cloudwithdan · cloudwithdan · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/.gitignore b/.gitignore
@@ -1 +1,24 @@
-dnsendpoint.yaml
+# Trash
+.DS_Store
+Thumbs.db
+tmp
+# k8s
+kubeconfig
+talosconfig
+# vscode-sops
+.decrypted~*.yaml
+*.agekey
+*.pub
+*.key
+# Taskfile
+.task
+Brewfile.lock.json
+# Output
+megalinter-reports
+# scripts
+node_modules
+*.log
+*.pem
+# Python
+.venv*
+_out
diff --git a/AGENTS.md b/AGENTS.md
@@ -0,0 +1,221 @@
+# AGENTS.md - AI Coding Agent Guidelines
+
+## Repository Overview
+
+This is a **Kubernetes GitOps homelab infrastructure** repository using [FluxCD](https://fluxcd.io/) to manage cluster state. It runs on [Talos Linux](https://www.talos.dev/) with applications deployed via Helm and Kustomize.
+
+**Key Technologies:**
+- FluxCD (GitOps continuous delivery)
+- Kustomize (configuration management)
+- SOPS + age (secrets encryption)
+- Helm (application packaging)
+- Talos Linux (immutable Kubernetes OS)
+
+## Build / Lint / Test Commands
+
+### Validate All Kustomizations
+```bash
+# Validate all kustomize builds across the cluster
+find kubernetes/main/apps -name "kustomization.yaml" -exec dirname {} \; | \
+  xargs -I {} sh -c 'echo "Building {}" && kustomize build {} > /dev/null || exit 1'
+```
+
+### Validate Single Application
+```bash
+# Test a specific application's kustomization
+kustomize build kubernetes/main/apps/<app-name>/app
+
+# Example: Test audiobookshelf
+kustomize build kubernetes/main/apps/audiobookshelf/app
+```
+
+### YAML Validation (if yamllint installed)
+```bash
+# Lint all YAML files
+yamllint kubernetes/
+
+# Lint specific file
+yamllint kubernetes/main/apps/<app-name>/app/<file>.yaml
+```
+
+### Kubernetes Schema Validation (if kubeconform installed)
+```bash
+# Validate Kubernetes manifests against schemas
+kustomize build kubernetes/main/apps/<app-name>/app | kubeconform -strict
+```
+
+### Check SOPS Encryption
+```bash
+# Verify secrets are properly encrypted
+sops -d kubernetes/main/apps/<app-name>/app/<secret>.sops.yaml > /dev/null && echo "Valid"
+```
+
+### Flux Validation
+```bash
+# Validate Flux Kustomization resources
+flux get kustomizations
+
+# Reconcile specific app manually
+flux reconcile kustomization <app-name>
+```
+
+## Code Style Guidelines
+
+### File Naming Conventions
+- Use **kebab-case** for all filenames: `my-config.yaml`, `deployment.yaml`
+- Secrets must use `.sops.yaml` extension: `secret.sops.yaml`
+- Kustomization files must be named exactly: `kustomization.yaml`
+- Application entry point: `ks.yaml` (Flux Kustomization resource)
+
+### Directory Structure
+```
+apps/<app-name>/
+├── ks.yaml                    # Flux Kustomization (root resource)
+└── app/
+    ├── kustomization.yaml     # Lists all resources
+    ├── namespace.yaml         # App namespace
+    ├── repository.yaml        # HelmRepository (if needed)
+    ├── release.yaml           # HelmRelease
+    ├── *.sops.yaml           # Encrypted secrets
+    └── ...                   # Additional manifests
+```
+
+### YAML Formatting
+- **Indentation:** 2 spaces (no tabs)
+- **Document separators:** Use `---` at start of each file
+- **Line endings:** Unix (LF)
+- **Trailing whitespace:** Remove trailing whitespace
+- **Empty lines:** Single blank line between resources
+- **Quotes:** Use double quotes for strings with special characters
+
+### Kubernetes Resource Standards
+
+**Namespace Labels (Required):**
+```yaml
+metadata:
+  labels:
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    goldilocks.fairwinds.com/enabled: "true"
+```
+
+**Common Metadata (Required in ks.yaml):**
+```yaml
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app  # Anchor reference
+```
+
+**Flux Kustomization Template:**
+```yaml
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app <app-name>
+  namespace: flux-system
+spec:
+  targetNamespace: <app-name>
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/<app-name>/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+```
+
+### Secrets Management (SOPS)
+
+**ALWAYS encrypt sensitive values:**
+- All secrets must be stored in files ending with `.sops.yaml`
+- Use `sops` CLI to edit: `sops <file>.sops.yaml`
+- Never commit plaintext secrets
+- Follow the encryption regex pattern: `^(data|stringData)$`
+
+**Creating New Encrypted Secret:**
+```bash
+cat <<EOF > secret.sops.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <secret-name>
+  namespace: <namespace>
+stringData:
+  KEY: "value"  # Will be encrypted
+EOF
+sops -e -i secret.sops.yaml
+```
+
+### HelmRelease Conventions
+
+**Standard HelmRelease Structure:**
+```yaml
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: <app-name>
+  namespace: <namespace>
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: <chart-name>
+      version: "x.x.x"  # Pin version
+      sourceRef:
+        kind: HelmRepository
+        name: <repo-name>
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  values:
+    # App-specific values
+```
+
+### Variable References
+- Use `${SECRET_EXTERNAL_DOMAIN}` for external domain references
+- Use anchors (`&app`) and aliases (`*app`) for consistent naming
+- Store cluster-wide vars in `kubernetes/main/flux-system/vars/`
+
+## Error Handling
+
+**No Automated Tests:** This repo has no traditional test suite. Validation is done via:
+1. `kustomize build` success
+2. Flux reconciliation status
+3. Kubernetes manifest schema validation
+
+**Debugging Tips:**
+- Check Flux reconciliation: `flux get kustomizations --watch`
+- Check pod status: `kubectl get pods -n <namespace>`
+- View logs: `kubectl logs -n flux-system -l app=kustomize-controller`
+
+## PR Workflow
+
+Before submitting changes:
+1. Run `kustomize build` on affected app(s)
+2. Ensure secrets are encrypted with `.sops.yaml` extension
+3. Verify YAML indentation (2 spaces)
+4. Check that namespaces include required labels
+5. Validate syntax with `yamllint` if available
+
+## Resources
+
+- [Flux Documentation](https://fluxcd.io/flux/)
+- [Kustomize Reference](https://kubectl.docs.kubernetes.io/references/kustomize/)
+- [SOPS Documentation](https://github.com/mozilla/sops)
+- [Talos Linux Docs](https://www.talos.dev/v1.9/)
+- Based on [flux-cluster-template](https://github.com/onedr0p/flux-cluster-template)
diff --git a/.../main/avto-masini/avto-masini-web/ks.yaml → .../apps/avto-masini/avto-masini-web/ks.yaml b/.../main/avto-masini/avto-masini-web/ks.yaml → .../apps/avto-masini/avto-masini-web/ks.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -9,11 +10,12 @@ spec:
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
-  path: ./kubernetes/main/avto-masini/avto-masini-web/staging
+  path: ./kubernetes/apps/avto-masini/avto-masini-web/staging
   prune: true
   sourceRef:
     kind: GitRepository
     name: flux-system
+    namespace: flux-system
   wait: false
   interval: 30m
   retryInterval: 1m
@@ -29,12 +31,13 @@ spec:
   commonMetadata:
     labels:
       app.kubernetes.io/name: *app
-  path: ./kubernetes/main/avto-masini/avto-masini-web/production
+  path: ./kubernetes/apps/avto-masini/avto-masini-web/production
   prune: true
   sourceRef:
     kind: GitRepository
     name: flux-system
+    namespace: flux-system
   wait: false
   interval: 30m
   retryInterval: 1m
-  timeout: 5m
+  timeout: 5m
diff --git a/...vto-masini-web/production/deployment.yaml → ...vto-masini-web/production/deployment.yaml b/...vto-masini-web/production/deployment.yaml → ...vto-masini-web/production/deployment.yaml
@@ -29,7 +29,7 @@ spec:
           image: ghcr.io/avto-masini/avto-masini-web:v2.0.10
           imagePullPolicy: Always
           ports:
-            - name: prod-svc
+            - name: http
               containerPort: 80
           livenessProbe:
             httpGet:

diff --git a/...i/avto-masini-web/production/ingress.yaml → ...i/avto-masini-web/production/ingress.yaml b/...i/avto-masini-web/production/ingress.yaml → ...i/avto-masini-web/production/ingress.yaml
@@ -5,10 +5,10 @@ metadata:
   name: avto-masini-web-production-ingress
   namespace: avto-masini
   annotations:
-    external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}"
+    external-dns.alpha.kubernetes.io/target: "${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com"
     external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}, www.${SECRET_PROD_DOMAIN}"
 spec:
-  ingressClassName: avto-masini
+  ingressClassName: traefik-avto-masini
   rules:
     - host: "${SECRET_PROD_DOMAIN}"
       http:
@@ -19,7 +19,7 @@ spec:
               service:
                 name: avto-masini-web-production
                 port:
-                  name: prod-svc
+                  number: 80
     - host: "www.${SECRET_PROD_DOMAIN}"
       http:
         paths:
@@ -29,4 +29,4 @@ spec:
               service:
                 name: avto-masini-web-production
                 port:
-                  name: prod-svc
+                  number: 80
diff --git a/...vto-masini-web/staging/kustomization.yaml → ...-masini-web/production/kustomization.yaml b/...vto-masini-web/staging/kustomization.yaml → ...-masini-web/production/kustomization.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:

diff --git a/...ni/avto-masini-web/production/secret.yaml → ...ni/avto-masini-web/production/secret.yaml b/...ni/avto-masini-web/production/secret.yaml → ...ni/avto-masini-web/production/secret.yaml
diff --git a/...i/avto-masini-web/production/service.yaml → ...i/avto-masini-web/production/service.yaml b/...i/avto-masini-web/production/service.yaml → ...i/avto-masini-web/production/service.yaml
@@ -5,9 +5,9 @@ metadata:
   namespace: avto-masini
 spec:
   ports:
-    - name: avto-masini-web-production
+    - name: http
       port: 80
-      targetPort: prod-svc
+      targetPort: 80
   selector:
     app: avto-masini-web-production
   type: ClusterIP
diff --git a/...i/avto-masini-web/staging/deployment.yaml → ...i/avto-masini-web/staging/deployment.yaml b/...i/avto-masini-web/staging/deployment.yaml → ...i/avto-masini-web/staging/deployment.yaml
@@ -27,7 +27,7 @@ spec:
           image: ghcr.io/avto-masini/avto-masini-web:9ff0c4c
           imagePullPolicy: Always
           ports:
-            - name: staging-svc
+            - name: http
               containerPort: 80
           livenessProbe:
             httpGet:

diff --git a/...sini/avto-masini-web/staging/ingress.yaml → ...sini/avto-masini-web/staging/ingress.yaml b/...sini/avto-masini-web/staging/ingress.yaml → ...sini/avto-masini-web/staging/ingress.yaml
@@ -5,8 +5,8 @@ metadata:
   name: avto-masini-web-staging-ingress
   namespace: avto-masini
   annotations:
-    external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}"
-    external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}"
+    external-dns.alpha.kubernetes.io/target: "${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com"
+    external-dns.alpha.kubernetes.io/hostname: "staging.${SECRET_PROD_DOMAIN}"
     # nginx.ingress.kubernetes.io/auth-url: |-
     #    http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
     # nginx.ingress.kubernetes.io/auth-signin: |-
@@ -16,7 +16,7 @@ metadata:
     # nginx.ingress.kubernetes.io/auth-snippet: |
     #    proxy_set_header X-Forwarded-Host $http_host;
 spec:
-  ingressClassName: avto-masini
+  ingressClassName: traefik-avto-masini
   rules:
     - host: "staging.${SECRET_PROD_DOMAIN}"
       http:
@@ -27,4 +27,4 @@ spec:
               service:
                 name: avto-masini-web-staging
                 port:
-                  name: staging-svc
+                  number: 80
diff --git a/...-masini-web/production/kustomization.yaml → ...vto-masini-web/staging/kustomization.yaml b/...-masini-web/production/kustomization.yaml → ...vto-masini-web/staging/kustomization.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:

diff --git a/...asini/avto-masini-web/staging/secret.yaml → ...asini/avto-masini-web/staging/secret.yaml b/...asini/avto-masini-web/staging/secret.yaml → ...asini/avto-masini-web/staging/secret.yaml
diff --git a/...sini/avto-masini-web/staging/service.yaml → ...sini/avto-masini-web/staging/service.yaml b/...sini/avto-masini-web/staging/service.yaml → ...sini/avto-masini-web/staging/service.yaml
@@ -5,9 +5,9 @@ metadata:
   namespace: avto-masini
 spec:
   ports:
-    - name: avto-masini-web-staging
+    - name: http
       port: 80
-      targetPort: staging-svc
+      targetPort: 80
   selector:
     app: avto-masini-web-staging
   type: ClusterIP