ -61,4 +61,4 @@ data:
   GITEA__security__PASSWORD_HASH_ALGO: argon2
   GITEA__cache__ADAPTER: redis
   GITEA__cache__HOST: redis://127.0.0.1:6379/0
-  GITEA__cache_0X2E_last_commit__COMMITS_COUNT: "1"
+  GITEA__cache_0X2E_last_commit__COMMITS_COUNT: "1"

apps/sekibanki/gitea/deployment.yaml

@@ -14,16 +14,6 @@ spec:
       labels:
         app.kubernetes.io/name: gitea
     spec:
-      affinity:
-        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 1
-            preference:
-              matchExpressions:
-              - key: location
-                operator: In
-                values:
-                - fsn
       volumes:
         - name: data
           persistentVolumeClaim:
@@ -40,7 +30,7 @@ spec:
         nameservers:
           - 100.96.226.96
       containers:
-        - image: docker.gitea.com/gitea:1.24.2-rootless 
+        - image: docker.gitea.com/gitea:1.24.3-rootless 
           name: gitea
           ports:
             - containerPort: 3000

apps/sekibanki/gitea/pvc.yaml

@@ -8,8 +8,8 @@ spec:
     - ReadWriteMany
   resources:
     requests:
-      storage: 5G
+      storage: 50G
-  storageClassName: seaweedfs-storage
+  storageClassName: nfs-csi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -21,16 +21,4 @@ spec:
   resources:
     requests:
       storage: 64M
-  storageClassName: seaweedfs-storage
+  storageClassName: nfs-csi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: gitea-tigris-pvc
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 50G
-  storageClassName: tigris

apps/sekibanki/gitea/secrets.sops.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gitea-secrets
+type: Opaque
+stringData:
+    GITEA__server__LFS_JWT_SECRET: ENC[AES256_GCM,data:lUGklHzgVyGtW7YWHqQlOEs9TlcKrAp+wOHKmvrnUx7g9NzrUOarqVwwqg==,iv:Fyr5WFaFps60Sc735FkcdaTUfP4Rf++3ZGFC8/x/beI=,tag:D11RCpU8j1YkqJnJghzbPw==,type:str]
+    GITEA__database__USER: ENC[AES256_GCM,data:J1WUgvw=,iv:f/PIxtSVYJD0M6oQATy/cCcLqBska2KbqJu0LOdgCnQ=,tag:6J1NjGpVEKQY+eII5aM2kQ==,type:str]
+    GITEA__database__PASSWD: ENC[AES256_GCM,data:MDsAOxL3BDmZD2s8NPE=,iv:nbs4k3kqZbJXW3ptyQy04M8ZehxXzzRiaJpCFbmeGXA=,tag:+EXlilcYXFdU1flRV+Y+nw==,type:str]
+    GITEA__mailer__USER: ENC[AES256_GCM,data:h3aLMQygmPalb53QGe4KP2DvQxpUaw==,iv:nsTin6xBu6aGEfElOULW7ScdvMUNoM5fbX3x+WSpwgc=,tag:w8Nvm/XOBQqDHdRBgmDc4w==,type:str]
+    GITEA__mailer__PASSWD: ENC[AES256_GCM,data:aDuDhi8miweNKBYV2N7p5Q==,iv:WPur5yPGtKOUPQ+17MfihHljinBAKgpFTnXPW/HGuO4=,tag:fEAUy5bfxwIFEUs5oYljtQ==,type:str]
+    GITEA__storage__MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:gDC9Xk6k01sar/AdG6FA7topLA1yzBklpXB3v11u7PseRXKtxSzbjg3yRSxDKfS7dz0uuChTx/Fj4yR3+MZSKMR+Av1UU9dA0koS,iv:lMvi+NCmeZZz7AtVhFJpM1qjweGf9tNmA0pXSJdsdL0=,tag:NbCmn20JTrYSzmbc2kgnBQ==,type:str]
+    GITEA__security__INTERNAL_TOKEN: ENC[AES256_GCM,data:LBD8u8OsXhkO69XSvhfP0vDCeZRfY+Yc1nKfaacCF2QL/T6v2054ymbvGjTvR+DM5g+XezwZWLYrE+AfY5LEa35EpC4S2c7kQAGikyBvGo9ANAcP6NxfC6ShraUBnGg5njrjf4ZVBGrd,iv:xH5amSwdV5e4rqneqr/x62hCdOWnjoPHFA30LwM3260=,tag:LhK1heV4xe3qUXwZ+pgfwg==,type:str]
+    GITEA__security__SECRET_KEY: ENC[AES256_GCM,data:mRdk8gS0wrV6PYr9jiSwvZAql4SyUjXEc0UNLdZMV3FOZsRKPHVWAsiw443HwPZ8pyBH6ucNHj1Zdj9qTMonHg==,iv:k8EIL2n+EGT+Fz0wTP4u+Tczyv2la478x0oV/jAHa/o=,tag:0gfQNJ3YQ6EK5WAPfzd6dg==,type:str]
+    GITEA__oauth2__JWT_SECRET: ENC[AES256_GCM,data:JoU3xarzXINK1Vs0slgtdVYGG9ilTENLzt2ggT69zFoQppQKt2lZUmqw5g==,iv:nAd74z6iMwpYN++0FQ8Ow3cg03sYBrV6790NiV4y2lk=,tag:KAvL0ugsZDzRfhpdoqzo/A==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArUU5vdTVaS2t6OXpwaUEx
+            cUNTWFpUbkVmYStHT1VBRXBJWCsvZllzQWwwClZZV01aSFRaamI2VzR5SGNvR0ZE
+            VUQyU3hPVUZUY2dHT1NSMzdGdHVSeHMKLS0tIHRBRlVzRWR4b2tXb3o5UmxPdjNt
+            YXRHQkdHek1DTkM5WjhRenBaLzRxdEUKBypMt0YqbWUgzmcMgfWjEXDICOstdYya
+            sGqjC1GYuaffqCrpWScDq5ok/QXznbye3yEJwzV1opwbhKPrWmOgqQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:0N1JMKyxhHKsQ/Q5A9uCCAo+E5tvbhA75wJiVAX1fSRtPIfaJ7T6LdP7MLLxNXQTcl+LqcHn+XvIfU7z5XeZmH/qBZZEldgwj8CbEhPKjw3+kThoNWHV5nggxlIyFePE18bo/lpRV8Bqpyhocdd0F1fEDNEotnaO5Nle7SWAcWo=,iv:qWEv7WVf2v7aIr19S7OE/Q4Fu13FZ7hVF+bAdlZZv1s=,tag:/rzDd4uheETv+WugfaizEw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/sekibanki/glance/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     app.kubernetes.io/name: glance
 spec:
-  replicas: 2
+  replicas: 1
   selector:
     matchLabels:
       app.kubernetes.io/name: glance

apps/sekibanki/glance/glance.yml

@@ -40,7 +40,10 @@ pages:
           - type: search
             search-engine: https://kagi.com/search?token=ygXAizA-9gY.ejxyFYbeHxOWVxBYgxMGtJPmAeu1pi1DCtOVTW5yFd8&q={QUERY}
             autofocus: true
-          - type: hacker-news
+          - type: group
+            widgets:
+              - type: lobsters
+              - type: hacker-news
           - type: bookmarks
             groups:
               - title: Internal

apps/sekibanki/gotosocial/configmap.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gotosocial-config
+data:
+  GTS_HOST: fedi.prettysunflower.moe
+  GTS_ACCOUNT_DOMAIN: prettysunflower.moe
+  GTS_TRUSTED_PROXIES: "10.217.0.0/32"
+  GTS_INSTANCE_LANGUAGES: en,fr
+  GTS_ACCOUNTS_ALLOW_CUSTOM_CSS: "true"

apps/sekibanki/gotosocial/deployment.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gotosocial
+  labels:
+    app.kubernetes.io/name: gotosocial
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gotosocial
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gotosocial
+    spec:
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: gotosocial-pvc
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+          - 100.96.226.96
+      containers:
+        - image: docker.io/superseriousbusiness/gotosocial:0.19.1
+          name: gotosocial
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: http
+          volumeMounts:
+          - name: data
+            mountPath: /gotosocial/storage
+          envFrom:
+            - configMapRef:
+                name: gotosocial-config
+            - secretRef:
+                name: gotosocial-secrets
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+            successThreshold: 1
+          startupProbe:
+            httpGet:
+              path: /readyz
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 30
+            successThreshold: 1
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+            successThreshold: 1

apps/sekibanki/gotosocial/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+- configmap.yaml
+- deployment.yaml
+- pvc.yaml
+- secrets.yaml
+- svc.yaml

apps/sekibanki/gotosocial/pvc.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gotosocial-pvc
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10G
+  storageClassName: nfs-csi

apps/sekibanki/gotosocial/secrets.sops.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gotosocial-secrets
+type: Opaque
+stringData:
+    GTS_DB_ADDRESS: ENC[AES256_GCM,data:PqPAl3c/2yYw/R+o,iv:01M73o6Ok/cDxxtSpHjduWKSFplXNJ93WcQYf19DTWg=,tag:KdMISrg8LEG7pj49OyeYdA==,type:str]
+    GTS_DB_USER: ENC[AES256_GCM,data:LFMfG09Z2OIBhA==,iv:L2Gapmk2nvOdDRiRM7sRLdIJnhhJ+N9kAzYl4P4w7r8=,tag:PghjpZRZjiN6BqvCz5g3Dg==,type:str]
+    GTS_DB_PASSWORD: ENC[AES256_GCM,data:CnqraWwcOkRHt+ET/0lp,iv:asmChmzapS73l3nTVK+qhBr3HDNi7UvNVwjOO2razPk=,tag:fB9JOnpqWf1ZczAjIjc9Zg==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dkoxaUJ2bnRDNEFadjdN
+            MFRmUUM2M0xlRXJ1WmhPY080WVdHa2h2S1FRCnI2MmdJRUxlUlNxVnBUa3ZHUEVF
+            YkxKaUZXYTFrU0FYSmNIQm94SDN4bHcKLS0tIHIvdTBXdmxqM2I3WGo3dWpPK3lL
+            ditudGE2OVpNZVRTMXdoM2w2eHdpZkUKOQ+LS4zDEeJheoJ/pR06h/WwozoyBXMz
+            DbxFpJ0ykjmUuRJ3CBr/MPVRa0V8NA8qVTHxjYDYwg4H9LH4nB+yiw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:Ys4wt4Z2ocKt3WPxztXl7K/2gEFnnppxvSPGxqB6KBeNe/mRkYQ7PAqCcUKZledncIgXpxRfU/Cv7huc93MlQVGyNZ1MgYO7U9H8vBHaDJuS1bAJ6n/NnDKKCQA7yJOJpfd09FnScOpeMf1cO+PQPuHaYUbIZpS+6ctepXLpHQo=,iv:uCFSGP8qvZA6EmTzUD6q9uwrkIHraMGyyjQ+42FikTM=,tag:gCePqCDIeZ3yxkKbsWCsZw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/sekibanki/gotosocial/svc.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: teable
+  name: gotosocial
-  namespace: teable
 spec:
   type: ClusterIP
   selector:
-    app.kubernetes.io/name: teable
+    app.kubernetes.io/name: gotosocial
   ports:
     - protocol: TCP
       port: 80
-      targetPort: 3000
+      targetPort: http
       name: http

apps/sekibanki/opengist/pvc.yaml

@@ -9,4 +9,4 @@ spec:
   resources:
     requests:
       storage: 5Gi
-  storageClassName: seaweedfs-storage
+  storageClassName: nfs-csi

apps/sekibanki/opengist/secrets.sops.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: opengist-secret
+type: Opaque
+data:
+    OG_SECRET_KEY: ENC[AES256_GCM,data:CvlbIc/O4FkhELpy76zfE027zavhIEfSDx1JwPfjN5716LJDEuPIoLd19RDx8i92jbPk5RrGEvgLcwyWShwQ11BXPuXIXD8KsAqFwECwk6TKneuJSDbnlQ==,iv:xruob7s++xnqvzmS+JboXlL6W0leicziZMOc0zn//HA=,tag:/OLxQC02uFbcduvhJeoAKg==,type:str]
+    OG_OIDC_PROVIDER_NAME: ENC[AES256_GCM,data:Asg/Wvct6UjcKQj0ZmO/zWYAlZ8=,iv:14qEsQgm923nX3L+zDrrwYWX4oqpAGRS5lkP/c+Ufl4=,tag:38WXRayva09L2/QsKqPsXw==,type:str]
+    OG_OIDC_DISCOVERY_URL: ENC[AES256_GCM,data:3OD/XS9JUAAI3MacofVKQXWl/jC1mBoG9CEFmIm/ol7GaN9PBdmlC7c5+rsvf37aolqKkpyQdlVVEAlP98caRAJxR75STzEQS708pw==,iv:b4d1i/xOX3TaYR3ZwDh84mvAe0MYmat5JHLJj4TXSsU=,tag:5Aqhpl39RURk+PjEPJtw2A==,type:str]
+stringData:
+    OG_OIDC_CLIENT_KEY: ENC[AES256_GCM,data:mdWOC+W+ksd+XOJRYKBEFSHDyIYV7ID9fYkpHAjoJf9UNx+c,iv:xU9zVltACcgqsATlJgfhT7M/P3+sVIE8rWn83/1fubo=,tag:rW3zq1rY0InpFo3Mmgft2A==,type:str]
+    OG_OIDC_SECRET: ENC[AES256_GCM,data:97lerV+9dPvEcCEJneTnwO7Iv829PnLiGd0WYuD48H4=,iv:5oDgiZ0oOnTCVJPyHXIQ+Tjaq/dBe+xZEn6EhGaDn+s=,tag:ZWBqzTGREyEuDRu6gBfKcA==,type:str]
+    OG_DB_URI: ENC[AES256_GCM,data:QjdJc2PDyMTBga9P+U6c5JkTABuXIpoA5ba+rPW+DHyWDA7WZtvlt+cssPd2yBH363+XqLmH40r9Wz8pWXaRHj7dnhmI7cSfSgtnGA==,iv:ilk2GD0wL/5jefsa5fu9YXwXn0G+U4Agqzme+ilUGL4=,tag:F8C+/Hdv/gSkh0Uvxt1qAA==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYMnRpRlJxbjBReDVGS2dY
+            bDNyVlFWaW5oQ2VmaUdsRWNZN0dnNE9kQ1FJCjg5VW9XOUc3eEdOcnZCMTI4YXcz
+            Q3RpZjNIczJSV01QZmFsRkV6aU4vMEkKLS0tIE5xMHd4Tk1xYlllTWwxQ2htS1NR
+            M3VwVERJVHE3VVB0QzlOMGk4RDF1UEkKT2BbgMdJBz9OVX279VffXQ+LonSi5IzB
+            +gxybF3+/HzTaGnKo0juVDO8x8cZqjmWkOWGl7iFTDv7z87qHgLV+A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:KIeBdomBppTaAua5hF3UJUX3a2bViLNEu2kygATDCEovnhCZCr7vwuJBHnwOq9X1+tvoMJLzEf4vhXCE2PjOcNAf5QHR/a/7NZdnB/9lnWCpRVu2Av6vJPBtbqWhIhS6skFgBPnz22Lo9y1A4ZhqiMF4kx0gVKe8CfMXhFhcfT4=,iv:TfY9mxLBDllQE56GklfCgMD9OrSW1tHMHvhWKVjQulI=,tag:O//p0etj0WTf+/5qnmkmEw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/sekibanki/planka/configmap.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: planka-config
+data:
+  BASE_URL: https://kanban.prettysunflower.moe
+  OIDC_ISSUER: https://auth.remilia.ch
+  OIDC_CLIENT_ID: eb200a8b-5b93-4b77-a070-1081481270a1
+  OIDC_IGNORE_ROLES: "true"
+  OIDC_ENFORCED: "true"

apps/sekibanki/planka/deployment.yaml

@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: planka
+  labels:
+    app.kubernetes.io/name: planka
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: planka
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: planka
+    spec:
+      volumes:
+        - name: planka-data
+          persistentVolumeClaim:
+            claimName: planka-data-pvc
+      containers:
+        - name: planka
+          image: ghcr.io/plankanban/planka:2.0.0-rc.3
+          ports:
+            - containerPort: 1337
+              name: http
+          volumeMounts:
+          - name: planka-data
+            subPath: favicons
+            mountPath: "/app/public/favicons/"
+          - name: planka-data
+            subPath: user-avatars
+            mountPath: "/app/public/user-avatars/"
+          - name: planka-data
+            subPath: background-images
+            mountPath: "/app/public/background-images/"
+          - name: planka-data
+            subPath: attachments
+            mountPath: "/app/private/attachments/"
+          envFrom:
+            - configMapRef:
+                name: planka-config
+            - secretRef:
+                name: planka-secrets

apps/sekibanki/planka/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+- configmap.yaml
+- deployment.yaml
+- pvc.yaml
+- secrets.yaml
+- svc.yaml

apps/sekibanki/planka/pvc.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: planka-data-pvc
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5G
+  storageClassName: nfs-csi

apps/sekibanki/planka/secrets.sops.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: planka-secrets
+type: Opaque
+stringData:
+    DATABASE_URL: ENC[AES256_GCM,data:/P/UTQ5hn4iXostkAQfguXOEgm3i4u4GU2AtXf63Fa5Vj+xphAZIswrVs3A/UYUGsm8pQzc=,iv:Scg5AkeGhBG6k7AoYbsEihOu659Q5g4j8EOp7xYW6Zo=,tag:FBrGgdzW6divFyEAbdZnvQ==,type:str]
+    SECRET_KEY: ENC[AES256_GCM,data:SN8r72D2iLxpGdqEzjQ5I9PHW/P3NwwJOUYbp+Gi9Hg/a0TBZ9QJZnhveGJPh9aV3KiwuzNK8+AT5TWcFkCSwYa33ZlwJeiTxvfombDYWuqvccwl2Vwun52vUYfrdqogDYcaeP9US6GsJd8eaRUO3iyc0A+C039S68jkGt18h8Q=,iv:hlpmq4fGDjnxXmYRhCBTM9RwBWXA1OAF5AMhs7T0IqU=,tag:Soq3gnQQDaTHBBYoQ9l88A==,type:str]
+    OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:PE6qqlsEpAcaZopGVh6y6/S2EuM3ybTpha+Gmhh7krA=,iv:AcS4H21JOOlAtLDDawqpyzdxdSUr3kFtMB6ynxG3Ewg=,tag:WLZ1JfVOOahaJgvP+YYORA==,type:str]
+    DEFAULT_ADMIN_EMAIL: ENC[AES256_GCM,data:0q437f+tid9X9Hj2F+nlEvyD,iv:TR6YBD84MevOic8d/btZdIAJtkiHRPftOIIJQwkc5iQ=,tag:nspH0pSxPMfevqwXz3RYMw==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMVhvdGNYSzBhSWhpTXRY
+            eFU0Y3Z1YXlIUU1tZkhHVTloaEhMbk1rNFNvCnl3d3NSZit3MklkSHBPOFgrL25n
+            d01RbGJlZ3BzN2V4R3lVbUZBZ051VTQKLS0tIFp4c3pRTitISFJOR3JYNjU2TnRI
+            YzAvRHM5cHprbDJCTlNGa3h0MkZxN2sKnlvHgMwqUM3X47+OeRLxJepfEaVvHSag
+            XWVGGhEAtFkXbyW3e59+LygrabU1Eq0BX4sbN404VpSaosCCxREM5A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:9rFIGDm44sPYF2a8lYAw5ooMW0U2td8ajclYHoeOHxQNPouXtTLvEyqjYNeXIIpUfpjYe6qz7us3PeuFeCCGAmobQ34qRu87Jd2n9yg70OSyklzMr4lCaeenlU+3q5nhWWyrv0tHuDUgLWR9F674Xl5T4QfbfbfKwzNMskNg7QM=,iv:pIT6NI7ed8EK7FEF6OySSxrN4vurMv0rUl75Y45wUdQ=,tag:rHgn4IWBGq9UH6d3z1lVkw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/sekibanki/planka/svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: planka
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: planka
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: http

apps/sekibanki/radicale/config

@@ -0,0 +1,321 @@
+# -*- mode: conf -*-
+# vim:ft=cfg
+
+# Config file for Radicale - A simple calendar server
+#
+# Place it into /etc/radicale/config (global)
+# or ~/.config/radicale/config (user)
+#
+# The current values are the default ones
+
+
+[server]
+
+# CalDAV server hostnames separated by a comma
+# IPv4 syntax: address:port
+# IPv6 syntax: [address]:port
+# Hostname syntax (using "getaddrinfo" to resolve to IPv4/IPv6 adress(es)): hostname:port
+# For example: 0.0.0.0:9999, [::]:9999, localhost:9999
+#hosts = localhost:5232
+hosts = 0.0.0.0:5232
+
+# Max parallel connections
+#max_connections = 8
+
+# Max size of request body (bytes)
+#max_content_length = 100000000
+
+# Socket timeout (seconds)
+#timeout = 30
+
+# SSL flag, enable HTTPS protocol
+#ssl = False
+
+# SSL certificate path
+#certificate = /etc/ssl/radicale.cert.pem
+
+# SSL private key
+#key = /etc/ssl/radicale.key.pem
+
+# CA certificate for validating clients. This can be used to secure
+# TCP traffic between Radicale and a reverse proxy
+#certificate_authority =
+
+# SSL protocol, secure configuration: ALL -SSLv3 -TLSv1 -TLSv1.1
+#protocol = (default)
+
+# SSL ciphersuite, secure configuration: DHE:ECDHE:-NULL:-SHA (see also "man openssl-ciphers")
+#ciphersuite = (default)
+
+# script name to strip from URI if called by reverse proxy
+#script_name = (default taken from HTTP_X_SCRIPT_NAME or SCRIPT_NAME)
+
+
+[encoding]
+
+# Encoding for responding requests
+#request = utf-8
+
+# Encoding for storing local collections
+#stock = utf-8
+
+
+[auth]
+
+# Authentication method
+# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall
+#type = denyall
+type = none
+
+# Cache logins for until expiration time
+#cache_logins = false
+
+# Expiration time for caching successful logins in seconds
+#cache_successful_logins_expiry = 15
+
+## Expiration time of caching failed logins in seconds
+#cache_failed_logins_expiry = 90
+
+# Ignore modifyTimestamp and createTimestamp attributes. Required e.g. for Authentik LDAP server
+#ldap_ignore_attribute_create_modify_timestamp = false
+
+# URI to the LDAP server
+#ldap_uri = ldap://localhost
+
+# The base DN where the user accounts have to be searched
+#ldap_base = ##BASE_DN##
+
+# The reader DN of the LDAP server
+#ldap_reader_dn = CN=ldapreader,CN=Users,##BASE_DN##
+
+# Password of the reader DN
+#ldap_secret = ldapreader-secret
+
+# Path of the file containing password of the reader DN
+#ldap_secret_file = /run/secrets/ldap_password
+
+# the attribute to read the group memberships from in the user's LDAP entry (default: not set)
+#ldap_groups_attribute = memberOf
+
+# The filter to find the DN of the user. This filter must contain a python-style placeholder for the login
+#ldap_filter = (&(objectClass=person)(uid={0}))
+
+# the attribute holding the value to be used as username after authentication
+#ldap_user_attribute = cn
+
+# Use ssl on the ldap connection
+# Soon to be deprecated, use ldap_security instead
+#ldap_use_ssl = False
+
+# the encryption mode to be used: tls, starttls, default is none
+#ldap_security = none
+
+# The certificate verification mode. Works for ssl and starttls. NONE, OPTIONAL, default is REQUIRED
+#ldap_ssl_verify_mode = REQUIRED
+
+# The path to the CA file in pem format which is used to certificate the server certificate
+#ldap_ssl_ca_file =
+
+# Connection type for dovecot authentication (AF_UNIX|AF_INET|AF_INET6)
+# Note: credentials are transmitted in cleartext
+#dovecot_connection_type = AF_UNIX
+
+# The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket.
+#dovecot_socket = /var/run/dovecot/auth-client
+
+# Host of via network exposed dovecot socket
+#dovecot_host = localhost
+
+# Port of via network exposed dovecot socket
+#dovecot_port = 12345
+
+# IMAP server hostname
+# Syntax: address | address:port | [address]:port | imap.server.tld
+#imap_host = localhost
+
+# Secure the IMAP connection
+# Value: tls | starttls | none
+#imap_security = tls
+
+# OAuth2 token endpoint URL
+#oauth2_token_endpoint = <URL>
+
+# PAM service
+#pam_serivce = radicale
+
+# PAM group user should be member of
+#pam_group_membership =
+
+# Htpasswd filename
+#htpasswd_filename = /etc/radicale/users
+
+# Htpasswd encryption method
+# Value: plain | bcrypt | md5 | sha256 | sha512 | argon2 | autodetect
+# bcrypt requires the installation of 'bcrypt' module.
+# argon2 requires the installation of 'argon2-cffi' module.
+#htpasswd_encryption = autodetect
+
+# Enable caching of htpasswd file based on size and mtime_ns
+#htpasswd_cache = False
+
+# Incorrect authentication delay (seconds)
+#delay = 1
+
+# Message displayed in the client when a password is needed
+#realm = Radicale - Password Required
+
+# Convert username to lowercase, must be true for case-insensitive auth providers
+#lc_username = False
+
+# Strip domain name from username
+#strip_domain = False
+
+
+[rights]
+
+# Rights backend
+# Value: authenticated | owner_only | owner_write | from_file
+#type = owner_only
+
+# File for rights management from_file
+#file = /etc/radicale/rights
+
+# Permit delete of a collection (global)
+#permit_delete_collection = True
+
+# Permit overwrite of a collection (global)
+#permit_overwrite_collection = True
+
+# URL Decode the given username (when URL-encoded by the client - useful for iOS devices when using email address)
+# urldecode_username = False
+
+[storage]
+
+# Storage backend
+# Value: multifilesystem | multifilesystem_nolock
+#type = multifilesystem
+
+# Folder for storing local collections, created if not present
+#filesystem_folder = /var/lib/radicale/collections
+filesystem_folder = /data/collections
+
+# Folder for storing cache of local collections, created if not present
+# Note: only used in case of use_cache_subfolder_* options are active
+# Note: can be used on multi-instance setup to cache files on local node (see below)
+filesystem_cache_folder = /cache
+
+# Use subfolder 'collection-cache' for 'item' cache file structure instead of inside collection folder
+# Note: can be used on multi-instance setup to cache 'item' on local node
+use_cache_subfolder_for_item = True
+
+# Use subfolder 'collection-cache' for 'history' cache file structure instead of inside collection folder
+# Note: use only on single-instance setup, will break consistency with client in multi-instance setup
+use_cache_subfolder_for_history = True
+
+# Use subfolder 'collection-cache' for 'sync-token' cache file structure instead of inside collection folder
+# Note: use only on single-instance setup, will break consistency with client in multi-instance setup
+use_cache_subfolder_for_synctoken = True
+
+# Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed)
+# Note: check used filesystem mtime precision before enabling
+# Note: conversion is done on access, bulk conversion can be done offline using storage verification option: radicale --verify-storage
+use_mtime_and_size_for_item_cache = True
+
+# Use configured umask for folder creation (not applicable for OS Windows)
+# Useful value: 0077 | 0027 | 0007 | 0022
+#folder_umask = (system default, usual 0022)
+
+# Delete sync token that are older (seconds)
+#max_sync_token_age = 2592000
+
+# Skip broken item instead of triggering an exception
+#skip_broken_item = True
+
+# Command that is run after changes to storage, default is emtpy
+#  Supported placeholders:
+#   %(user)s: logged-in user
+#   %(cwd)s : current working directory
+#   %(path)s: full path of item
+#  Command will be executed with base directory defined in filesystem_folder
+#  For "git" check DOCUMENTATION.md for bootstrap instructions
+# Example(test): echo \"user=%(user)s path=%(path)s cwd=%(cwd)s\"
+# Example(git): git add -A && (git diff --cached --quiet || git commit -m "Changes by \"%(user)s\"")
+#hook =
+
+# Create predefined user collections
+#
+# json format:
+#
+#  {
+#    "def-addressbook": {
+#       "D:displayname": "Personal Address Book",
+#       "tag": "VADDRESSBOOK"
+#    },
+#    "def-calendar": {
+#       "C:supported-calendar-component-set": "VEVENT,VJOURNAL,VTODO",
+#       "D:displayname": "Personal Calendar",
+#       "tag": "VCALENDAR"
+#    }
+#  }
+#
+#predefined_collections =
+
+
+[web]
+
+# Web interface backend
+# Value: none | internal
+#type = internal
+
+
+[logging]
+
+# Threshold for the logger
+# Value: debug | info | warning | error | critical
+#level = info
+
+# Don't include passwords in logs
+#mask_passwords = True
+
+# Log bad PUT request content
+#bad_put_request_content = False
+
+# Log backtrace on level=debug
+#backtrace_on_debug = False
+
+# Log request header on level=debug
+#request_header_on_debug = False
+
+# Log request content on level=debug
+#request_content_on_debug = False
+
+# Log response content on level=debug
+#response_content_on_debug = False
+
+# Log rights rule which doesn't match on level=debug
+#rights_rule_doesnt_match_on_debug = False
+
+# Log storage cache actions on level=debug
+#storage_cache_actions_on_debug = False
+
+[headers]
+
+# Additional HTTP headers
+#Access-Control-Allow-Origin = *
+
+
+[hook]
+
+# Hook types
+# Value: none | rabbitmq
+#type = none
+#rabbitmq_endpoint =
+#rabbitmq_topic =
+#rabbitmq_queue_type = classic
+
+
+[reporting]
+
+# When returning a free-busy report, limit the number of returned
+# occurences per event to prevent DOS attacks.
+#max_freebusy_occurrence = 10000

apps/sekibanki/radicale/deployment.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radicale
+  labels:
+    app.kubernetes.io/name: radicale
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: radicale
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: radicale
+    spec:
+      volumes:
+        - name: radicale-data
+          persistentVolumeClaim:
+            claimName: radicale-data-pvc
+          # emptyDir:
+          #   sizeLimit: 50Mi
+          #   medium: Memory
+        - name: radicale-config
+          configMap:
+              name: radicale-config
+        - name: cache-volume
+          emptyDir:
+            sizeLimit: 50Mi
+            medium: Memory
+      containers:
+        - name: radicale
+          image: tomsquest/docker-radicale:3.5.4.0
+          ports:
+            - containerPort: 5232
+              name: http
+          volumeMounts:
+          - name: radicale-data
+            mountPath: "/data"
+          - name: radicale-config
+            mountPath: "/config"
+          - name: cache-volume
+            mountPath: "/cache"
+          resources:
+            requests:
+              cpu: 200m
+              memory: 64M
+            limits:
+              cpu: 500m
+              memory: 256M
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 5232
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+            successThreshold: 1
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault

apps/sekibanki/radicale/kustomization.yaml

@@ -0,0 +1,8 @@
+resources:
+  - deployment.yaml
+  - pvc.yaml
+  - svc.yaml
+configMapGenerator:
+- name: radicale-config
+  files:
+  - config

apps/sekibanki/radicale/pvc.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: technitium-data-pvc
+  name: radicale-data-pvc
 spec:
   accessModes:
     - ReadWriteOnce
-  storageClassName: longhorn
   resources:
     requests:
-      storage: 1Gi
+      storage: 3Gi
+  storageClassName: nfs-csi

apps/sekibanki/radicale/svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: caldav
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: radicale
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: http

apps/sekibanki/renovate/secrets.sops.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: renovate-gitea-env
+type: Opaque
+stringData:
+    RENOVATE_GITHUB_COM_TOKEN: ENC[AES256_GCM,data:tEaxtH/tMQ4lpvSMwNRf75Ir5Z711/x45fgOkvFDE/SQDq752QfKhA==,iv:2j2aQFodFg47a1xRTw5KCJsE/hqCa9Fe9bDMr1IPhvY=,tag:QvOEfa38bx0DnGeimP8EFA==,type:str]
+    RENOVATE_AUTODISCOVER: ENC[AES256_GCM,data:qgD3GA==,iv:hIXYcwxQTOn6XVdWYqjz8UISwIJ4fGdSo0bQrxbgcLs=,tag:YLP/28760E6YyuWiWVcCFw==,type:str]
+    RENOVATE_ENDPOINT: ENC[AES256_GCM,data:Yx8NJsN/zfCAy4IeMgObrhvpVOCdi4k9oubQfKubJlbBF5309nE=,iv:ozkCVyOgHtE05qUfcubxqUTrfYiNKrIIDg3ZZlbNGMs=,tag:8gqxc4FienvPH1oqP81ZKA==,type:str]
+    RENOVATE_GIT_AUTHOR: ENC[AES256_GCM,data:WFwP86EfQYSedLLcQyL/nQmZFkIRx7IMSfOTNeCqIDRLjMueQ7zeupRivNPk9A==,iv:aOC1n0EbWx5jq+8C3kM9KLUwZIAXW6GlZXvGjMwDTZ0=,tag:yrATDQw4EdUY2XcCltUhQg==,type:str]
+    RENOVATE_PLATFORM: ENC[AES256_GCM,data:Uw4ihT8=,iv:2Y4Mv6YNjG0KfU+0ZBX6f1eJ47v1r2o0kiV1QgWOn5I=,tag:XBw4rJCDcBTBHdxMcwmLfA==,type:str]
+    RENOVATE_TOKEN: ENC[AES256_GCM,data:brPzHjCuxpPU3z0pfd1loXavpMiqAWD0Nod4+szW3EWBsWAHgHj26A==,iv:smXMkCRv5vNg1vsd+X2x6RyumRcqSSwGp8xaKppsg6w=,tag:nbUYnF8Vte8shvcIQyiI0Q==,type:str]
+    RENOVATE_KUBERNETES: ENC[AES256_GCM,data:kY8sEwcsuvehijA6BwHvHIUI6OSO/S2MCsY=,iv:UMRcqpTQ9vScisXugKiVnDPLR8tsSz600pl6dw3v/xc=,tag:GukTMpkIXozz6TAATZjA0w==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbitVRE5mcnBhaUhybHlT
+            dFg5N0V0R0g1UFlyZzFjSk9aa09QUVVEUkhvCkFPanpEYmZ6a1lmMlFCMlZZMC9O
+            V0gwM2lBNFhKeWtwVzRIeEhGZ0YxL0UKLS0tIEl2NkxsTThaUTY5UUozNjk1cnBx
+            a0NWZFRyYkVJTXZpU0d0QlBmRDNrWm8KNGrP45Bj87LHygIZsFLsz6iL8zHyuDw0
+            JVxqzb2tCa90OfhzDQpIh06N5ep1AowE9IWea7PoW4jaWzd7vDge5g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:+0envuEAfwqgOI2ysbTYcPph7sIKFK26RqAy8vLQ/tvQ700nXyZRgOS2DSOIKeMq0+e3bg2gbgWaKLu8TPGYSf6DI4xGOx+vXSjcPMdiO05Wa0qu1Ha3+C3Uoyijt1YY2TZ0YO/WCNakyF7WPP4urFBNtictvoZIWTv31JPw7OQ=,iv:TmsTKP8dJxnjnDM0WFzSIRqImT0XVwYBAgG06VTWkDE=,tag:++33bVCSjOhW4JQCQ8e2Xg==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/sekibanki/teable/config.yaml

@@ -8,4 +8,5 @@ data:
   BACKEND_CACHE_PROVIDER: "redis"
   NEXT_ENV_IMAGES_ALL_REMOTE: "true"
   PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING: "1"
-  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+  NODE_TLS_REJECT_UNAUTHORIZED: '0'
+  BACKEND_STORAGE_TOKEN_EXPIRE_IN: '1d'

apps/sekibanki/teable/deployment.yaml

@@ -15,28 +15,13 @@ spec:
       labels:
         app.kubernetes.io/name: teable
     spec:
-      affinity:
-        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 1
-            preference:
-              matchExpressions:
-              - key: location
-                operator: In
-                values:
-                - fsn
-      volumes:
-        - name: valkey-data
-          persistentVolumeClaim:
-            claimName: valkey-data-pvc
       hostAliases:
       - ip: "100.113.193.5"
         hostnames:
         - "mail.prettysunflower.moe"
       initContainers:
         - name: db-migrate
-          image: ghcr.io/teableio/teable:sha-257d098af67e9260b6abb09da0e08eafef34ae08
+          image: ghcr.io/teableio/teable:83745958bbba83111145e1cd48de811cfc7db601
-          imagePullPolicy: Always
           args:
             - migrate-only
           envFrom:
@@ -63,8 +48,7 @@ spec:
               type: RuntimeDefault
       containers:
         - name: teable
-          image: ghcr.io/teableio/teable:sha-257d098af67e9260b6abb09da0e08eafef34ae08
+          image: ghcr.io/teableio/teable:83745958bbba83111145e1cd48de811cfc7db601
-          imagePullPolicy: Always
           args:
             - skip-migrate
           ports:
@@ -108,7 +92,30 @@ spec:
             timeoutSeconds: 5
             failureThreshold: 3
             successThreshold: 1
-        - image: valkey/valkey:alpine
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: valkey
+  namespace: teable
+  labels:
+    app.kubernetes.io/name: valkey
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: valkey
+    spec:
+      volumes:
+        - name: valkey-data
+          persistentVolumeClaim:
+            claimName: valkey-data-pvc
+      containers:
+        - image: valkey/valkey:8.1.2-alpine
           name: valkey
           envFrom:
             - secretRef:
@@ -129,4 +136,4 @@ spec:
               drop:
                 - ALL
             seccompProfile:
-              type: RuntimeDefault
+              type: RuntimeDefault

apps/sekibanki/teable/pvc.yaml

@@ -9,4 +9,4 @@ spec:
   resources:
     requests:
       storage: 5Gi
-  storageClassName: seaweedfs-storage
+  storageClassName: nfs-csi

apps/sekibanki/teable/secrets.sops.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: teable-secrets
+    namespace: teable
+type: Opaque
+stringData:
+    PRISMA_DATABASE_URL: ENC[AES256_GCM,data:S7Y4B5apBAYbZ6lQ5/O31RThkAnKV3Qx+ab2ieQSn63qsik451ciRWzTysIuADOeivo+1sSqyIIdBvBGpPR+n108kw==,iv:zSwa0dgoydq2hbaxxXDO/gBcrLMPFqAxjTUaPMfzyOg=,tag:Uy/+KAP7SE4bOrDN7eNWIg==,type:str]
+    SECRET_KEY: ENC[AES256_GCM,data:KXnjt6MiPts4u1vqf4pFYjAJq+6xPQ==,iv:8U61KBz8ZaNZluvLsGNmP3X7M5Upv/02ngoy2lpndUQ=,tag:0RmPivQtQgQa+XAltN6Dxg==,type:str]
+    BACKEND_STORAGE_PROVIDER: ENC[AES256_GCM,data:M9o=,iv:Z8twg5olXc+PtrVNxl24W6m+l/5bS81kAiXF4O8CSHQ=,tag:ImiZg6nCiGGFUPIfWRqrlQ==,type:str]
+    BACKEND_STORAGE_S3_REGION: ENC[AES256_GCM,data:JvGqWw==,iv:8KbVumdAXPZBLB7g7oqf1rfFnHKhPvleezY7Tryma1o=,tag:9VVoNTjvuPs7v0ep8wSc9w==,type:str]
+    BACKEND_STORAGE_S3_ENDPOINT: ENC[AES256_GCM,data:THKG0BPjvXU9u1qeutoBkGJ8pbq1aw==,iv:T04svNvlk+05mrwlVV9sp32eyjbKWp/Z0Fdc3PUOB1k=,tag:Ov7Wr4lJ0ixdTD3/9db0DA==,type:str]
+    BACKEND_STORAGE_S3_ACCESS_KEY: ENC[AES256_GCM,data:4X9UespqF1qtiLIfMQRi79VP5Xdjage7xTxZKPtJ80vs2VnaFknqzzDTMsAm9fZk7FKMCWde,iv:Rp0AlShe6e0JrQ/4fVyiGs5lAkPXl7574UF35HHntwQ=,tag:TSemTreK3c5+mZjTt+Cl0w==,type:str]
+    BACKEND_STORAGE_S3_SECRET_KEY: ENC[AES256_GCM,data:GtenV4qKUlZmGMV8WCO3/9tsjpdTceoCzY8v4maWIo1L9iy/u4I8TKXa6iv/9QpSTq0YW2qh5YtmSOvpeqOsmceNV3s61CNydqsE,iv:I9cn5jmP6OjQ3H3Z8TLT5ZGNihnME3cnyn7BI9iBIUg=,tag:9CXNZtg9B/4Yj2ZKTgwSRg==,type:str]
+    BACKEND_STORAGE_PUBLIC_BUCKET: ENC[AES256_GCM,data:GoOlFVdgcG8yx9hTFyI0zK/WvlgnMAYshLejrKs=,iv:lJTx2Wovtka+fHGK7ojWiY81besS7IrV/oPcN5546UI=,tag:M4Q0ukX3Vhc/F6WPQsmmVQ==,type:str]
+    BACKEND_STORAGE_PRIVATE_BUCKET: ENC[AES256_GCM,data:2pmNoVRrkkwggoj2gjxy2fOGQYTT+q5L7LqYnNOF,iv:LSe93EycfC304/ji1BU/dovsCP2L+s6II3Uz7drl7lY=,tag:NlCE0GMQOEWABcjDKG6rIQ==,type:str]
+    BACKEND_CACHE_REDIS_URI: ENC[AES256_GCM,data:2WSh32ZQb26dPyI9LVqxQaykMdXhFuA6YKMzpT9X3HXcKO0wGiJMl0tDZvIK/qnGU4ShgCXqD5/TQZSzTe6XI1YKJoFou6pvHkXgFIoEJEZSgxWlhY9unj3Fizwm,iv:8vkHRo5cpLRNzVxmeJILY/DAO9Xgp8RoJnTiG4mqQJc=,tag:EzhcJ9ntjlWD95KDpke2Bg==,type:str]
+    BACKEND_MAIL_HOST: ENC[AES256_GCM,data:dRZR7Oi9acB5ANFcO6HWUyPyHFcgESYb,iv:uyyQHB18OuZJDM0+6FcYvbyZEjOeOPQj8HTE7zWLl28=,tag:6x5clI3OquJI4ryoJ/mIhQ==,type:str]
+    BACKEND_MAIL_PORT: ENC[AES256_GCM,data:UzK1,iv:KYdakhFPfe7wLyNbxpQlAmYDYhmHfKVAiDtFMTwxhPU=,tag:KfrNLO7Z5y24gWcFo3O9Sw==,type:str]
+    BACKEND_MAIL_SECURE: ENC[AES256_GCM,data:yqGAQG0=,iv:oVaScBsc2v7AqudqJxyM/AGmd9479igZzNsY+G+wNWE=,tag:JM7JfT8Ljv6IbytBGmAplg==,type:str]
+    BACKEND_MAIL_SENDER: ENC[AES256_GCM,data:PNmUSwER7gjYv4bVxBPDxy5LOwFMhoPsY6U=,iv:1lUdrocPb6nP7N/6Xk4+d67pF3iu4jvvskKJ0x/UADU=,tag:reHZtXP0ZXwOFH9XibNrWA==,type:str]
+    BACKEND_MAIL_SENDER_NAME: ENC[AES256_GCM,data:IipWnw==,iv:Tp6k90QrG1/5M9kdvSLnXtz4xcU/mxNQ4563PSeb0Xc=,tag:oIJjlXpIuDbbTtnbZ6HRgw==,type:str]
+    BACKEND_MAIL_AUTH_USER: ENC[AES256_GCM,data:7pz5djxOzt19o2KgDchkO4hdXuPoZA==,iv:LHK7Cb1iFJbRWlGEEB4ziKZJKhOJ4OPfEgGNqxm244I=,tag:03A36lsN5GkKZhTqQQFMFw==,type:str]
+    BACKEND_MAIL_AUTH_PASS: ENC[AES256_GCM,data:7Oo6vF4MRSLuTWJGnZueug==,iv:813e2G1nGQFLv9AWZF4oKIIHq1eBLKuTm/0BR/a0tAw=,tag:iWUsbvmDFLnBVNNoXJ4hcA==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQVVUU3AxN2tnUG1ORmpw
+            c29YMWErYXl0QmtKVWdjWng2azRBUDJSbnlnClVnSVBlRUJ6NElDWmZOVnJRTUVB
+            NWVIRm1FUWc2NW14TE9MSnNpVnNPcU0KLS0tIDdrbjhWY3hoZCtROWtPKytXenJ0
+            eEptQ1R2QlAyeDdnZWdkZGNBcFZxL0EKe5wXjgOEN5hULVrSdyq7ljGIDlhDdwTl
+            jo0aeu4ObPlgMCc6jC9Coxk62SNt7yVg+brvkX2AmufuwR0lzg7N+g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:aFo7gkxw4ZgbJEkI7UbXwTUwB8DJHZGQ3cjJxTlRuROsoz6ryxzUg6jq0cDHVMrBa+Aj6atU5KUQ/o0krThZzZiL4kAWystxFgHj0IVH5aJBN2R4P5qLzwgofXP0UuTSd5x32hrAi5XVJ4loJGTQBxu/LdBHwOGQTg5Iuclk2K0=,iv:iRWTZnjiCUVCTnB99+wGmOjh6PkGak4PHJrMIs/rptU=,tag:0OgOkXAcsVaeCcXmCTSHjw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: valkey-secrets
+    namespace: teable
+type: Opaque
+stringData:
+    VALKEY_EXTRA_FLAGS: ENC[AES256_GCM,data:S+rjMu5wNv+Nni1d7/ZZTDoPhqf2TY28xJhgH/FPPmQB5qGpQmkVGoZW9rhsuc6eI7JL7KDRbfPyyoa8,iv:v3pjMJD1RvusZ9+0ppCP3RW3ojpsqQseeitJ8jagvxo=,tag:IQAIFa9vsRmFFDFXAmV8Jg==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQVVUU3AxN2tnUG1ORmpw
+            c29YMWErYXl0QmtKVWdjWng2azRBUDJSbnlnClVnSVBlRUJ6NElDWmZOVnJRTUVB
+            NWVIRm1FUWc2NW14TE9MSnNpVnNPcU0KLS0tIDdrbjhWY3hoZCtROWtPKytXenJ0
+            eEptQ1R2QlAyeDdnZWdkZGNBcFZxL0EKe5wXjgOEN5hULVrSdyq7ljGIDlhDdwTl
+            jo0aeu4ObPlgMCc6jC9Coxk62SNt7yVg+brvkX2AmufuwR0lzg7N+g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:aFo7gkxw4ZgbJEkI7UbXwTUwB8DJHZGQ3cjJxTlRuROsoz6ryxzUg6jq0cDHVMrBa+Aj6atU5KUQ/o0krThZzZiL4kAWystxFgHj0IVH5aJBN2R4P5qLzwgofXP0UuTSd5x32hrAi5XVJ4loJGTQBxu/LdBHwOGQTg5Iuclk2K0=,iv:iRWTZnjiCUVCTnB99+wGmOjh6PkGak4PHJrMIs/rptU=,tag:0OgOkXAcsVaeCcXmCTSHjw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/sekibanki/teable/services.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: teable
+  namespace: teable
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: teable
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 3000
+      name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: valkey
+  namespace: teable
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: valkey
+  ports:
+    - protocol: TCP
+      port: 6379
+      targetPort: 6379